CVE-2021-3750: Fix DMA MMIO reentrancy issues (#556) · Issues · QEMU / QEMU · GitLab
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller’s registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
Fix DMA MMIO reentrancy issues
Goal
Find a generic way to fix the DMA reentrancy problem.
Technical details
A DMA ring buffer may contain pointers into the device's own DMA/MMIO region, and once the DMA is programmed the device's handler is re-entered recursively through those pointers.
Additional information
List of DMA reentrancy issues (usually found by the fuzzer):
- #62 (AHCI)
- #84 (closed), #305 (closed), #552 (closed) (SCSI)
- #451 (closed) (SDHCI)
- #540 (xHCI)
- #541 (EHCI)
- #542 (closed) (HDA)
- #557 (pcnet)
- #782 (closed) (NVMe)
- eepro100
- #827 (virtio-blk)
Usually the coredump backtrace includes multiple calls to access_with_adjusted_size() from the Memory API.
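The pattern behind these issues, as a constructed C model added here (not QEMU's code and not the EHCI implementation): a device's DMA engine walks a guest-written descriptor ring, and because the bus dispatches any write that overlaps the device's register window to the register handler, a buffer pointer aimed at the controller's own control register makes the handler run while the engine is still mid-transfer. The addresses, register layout, ring format and the `in_dma` flag are all assumptions of this model. The flag is one generic mitigation of the kind the issue asks for: the register handler refuses accesses that arrive while the device's own DMA is in flight, so a reset can no longer tear down state the engine is still using.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not QEMU code: a toy device whose register window
 * (MMIO_BASE..MMIO_BASE+MMIO_SIZE) sits inside the address space its DMA
 * engine writes into, so a guest-supplied buffer pointer can land on the
 * device's own registers. */
#define RAM_SIZE   0x1000u
#define MMIO_BASE  0x0800u
#define MMIO_SIZE  0x0010u
#define REG_CTRL   0x0u       /* control register; bit 0 requests a reset */
#define CTRL_RESET 0x01u
#define PKT_LEN    8u

struct ring_desc { uint32_t buf; uint32_t len; };   /* guest-written ring entry */

struct device {
    uint8_t  ram[RAM_SIZE];   /* modelled guest RAM; the MMIO window overlays part of it */
    uint32_t ring_addr;       /* guest-programmed descriptor ring base */
    uint32_t ring_count;
    bool     transfer_live;   /* per-transfer state that reset tears down (freed objects in the real bug) */
    bool     in_dma;          /* reentrancy guard: true while the DMA engine is running */
    bool     use_guard;
    int      resets;          /* resets the register handler performed */
    int      rejected;        /* MMIO accesses refused because the guard was set */
    int      stale_uses;      /* times the engine carried on after its state was torn down */
};

struct outcome { int resets; int rejected; int stale_uses; };

static void device_reset(struct device *d) {
    d->transfer_live = false;   /* the real device frees queue/packet objects here */
    d->resets++;
}

/* Register write handler, called for a bus access at MMIO_BASE + off. */
static void mmio_write(struct device *d, uint32_t off, uint8_t val) {
    if (d->use_guard && d->in_dma) {   /* reentrant access from our own DMA: refuse it */
        d->rejected++;
        return;
    }
    if (off == REG_CTRL && (val & CTRL_RESET))
        device_reset(d);
}

/* Bus write: bytes whose destination overlaps the MMIO window are dispatched
 * to the register handler rather than stored in RAM, as a memory API does. */
static void bus_write(struct device *d, uint32_t addr, const uint8_t *src, uint32_t len) {
    for (uint32_t i = 0; i < len; i++) {
        uint32_t a = addr + i;
        if (a >= MMIO_BASE && a < MMIO_BASE + MMIO_SIZE)
            mmio_write(d, a - MMIO_BASE, src[i]);
        else if (a < RAM_SIZE)
            d->ram[a] = src[i];
    }
}

/* DMA engine: walk the descriptor ring and write the packet payload to each buffer. */
static void run_dma(struct device *d) {
    uint8_t payload[PKT_LEN];
    memset(payload, CTRL_RESET, sizeof payload);   /* constructed payload: every byte carries the reset bit */
    d->transfer_live = true;
    d->in_dma = true;
    for (uint32_t i = 0; i < d->ring_count; i++) {
        struct ring_desc desc;
        uint32_t off = d->ring_addr + i * (uint32_t)sizeof desc;
        if (off + sizeof desc > RAM_SIZE)
            break;                                  /* ring runs off the end of RAM */
        memcpy(&desc, &d->ram[off], sizeof desc);
        uint32_t len = desc.len < PKT_LEN ? desc.len : PKT_LEN;
        bus_write(d, desc.buf, payload, len);
        if (!d->transfer_live) {                    /* reset ran underneath us: the real code would now touch freed memory */
            d->stale_uses++;
            break;
        }
    }
    d->in_dma = false;
    d->transfer_live = false;
}

/* Program a two-entry ring whose first buffer pointer overlaps the register
 * window (the overlap EHCI did not check for), run the engine, report counts. */
struct outcome run_model(bool guard) {
    static struct device d;
    memset(&d, 0, sizeof d);
    d.use_guard = guard;
    d.ring_addr = 0x100;
    d.ring_count = 2;
    struct ring_desc ring[2] = {
        { MMIO_BASE, 1 },       /* entry 0: buffer lands on REG_CTRL */
        { 0x200, PKT_LEN },     /* entry 1: ordinary RAM buffer */
    };
    memcpy(&d.ram[d.ring_addr], ring, sizeof ring);
    run_dma(&d);
    return (struct outcome){ d.resets, d.rejected, d.stale_uses };
}

int main(void) {
    struct outcome u = run_model(false), g = run_model(true);
    printf("unguarded: resets=%d stale_uses=%d\n", u.resets, u.stale_uses);
    printf("guarded:   resets=%d rejected=%d stale_uses=%d\n", g.resets, g.rejected, g.stale_uses);
    return 0;
}
```

Without the guard the first descriptor's write reaches REG_CTRL, the reset runs while the engine is still walking the ring, and the engine's next step operates on torn-down state; that is the shape of the backtrace the issue describes, where the register access path is re-entered from the DMA path. With the guard the same write is refused and the transfer completes with the device state intact. A per-device flag is the simplest form of this check; a bus-level version that rejects DMA targets overlapping the device's own MMIO region would close the same hole before the handler is ever reached.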
Edited Jan 18, 2022 by
Related news
Ubuntu Security Notice 5772-1 - It was discovered that QEMU incorrectly handled bulk transfers from SPICE clients. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that QEMU did not properly manage memory when it transfers the USB packets. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Red Hat Security Advisory 2022-7967-01 - Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Issues addressed include buffer overflow, bypass, null pointer, and use-after-free vulnerabilities.
Gentoo Linux Security Advisory 202208-27 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 7.0.0 are affected.