Bug 1185000 (CVE-2021-3507) - VUL-0: CVE-2021-3507: qemu,kvm: fdc: heap buffer overflow in DMA read data transfers
Summary: VUL-0: CVE-2021-3507: qemu,kvm: fdc: heap buffer overflow in DMA read data tr...
Status: RESOLVED FIXED
Alias: CVE-2021-3507
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/282256/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3507:4.4:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-20 07:01 UTC by Alexander Bergmann
Modified: 2024-06-07 07:41 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-04-20 07:01:09 UTC 
rh#1951118

A heap buffer overflow was found in the floppy disk emulator of QEMU. It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1951118
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507
Comment 1 Dario Faggioli 2022-02-18 18:53:46 UTC 
(In reply to Alexander Bergmann from comment #0)
> rh#1951118
> 
> A heap buffer overflow was found in the floppy disk emulator of QEMU. It
> could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing
> DMA read data transfers from the floppy drive to the guest system. A
> privileged guest user could use this flaw to crash the QEMU process on the
> host resulting in DoS scenario, or potential information leakage from the
> host memory.
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=1951118
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507
>
I was looking into this, but situation is a bit confusing, at least for me.

This is mentioned in the discussion: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233

And we can backport it... but I'm not sure it's the actual fix for this issue, which might instead be still missing (e.g., the CVE appears to be different)
Comment 2 Dario Faggioli 2022-03-01 17:30:32 UTC 
(In reply to Dario Faggioli from comment #1)
> (In reply to Alexander Bergmann from comment #0)
> > References:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1951118
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3507
>
> This is mentioned in the discussion:
> https://gitlab.com/qemu-project/qemu/-/commit/
> 1ab95af033a419e7a64e2d58e67dd96b20af5233
> 
> And we can backport it... but I'm not sure it's the actual fix for this
> issue, which might instead be still missing (e.g., the CVE appears to be
> different)
>
In fact, that seems to be about CVE-2021-20196, which is already been worked on in bug 1181361 (backport done for 15SP2 and 15SP3, still missing for 12SP5).

Do you think we need other patches? I personally don't find much about whether we do or not, in the upstream list (and the same appears to be true for others, considering the last comment to https://bugzilla.redhat.com/show_bug.cgi?id=1951118)
Comment 3 Dario Faggioli 2022-03-17 09:33:08 UTC 
An update:

https://lore.kernel.org/qemu-devel/38386efc-1e83-63d4-703d-10c7650e7829@redhat.com/

But patches haven't been merged yet. Will keep monitoring.
Comment 4 Carlos López 2022-09-01 11:42:34 UTC 
The fix was finally merged a few months ago:
https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367
Comment 9 Swamp Workflow Management 2022-10-26 14:10:02 UTC 
SUSE-SU-2022:3768-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1175144,1182282,1185000,1192463,1198035,1198037,1198038,1201367
CVE References: CVE-2020-17380,CVE-2021-3409,CVE-2021-3507,CVE-2021-4206,CVE-2021-4207,CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Enterprise Storage 6 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE CaaS Platform 4.0 (src):    qemu-3.1.1.1-150100.80.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-03-16 12:30:24 UTC 
SUSE-SU-2023:0761-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1172033, 1172382, 1175144, 1180207, 1182282, 1185000, 1193880, 1197653, 1198035, 1198038, 1198712, 1201367, 1205808
CVE References: CVE-2020-13253, CVE-2020-13754, CVE-2020-14394, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409, CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2022-0216, CVE-2022-1050, CVE-2022-26354, CVE-2022-35414, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Maintenance Automation 2023-03-21 12:30:09 UTC 
SUSE-SU-2023:0840-1: An update that solves six vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1180207, 1185000, 1193880, 1197653, 1198038, 1202364, 1205808
CVE References: CVE-2020-14394, CVE-2021-3507, CVE-2021-3929, CVE-2022-0216, CVE-2022-1050, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Real Time 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.121.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2023-03-23 08:30:01 UTC 
SUSE-SU-2023:0879-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1180207, 1185000
CVE References: CVE-2020-14394, CVE-2021-3507
Sources used:
openSUSE Leap Micro 5.3 (src): qemu-6.2.0-150400.37.14.2
openSUSE Leap 15.4 (src): qemu-6.2.0-150400.37.14.2, qemu-linux-user-6.2.0-150400.37.14.1, qemu-testsuite-6.2.0-150400.37.14.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.14.2
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.14.2
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.14.2
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2023-03-23 08:30:05 UTC 
SUSE-SU-2023:0878-1: An update that solves two vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1185000, 1190425, 1202364, 1205808
CVE References: CVE-2021-3507, CVE-2022-4144
Sources used:
openSUSE Leap 15.4 (src): qemu-4.2.1-150200.72.2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.72.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.72.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): qemu-4.2.1-150200.72.2
SUSE Enterprise Storage 7 (src): qemu-4.2.1-150200.72.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Maintenance Automation 2023-04-27 16:30:37 UTC 
SUSE-SU-2023:0879-2: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1180207, 1185000
CVE References: CVE-2020-14394, CVE-2021-3507
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): qemu-6.2.0-150400.37.14.2
SUSE Linux Enterprise Micro 5.4 (src): qemu-6.2.0-150400.37.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.