CVE-2021-3750

A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
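To make the mechanism in the description concrete, the C model below is an added illustration and is not QEMU's code. It shows why a DMA buffer pointer that lands inside the controller's own MMIO window is dangerous: the device's registers are part of the guest physical address space, so the "DMA write" becomes a register write, a guest-chosen value with the reset bit set tears down every in-flight packet, and the transfer that is still running then touches the packet it just lost (here detected with a flag instead of a real free, so the model runs cleanly). The RAM size, MMIO base, register offset, bit value, struct names and function names are all assumptions of the model, and the overlap check in the hardened path is one defensive option shown for contrast, not a reproduction of the upstream QEMU fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the CVE-2021-3750 pattern; not QEMU code. Every address,
 * offset, size and name below is an assumption made for this model. */
#define RAM_SIZE        0x1000u       /* guest RAM modelled at physical 0..RAM_SIZE */
#define MMIO_BASE       0xFEBD0000u   /* where the controller's registers are mapped */
#define MMIO_SIZE       0x1000u
#define REG_USBCMD      0x20u         /* USBCMD register offset inside the MMIO window */
#define USBCMD_HCRESET  (1u << 1)     /* host controller reset bit */
#define MAX_PACKETS     4

enum xfer_result {
    XFER_OK,
    XFER_REJECTED_OVERLAP,  /* hardened path refused a buffer inside the MMIO window */
    XFER_USE_AFTER_FREE     /* packet torn down by a reset while its own DMA was running */
};

struct packet { bool live; uint32_t buf_ptr, len, bytes_done; };  /* live: not yet freed */

struct ehci {
    uint32_t      usbcmd;
    struct packet packets[MAX_PACKETS];
    unsigned      resets;
    uint8_t       guest_ram[RAM_SIZE];
};

/* Half-open interval overlap, widened to 64 bits so end computations cannot wrap. */
static bool ranges_overlap(uint64_t a, uint64_t a_len, uint64_t b, uint64_t b_len)
{
    return a < b + b_len && b < a + a_len;
}

/* Reset tears down every in-flight packet. The real device model frees the
 * packet objects here; clearing the live flag stands in for that free. */
static void ehci_reset(struct ehci *s)
{
    s->usbcmd = 0;
    for (int i = 0; i < MAX_PACKETS; i++) s->packets[i].live = false;
    s->resets++;
}

/* Guest-visible register write handler. */
static void ehci_mmio_write(struct ehci *s, uint32_t offset, uint32_t val)
{
    if (offset == REG_USBCMD) {
        s->usbcmd = val;
        if (val & USBCMD_HCRESET) ehci_reset(s);
    }
}

/* DMA from the device into guest physical address space. The controller's
 * own registers live in that space, so a buffer pointer inside the MMIO
 * window turns the DMA into a register write and re-enters the device
 * model in the middle of its own transfer: that is the reentrancy. */
static void ehci_dma_write(struct ehci *s, uint32_t paddr, const uint8_t *data, uint32_t len)
{
    if (len == 4 && paddr >= MMIO_BASE && (uint64_t)paddr + len <= MMIO_BASE + MMIO_SIZE) {
        uint32_t v = (uint32_t)data[0] | (uint32_t)data[1] << 8 |
                     (uint32_t)data[2] << 16 | (uint32_t)data[3] << 24;
        ehci_mmio_write(s, paddr - MMIO_BASE, v);
    } else if ((uint64_t)paddr + len <= RAM_SIZE) {
        memcpy(&s->guest_ram[paddr], data, len);
    }                                   /* anything else is unmapped: write dropped */
}

/* Transfer one packet. check_overlap == false is the vulnerable shape: the
 * packet is used after a DMA that may have torn it down. check_overlap ==
 * true refuses the buffer before any DMA can touch the registers. */
static enum xfer_result ehci_transfer(struct ehci *s, int idx, const uint8_t *data,
                                      uint32_t len, bool check_overlap)
{
    struct packet *p = &s->packets[idx];
    p->live = true;
    p->len = len;
    p->bytes_done = 0;
    if (check_overlap && ranges_overlap(p->buf_ptr, len, MMIO_BASE, MMIO_SIZE)) {
        p->live = false;
        return XFER_REJECTED_OVERLAP;
    }
    ehci_dma_write(s, p->buf_ptr, data, len);   /* may re-enter ehci_mmio_write -> ehci_reset */
    if (!p->live) return XFER_USE_AFTER_FREE;   /* real code would now touch freed memory */
    p->bytes_done = len;                        /* the post-DMA use that becomes the UAF */
    return XFER_OK;
}

/* Run one transfer whose (constructed, guest-controlled) payload is the
 * little-endian USBCMD value with HCRESET set, aimed at buf_ptr. *resets_out
 * receives the number of resets triggered while the packet was in flight. */
enum xfer_result run_scenario(uint32_t buf_ptr, bool check_overlap, unsigned *resets_out)
{
    struct ehci s;
    memset(&s, 0, sizeof s);
    s.packets[0].buf_ptr = buf_ptr;
    uint8_t payload[4] = { (uint8_t)USBCMD_HCRESET, 0, 0, 0 };
    enum xfer_result r = ehci_transfer(&s, 0, payload, sizeof payload, check_overlap);
    if (resets_out) *resets_out = s.resets;
    return r;
}
```

Calling `run_scenario(MMIO_BASE + REG_USBCMD, false, &resets)` reproduces the bug shape: one reset fires during the packet's own DMA and the transfer returns `XFER_USE_AFTER_FREE`. The same call with `check_overlap` set returns `XFER_REJECTED_OVERLAP` with no reset. Two details matter when writing such a check for real: the overlap test must be against the whole buffer range, not just its first byte, so a buffer that starts just below the window and ends inside it is also caught; and the check has to run before the first DMA, because once the reset handler has run the packet object is already gone.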
Configurations

Configuration 1

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Configuration 2 (either of)

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*

History

12 Feb 2023, 23:42

References (tags not recorded)
  • (MISC) https://access.redhat.com/security/cve/CVE-2021-3750
  • (MISC) https://access.redhat.com/errata/RHSA-2022:7967
Summary (changed)
  Removed: the description without the closing sentence "This flaw affects QEMU versions before 7.0.0."
  Added: the same description with the closing sentence "This flaw affects QEMU versions before 7.0.0." appended (the wording shown at the top of this page).

02 Feb 2023, 21:21

References
  • (MISC) https://access.redhat.com/security/cve/CVE-2021-3750
  • (MISC) https://access.redhat.com/errata/RHSA-2022:7967
Summary (changed)
  Removed: the description ending with the sentence "This flaw affects QEMU versions before 7.0.0."
  Added: the same description with that closing sentence dropped.

25 Oct 2022, 20:06

References (tags added)
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220624-0003/ : Third Party Advisory
  • (GENTOO) https://security.gentoo.org/glsa/202208-27 : Third Party Advisory

15 Aug 2022, 11:15

References
  • (GENTOO) https://security.gentoo.org/glsa/202208-27

24 Jun 2022, 16:15

References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220624-0003/

16 May 2022, 18:14

CWE (added)
  • CWE-416
First Time
  • Redhat
  • Qemu
  • Redhat enterprise Linux
  • Qemu qemu
CPE (added)
  • cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
CVSS (changed)
  v2 : unknown -> 4.6
  v3 : unknown -> 8.2
References (tags added)
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1999073 : Issue Tracking, Third Party Advisory
  • (MISC) https://gitlab.com/qemu-project/qemu/-/issues/541 : Exploit, Third Party Advisory
  • (MISC) https://gitlab.com/qemu-project/qemu/-/issues/556 : Third Party Advisory

02 May 2022, 19:15

New CVE

Information

Published : 2022-05-02 19:15

Updated : 2023-12-10 14:22


NVD link : CVE-2021-3750

Mitre link : CVE-2021-3750

CVE.ORG link : CVE-2021-3750


Products Affected

redhat

  • enterprise_linux

qemu

  • qemu
CWE
CWE-416

Use After Free