CVE-2021-3748 - QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu

BelCloud

Hello

Code:
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
https://bugzilla.redhat.com/show_bug.cgi?id=1998514

As far as I understand, there's a risk of guest to host access due to this vulnerability.

I was wondering if this is fixed and if PVE 6 is also covered?
Are there any mitigations, or do we need to shut down / migrate all VMs in order to update it?

Thank you
 
Hi,
> I was wondering if this is fixed and if PVE 6 is also covered?

The fix isn't contained in the 5.2 QEMU from Proxmox VE 6.4 at the time of writing; we'll cherry-pick this plus a few other bugfix patches that piled up and release this over the next few days for PVE 6.x.

> Are there any mitigations, or do we need to shut down / migrate all VMs in order to update it?

Once the upgrade is available you can just do the classic: first upgrade a host, then migrate VMs to the upgraded host so that they start with the new, fixed QEMU executable.
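
An added example, not part of the thread and not Proxmox tooling: a shell check for the point made in the reply above, that a guest is only covered once it runs the new QEMU executable. It lists QEMU processes whose binary was replaced on disk since they started; the pidfile directory `/var/run/qemu-server` and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: find guests still running the pre-upgrade QEMU binary.
# After a package upgrade replaces the executable, the kernel shows the old
# one as "<path> (deleted)" in /proc/<pid>/exe for processes started earlier.

# stale_qemu_pids [PROC_ROOT]: print PIDs whose exe link is a deleted qemu binary.
# PROC_ROOT defaults to /proc; it is a parameter so a constructed tree can be used.
stale_qemu_pids() {
    local proc_root="${1:-/proc}" dir target
    for dir in "$proc_root"/[0-9]*; do
        [ -L "$dir/exe" ] || continue
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *qemu*" (deleted)") printf '%s\n' "${dir##*/}" ;;
        esac
    done | sort -n
}

# vmid_for_pid PID [PIDFILE_DIR]: map a PID to a VMID through <vmid>.pid files.
# The default directory is an assumption about the Proxmox VE host layout.
vmid_for_pid() {
    local pid="$1" piddir="${2:-/var/run/qemu-server}" f
    for f in "$piddir"/*.pid; do
        [ -r "$f" ] || continue
        if [ "$(tr -d '[:space:]' < "$f")" = "$pid" ]; then
            f=${f##*/}
            printf '%s\n' "${f%.pid}"
            return 0
        fi
    done
    return 1
}

# report_stale_guests [PROC_ROOT] [PIDFILE_DIR]: one line per guest that must
# still be migrated or restarted to pick up the fixed executable.
report_stale_guests() {
    local pid vmid
    stale_qemu_pids "${1:-/proc}" | while read -r pid; do
        vmid=$(vmid_for_pid "$pid" "${2:-/var/run/qemu-server}") || vmid="unknown"
        printf 'VMID %s (pid %s) still runs the pre-upgrade QEMU binary\n' "$vmid" "$pid"
    done
}

# Run as root on the node with --report to scan the live system.
if [ "${1:-}" = "--report" ]; then report_stale_guests; fi
```

An empty report after the migrations means no QEMU process on that node is still executing the replaced binary.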
 
