Bug 1644052 (CVE-2018-16847)

Summary: CVE-2018-16847 QEMU: nvme: Out-of-bounds r/w buffer access in cmb operations
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amit, apevec, areis, berrange, cfergeau, chrisw, dwmw2, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, tdecacqu, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An out-of-bounds heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in a nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in denial of service or, potentially, run arbitrary code with privileges of the QEMU process.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:41:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1645438, 1645439, 1645440, 1645441, 1645442, 1645443, 1645444, 1645445, 1645446, 1645447, 1645448, 1645449    
Bug Blocks: 1644053    

Description Pedro Sampaio 2018-10-29 21:18:39 UTC
An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU.  It could occur in nvme_cmb_ops routines in nvme devices. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html

Comment 2 Prasad Pandit 2018-11-01 11:40:53 UTC
Acknowledgments:

Name: Li Qiang

Comment 3 Prasad Pandit 2018-11-02 08:59:10 UTC
External References:

https://www.openwall.com/lists/oss-security/2018/11/02/1

Comment 4 Prasad Pandit 2018-11-02 09:03:21 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1645442]