Bug 1786026

Summary: QEMU: sm501_2d_operation() in hw/display/sm501.c allows out-of-bounds write and read operations (CVE request)
Product: [Other] Security Response
Reporter: ziming zhang <1015138407>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: 1015138407, chayang, jinzhao, juzhang, mcascell, mst, pmatouse, yanghliu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-03 17:18:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: gdb debugging crash scene, c language poc file, poc binary file (Flags: none)

Description ziming zhang 2019-12-23 06:43:52 UTC
Created attachment 1647274
gdb debugging crash scene, c language poc file, poc binary file

Description of problem:
The sm501_2d_operation function in hw/display/sm501.c has out-of-bounds read and write problems due to integer overflow.

The overflow occurs in COPY_AREA. When the rtl parameter is set to 1, and src_y is less than operation_height or src_x is less than operation_width, this error is caused.

Version-Release number of selected component (if applicable):
4.2.0
4.1.0
4.0.1

How reproducible:
I execute qemu with these parameters:
qemu-system-ppc -hda ./debian_squeeze_powerpc_standard.qcow2 -nographic -device sm501 -L pc-bios
qcow2 file download link: https://people.debian.org/~aurel32/qemu/powerpc/

This error can be triggered after uploading the poc file in the attachment.

Steps to Reproduce:
1. Use qemu-system-ppc to start the simulated environment.
2. Use lspci to determine the location of the sm501 device.
In my tests it was /sys/devices/pci0000:00/0000:00:04.0
3. Compile poc through powerpc-linux-gnu-gcc and upload it to the simulation environment.

Actual results:
An attacker in a guest VM can use this flaw to cause a denial of service

Expected results:
An attacker in a guest VM can use this flaw to cause a denial of service

Additional info:

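As an added example from the defender's side, not code from QEMU or from the reporter's attachment: a C check for the byte range a copy-area operation would touch before any pixel is read or written, using the stepping direction the report describes (with rtl set, x and y count downwards from the start coordinate, so a start coordinate smaller than the block extent drives the index negative). The function name, its parameters and the 4 MiB local-memory size are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed local-memory size for the check (not taken from the report). */
#define LOCAL_MEM_SIZE (4u * 1024u * 1024u)

/*
 * Return true only if every byte of a width x height copy starting at pixel
 * (x, y) lies inside [0, mem_size).  pitch is the row length in pixels, bpp
 * the bytes per pixel, base the byte offset of the surface.  With rtl set
 * the engine steps towards lower x and y, so the last pixel visited is
 * (x - (width - 1), y - (height - 1)): the negative-index case of the report.
 * Without rtl the block grows upwards and can run past the end of memory.
 */
bool area_in_bounds(uint64_t base, unsigned x, unsigned y, unsigned width,
                    unsigned height, unsigned pitch, unsigned bpp, bool rtl,
                    uint64_t mem_size)
{
    if (width == 0 || height == 0 || bpp == 0 || pitch == 0) {
        return false;                 /* an empty block is not a valid op */
    }
    if (rtl && (x < width - 1 || y < height - 1)) {
        return false;                 /* index would go below the surface */
    }
    /* 64-bit arithmetic so the check itself cannot wrap. */
    uint64_t first_row = rtl ? (uint64_t)y - (height - 1) : (uint64_t)y;
    uint64_t last_row  = rtl ? (uint64_t)y : (uint64_t)y + height - 1;
    uint64_t first_col = rtl ? (uint64_t)x - (width - 1) : (uint64_t)x;
    uint64_t last_col  = rtl ? (uint64_t)x : (uint64_t)x + width - 1;
    if (last_col >= pitch) {
        return false;                 /* row would wrap into the next row */
    }
    uint64_t lo = base + (first_row * pitch + first_col) * bpp;
    uint64_t hi = base + (last_row * pitch + last_col) * bpp + bpp;
    return lo < hi && hi <= mem_size; /* hi is one past the last byte */
}

int main(void)
{
    /* Constructed parameters: 640-pixel pitch, 32 bpp, 16x16 block. */
    printf("rtl, start (100,5): %s\n",
           area_in_bounds(0, 100, 5, 16, 16, 640, 4, true, LOCAL_MEM_SIZE)
               ? "ok" : "rejected");
    printf("rtl, start (100,100): %s\n",
           area_in_bounds(0, 100, 100, 16, 16, 640, 4, true, LOCAL_MEM_SIZE)
               ? "ok" : "rejected");
    return 0;
}
```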
Comment 1 ziming zhang 2019-12-24 07:14:34 UTC
 CVE request

Comment 2 Mauro Matteo Cascella 2020-03-03 17:15:31 UTC
Hi,

please submit a CVE request to MITRE: https://cveform.mitre.org.
If you have any questions, I suggest contacting secalert for further details about CVE assignment.

Thank you.

Comment 3 Mauro Matteo Cascella 2020-03-03 17:18:03 UTC
Closing this bug as a duplicate of 1808510.

*** This bug has been marked as a duplicate of bug 1808510 ***