Bug 1808510 (CVE-2020-12829)

Summary: CVE-2020-12829 qemu: OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: 1015138407, ailan, amit, areis, berrange, cfergeau, dbecker, drjones, dwmw2, imammedo, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jpadman, jschluet, kbasil, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, vkuznets, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw was found in the SM501 display driver implementation of the QEMU emulator. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process on the host, resulting in a denial of service.
Story Points: ---
Last Closed: 2020-04-15 10:31:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1819670, 1819639, 1819640, 1819641, 1819643, 1819645, 1819669, 1819671, 1819694, 1819695, 1819701
Bug Blocks: 1786593

Description Mauro Matteo Cascella 2020-02-28 17:11:41 UTC
An out-of-bounds read/write vulnerability was found in function sm501_2d_operation() in hw/display/sm501.c. The OOB flaw is caused by an integer overflow in COPY_AREA when the `rtl` parameter is set to 1, and either `src_y` or `src_x` is less than `operation_height`. Please refer to the following duplicate bug for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1786026.

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
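As an added illustration (not code from the bug report or from QEMU), the C model below shows why a right-to-left copy that subtracts from `src_x`/`src_y` in unsigned arithmetic wraps to a huge offset, and a defensive check that rejects such a request before any framebuffer memory is touched. The function names, the pitch-based framebuffer layout and all sample register values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Hypothetical model of a right-to-left (rtl) 2D copy: the engine starts at
 * (x, y) and steps toward smaller coordinates, so each pixel address is a
 * subtraction. In unsigned 32-bit maths, y < row (or x < col) wraps to a huge
 * offset far outside the framebuffer: the integer overflow the report describes.
 */
uint32_t naive_rtl_index(uint32_t x, uint32_t y, uint32_t row, uint32_t col,
                         uint32_t pitch)
{
    return (y - row) * pitch + (x - col);   /* wraps when y < row or x < col */
}

/*
 * Check that a w x h rectangle anchored at (x, y) fits inside a framebuffer of
 * fb_pixels pixels with the given row pitch (in pixels). For rtl the anchor is
 * the bottom-right corner, so it is normalised to the top-left corner first,
 * refusing anything that would step below zero. 64-bit arithmetic keeps the
 * check itself from wrapping; whole rows are required (conservative).
 */
static bool rect_in_bounds(uint64_t x, uint64_t y, uint64_t w, uint64_t h,
                           uint64_t pitch, uint64_t fb_pixels, bool rtl)
{
    if (w == 0 || h == 0 || pitch == 0 || w > pitch) {
        return false;
    }
    if (rtl) {
        if (x + 1 < w || y + 1 < h) {
            return false;                   /* would underflow */
        }
        x = x + 1 - w;
        y = y + 1 - h;
    }
    if (x + w > pitch || y + h > fb_pixels / pitch) {
        return false;                       /* runs off the row or past the end */
    }
    return true;
}

/* Validate both rectangles of a copy before any memory access is made. */
bool copy_area_is_safe(uint32_t src_x, uint32_t src_y, uint32_t dst_x,
                       uint32_t dst_y, uint32_t w, uint32_t h,
                       uint32_t src_pitch, uint32_t dst_pitch,
                       uint64_t fb_pixels, bool rtl)
{
    return rect_in_bounds(src_x, src_y, w, h, src_pitch, fb_pixels, rtl) &&
           rect_in_bounds(dst_x, dst_y, w, h, dst_pitch, fb_pixels, rtl);
}
```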

Comment 1 Mauro Matteo Cascella 2020-03-03 17:18:03 UTC
*** Bug 1786026 has been marked as a duplicate of this bug. ***

Comment 4 Mauro Matteo Cascella 2020-04-01 09:43:14 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1819670]
Affects: fedora-all [bug 1819669]
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1819671]

Comment 6 Mauro Matteo Cascella 2020-04-01 11:00:22 UTC
Acknowledgments:

Name: Ziming Zhang

Comment 12 Mauro Matteo Cascella 2020-04-15 08:26:04 UTC
Statement:

This flaw did not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, as they did not include the vulnerable code, which was introduced in a later version of the package.
Red Hat Enterprise Linux 7, 8 and RHEL Advanced Virtualization are not affected by this flaw, as the SM501 device is not built and shipped with the products listed.

Comment 15 Mauro Matteo Cascella 2020-05-14 07:51:12 UTC
CVE-2020-12829 assigned via MITRE form.