Bug 1906388

Summary: QEMU: division by zero in zynq_slcr_compute_pll() in hw/misc/zynq_slcr.c
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Target Milestone: ---
Target Release: ---
Reporter: Mauro Matteo Cascella <mcascell>
Assignee: Red Hat Product Security <security-response-team>
CC: ailan, berrange, cfergeau, dbecker, drjones, eglynn, imammedo, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mgarciac, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, vkuznets, xen-maint
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2020-12-10 12:47:07 UTC
Bug Depends On: 1906513, 1906514
Bug Blocks: 1903276

Description Mauro Matteo Cascella 2020-12-10 12:09:23 UTC
A divide by zero issue was found in the Xilinx Zynq platform emulation of QEMU, available through arm/aarch64 targets. Specifically, function zynq_slcr_compute_pll() in hw/misc/zynq_slcr.c computes the output frequency using input frequency and PLL_CTRL register without properly validating the latter. A guest user may be able to exploit this flaw to crash the QEMU process on the host, resulting in a denial of service.
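
The pattern the description refers to, as an added illustration that is not QEMU's code and not part of the original report: a PLL output computed by dividing the input by a feedback-divider field that the guest controls, first without any check on that field and then with a zero value remapped before the division. The PLL_CTRL bit layout used here (FDIV in bits [18:12], BYPASS_FORCE bit 4, PWRDWN bit 1, RESET bit 0) is an assumption of this example, modelled on the Zynq-7000 PLL control registers, and the value substituted for a zero divider is a modelling choice, not a claim about what the upstream fix does.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed PLL_CTRL bit layout (modelled on the Zynq-7000 PLL control
 * registers). The positions are an assumption of this example.
 */
#define PLL_CTRL_RESET         (1u << 0)
#define PLL_CTRL_PWRDWN        (1u << 1)
#define PLL_CTRL_BYPASS_FORCE  (1u << 4)
#define PLL_CTRL_FPDIV_SHIFT   12u
#define PLL_CTRL_FPDIV_LENGTH  7u
#define PLL_CTRL_FPDIV_MASK    ((((uint32_t)1 << PLL_CTRL_FPDIV_LENGTH) - 1) \
                                << PLL_CTRL_FPDIV_SHIFT)

static uint32_t pll_fpdiv(uint32_t ctrl)
{
    return (ctrl & PLL_CTRL_FPDIV_MASK) >> PLL_CTRL_FPDIV_SHIFT;
}

/*
 * Unvalidated form: the guest-writable feedback divider goes straight
 * into the divisor. A register write that leaves the FDIV field at 0
 * reaches the division and raises SIGFPE in the emulator process.
 */
static uint64_t compute_pll_unchecked(uint64_t input, uint32_t ctrl)
{
    uint32_t mult = pll_fpdiv(ctrl);

    if (ctrl & PLL_CTRL_BYPASS_FORCE) {
        return input;           /* PLL bypassed: output follows input */
    }
    if (ctrl & (PLL_CTRL_RESET | PLL_CTRL_PWRDWN)) {
        return 0;               /* PLL held in reset or powered down */
    }
    return input / mult;        /* mult may be 0 here */
}

/* Would this register value reach the division with a zero divisor? */
static int unchecked_would_trap(uint32_t ctrl)
{
    if (ctrl & PLL_CTRL_BYPASS_FORCE) {
        return 0;
    }
    if (ctrl & (PLL_CTRL_RESET | PLL_CTRL_PWRDWN)) {
        return 0;
    }
    return pll_fpdiv(ctrl) == 0;
}

/*
 * Hardened form: a zero feedback divider is mapped to the largest ratio
 * the 7-bit field can express instead of being used as a divisor. Any
 * non-zero substitute removes the crash; the value chosen is a modelling
 * decision for this example.
 */
static uint64_t compute_pll_checked(uint64_t input, uint32_t ctrl)
{
    uint32_t mult = pll_fpdiv(ctrl);

    if (ctrl & PLL_CTRL_BYPASS_FORCE) {
        return input;
    }
    if (ctrl & (PLL_CTRL_RESET | PLL_CTRL_PWRDWN)) {
        return 0;
    }
    if (mult == 0) {
        mult = (uint32_t)1 << PLL_CTRL_FPDIV_LENGTH;   /* 128 */
    }
    return input / mult;
}

/*
 * Walk every value a guest can put in the FDIV field with the other bits
 * clear, run the hardened routine on each (it must never trap), and
 * return how many of those values the unchecked routine would crash on.
 */
static unsigned sweep_fpdiv(uint64_t input)
{
    unsigned crashes = 0;
    uint32_t limit = (uint32_t)1 << PLL_CTRL_FPDIV_LENGTH;

    for (uint32_t fdiv = 0; fdiv < limit; fdiv++) {
        uint32_t ctrl = fdiv << PLL_CTRL_FPDIV_SHIFT;
        if (unchecked_would_trap(ctrl)) {
            crashes++;
        }
        (void)compute_pll_checked(input, ctrl);
    }
    return crashes;
}

int main(void)
{
    uint64_t in = 1000000;                         /* constructed input */
    uint32_t ok = 40u << PLL_CTRL_FPDIV_SHIFT;     /* FDIV = 40 */

    printf("ctrl=0x%08x checked=%llu unchecked=%llu\n", ok,
           (unsigned long long)compute_pll_checked(in, ok),
           (unsigned long long)compute_pll_unchecked(in, ok));
    printf("ctrl=0x%08x unchecked would trap: %d, checked=%llu\n", 0u,
           unchecked_would_trap(0),
           (unsigned long long)compute_pll_checked(in, 0));
    printf("FDIV values that crash the unchecked form: %u\n",
           sweep_fpdiv(in));
    return 0;
}
```

The sweep is the check worth keeping around for any guest-writable divisor: enumerate the field's whole range rather than trusting that firmware never writes a reserved value, since the guest, not the firmware, decides what lands in the register.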

Comment 1 Mauro Matteo Cascella 2020-12-10 12:09:42 UTC
Acknowledgments:

Name: Gaoning Pan (Zhejiang University)

Comment 2 Mauro Matteo Cascella 2020-12-10 17:07:10 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1906514]
Affects: fedora-all [bug 1906513]

Comment 4 Mauro Matteo Cascella 2020-12-11 14:02:21 UTC
Statement:

This issue does not affect the versions of `qemu-kvm` as shipped with Red Hat products, as they do not include support for the Xilinx Zynq platform emulation. Additionally, Red Hat Product Security does not consider this bug to be a security vulnerability because it only affects the non-virtualization use case. For further information, please refer to the QEMU Security page: https://www.qemu.org/docs/master/system/security.html.

Comment 5 Philippe Mathieu-Daudé 2020-12-15 22:30:18 UTC
FWIW, upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=98a8cc741dad9cb4738f81a994bcf8d77d619152