Bug 1786026 - QEMU: sm501_2d_operation() in hw/display/sm501.c allows out-of-bounds write and read operations.(CVE request)
Summary: QEMU: sm501_2d_operation() in hw/display/sm501.c allows out-of-bounds write ...
Keywords:
Status: CLOSED DUPLICATE of bug 1808510
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-23 06:43 UTC by zhang zi ming(Codesafe Team of Legendsec at Qi'anxin Group)
Modified: 2020-03-05 18:24 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-03 17:18:03 UTC


Attachments (Terms of Use)
gdb debugging crash scene, c language poc file, poc binary file (128.54 KB, application/zip)
2019-12-23 06:43 UTC, zhang zi ming(Codesafe Team of Legendsec at Qi'anxin Group)
no flags Details

Description zhang zi ming(Codesafe Team of Legendsec at Qi'anxin Group) 2019-12-23 06:43:52 UTC
Created attachment 1647274 [details]
gdb debugging crash scene, c language poc file, poc binary file

Description of problem:
Sm501_2d_operation function in hw / display / sm501.c has out-of-bounds read and write problems due to integer overflow.

The overflow process occurs in COPY_AREA. When the rtl parameter is set to 1, and src_y is less than operation_height or src_x is less than operation_width, this error is caused

Version-Release number of selected component (if applicable):
4.2.0
4.1.0
4.0.1

How reproducible:
I execute qemu with this parameter.
qemu-system-ppc -hda ./debian_squeeze_powerpc_standard.qcow2 -nographic -device sm501 -L pc-bios
qcow2 file download link:https://people.debian.org/~aurel32/qemu/powerpc/

This error can be triggered after uploading the poc file in the attachment

Steps to Reproduce:
1.Use qemu-system-ppc to start the simulated environment
2.Use lspci to determine the location of the sm501 device.
In my tests it was /sys/devices/pci0000:00/0000:00:04.0
3.Compile poc through powerpc-linux-gnu-gcc and upload it to the simulation environment.

Actual results:
An attacker in a guest VM can use this flaw to cause a denial of service

Expected results:
An attacker in a guest VM can use this flaw to cause a denial of service

Additional info:

Comment 1 zhang zi ming(Codesafe Team of Legendsec at Qi'anxin Group) 2019-12-24 07:14:34 UTC
 CVE request

Comment 2 Mauro Matteo Cascella 2020-03-03 17:15:31 UTC
Hi,

please submit a CVE request to MITRE: https://cveform.mitre.org.
If you have any questions, I suggest contacting secalert@redhat.com for further details about CVE assignment.

Thank you.

Comment 3 Mauro Matteo Cascella 2020-03-03 17:18:03 UTC
Closing this bug as a duplicate of 1808510.

*** This bug has been marked as a duplicate of bug 1808510 ***


Note You need to log in before you can comment on or make changes to this bug.