Created attachment 1647274
gdb debugging crash scene, c language poc file, poc binary file

Description of problem:
The sm501_2d_operation function in hw/display/sm501.c has out-of-bounds read and write problems due to integer overflow. The overflow occurs in COPY_AREA. When the rtl parameter is set to 1, and src_y is less than operation_height or src_x is less than operation_width, this error is caused.

Version-Release number of selected component (if applicable):
4.2.0 4.1.0 4.0.1

How reproducible:
I execute qemu with this parameter.
qemu-system-ppc -hda ./debian_squeeze_powerpc_standard.qcow2 -nographic -device sm501 -L pc-bios
qcow2 file download link: https://people.debian.org/~aurel32/qemu/powerpc/
This error can be triggered after uploading the poc file in the attachment.

Steps to Reproduce:
1. Use qemu-system-ppc to start the simulated environment
2. Use lspci to determine the location of the sm501 device. In my tests it was /sys/devices/pci0000:00/0000:00:04.0
3. Compile poc through powerpc-linux-gnu-gcc and upload it to the simulation environment.

Actual results:
An attacker in a guest VM can use this flaw to cause a denial of service

Expected results:
An attacker in a guest VM can use this flaw to cause a denial of service

Additional info:
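Added example (not QEMU's code, not the reporter's PoC, and not the upstream fix): a standalone C validation routine that shows why the rtl case the report describes goes out of bounds, and the check a device model would need before touching local_mem. The names src_x, src_y, operation_width, operation_height and rtl follow the report; pitch, bpp and local_mem_size are assumed parameters introduced here for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds check for a 2D "copy area" operation, modelled on the
 * description in the bug report. It is not the sm501.c implementation.
 *
 * Returns true only if every byte the copy would touch lies inside a
 * framebuffer of local_mem_size bytes with the given pitch (pixels per
 * scanline) and bytes per pixel (bpp). */
bool copy_area_in_bounds(uint32_t src_x, uint32_t src_y,
                         uint32_t operation_width, uint32_t operation_height,
                         uint32_t pitch, uint32_t bpp, bool rtl,
                         uint64_t local_mem_size)
{
    if (operation_width == 0 || operation_height == 0 || bpp == 0 || pitch == 0) {
        return false;
    }

    uint32_t first_x, first_y; /* top-left corner of the rectangle touched */

    if (rtl) {
        /* Right-to-left copy: the loop walks from (src_x, src_y) towards
         * smaller coordinates, so the last row visited is
         * src_y - (operation_height - 1) and the last column is
         * src_x - (operation_width - 1). If src_y or src_x is smaller than
         * that extent the subtraction wraps (unsigned) or goes negative
         * (signed) and the resulting offset points outside the buffer.
         * This is the condition the report names: src_y < operation_height
         * or src_x < operation_width. */
        if (src_y < operation_height - 1 || src_x < operation_width - 1) {
            return false;
        }
        first_x = src_x - (operation_width - 1);
        first_y = src_y - (operation_height - 1);
    } else {
        first_x = src_x;
        first_y = src_y;
    }

    /* Compute the last byte touched in 64-bit arithmetic so that large
     * guest-supplied coordinates cannot wrap a 32-bit intermediate. */
    uint64_t last_row = (uint64_t)first_y + operation_height - 1;
    uint64_t last_col = (uint64_t)first_x + operation_width - 1;
    if (last_col >= pitch) {
        return false; /* the rectangle would run off the end of a scanline */
    }
    uint64_t last_byte = (last_row * pitch + last_col) * bpp + (bpp - 1);
    return last_byte < local_mem_size;
}

int main(void)
{
    /* Constructed parameters: 640-pixel pitch, 32bpp, 16 MiB of local memory. */
    const uint32_t pitch = 640, bpp = 4;
    const uint64_t mem = 16u * 1024 * 1024;

    printf("rtl, src_y below height : %s\n",
           copy_area_in_bounds(10, 3, 8, 8, pitch, bpp, true, mem) ? "accepted" : "rejected");
    printf("rtl, src at (7,7), 8x8  : %s\n",
           copy_area_in_bounds(7, 7, 8, 8, pitch, bpp, true, mem) ? "accepted" : "rejected");
    printf("ltr, last rows of memory: %s\n",
           copy_area_in_bounds(0, 6546, 8, 8, pitch, bpp, false, mem) ? "accepted" : "rejected");
    printf("ltr, one row past memory: %s\n",
           copy_area_in_bounds(0, 6547, 8, 8, pitch, bpp, false, mem) ? "accepted" : "rejected");
    return 0;
}
```

The rtl branch is the one the report is about: a start coordinate smaller than the rectangle's extent is rejected up front instead of being turned into a wrapped offset, and the final size check is done in 64 bits so that the left-to-right path cannot be bypassed by large coordinates either.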
CVE request
Hi, please submit a CVE request to MITRE: https://cveform.mitre.org. If you have any questions, I suggest contacting secalert for further details about CVE assignment. Thank you.
Closing this bug as a duplicate of 1808510. *** This bug has been marked as a duplicate of bug 1808510 ***