Bug 1808510 (CVE-2020-12829) - CVE-2020-12829 qemu: OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c
Alias: CVE-2020-12829
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 1786026
Depends On: 1819670 1819639 1819640 1819641 1819643 1819645 1819669 1819671 1819694 1819695 1819701
Blocks: 1786593
Reported: 2020-02-28 17:11 UTC by Mauro Matteo Cascella
Modified: 2021-02-16 20:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw was found in the SM501 display driver implementation of the QEMU emulator. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Last Closed: 2020-04-15 10:31:49 UTC


Description Mauro Matteo Cascella 2020-02-28 17:11:41 UTC
An out-of-bounds read/write vulnerability was found in function sm501_2d_operation() in hw/display/sm501.c. The OOB flaw is caused by an integer overflow in COPY_AREA when the `rtl` parameter is set to 1, and either `src_y` or `src_x` is less than `operation_height`. Please refer to the following duplicate bug for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1786026.

Upstream fix:

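A simplified model of the index arithmetic the description refers to, added here as an example for this page and not taken from QEMU's hw/display/sm501.c: the unchecked formula wraps in unsigned 32-bit arithmetic when `rtl` is set and `src_y` is smaller than `operation_height`, and a rectangle check rejects such an operation before any byte of local memory is read or written. The struct, the field widths, the memory size and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a tiny stand-in for the SM501 local (video) memory. */
#define LOCAL_MEM_SIZE 4096u

/* One 2D copy, modelled on the names used in the bug text (assumption). */
struct copy_op {
    uint32_t src_x, src_y, src_pitch;   /* source origin and row pitch, in pixels */
    uint32_t dst_x, dst_y, dst_pitch;   /* destination origin and row pitch */
    uint32_t width, height;             /* operation_width / operation_height */
    bool rtl;                           /* right-to-left, bottom-to-top copy */
    unsigned bpp;                       /* bytes per pixel */
};

/* Byte offset of pixel (x, y) of the rectangle, in the style of an unchecked
 * copy loop. With rtl set, (y0 - y) is computed in unsigned 32-bit arithmetic,
 * so y0 < height makes the row term wrap to a huge value. */
static uint32_t pixel_index(uint32_t x0, uint32_t y0, uint32_t pitch, unsigned bpp,
                            bool rtl, uint32_t x, uint32_t y)
{
    if (rtl) {
        return ((y0 - y) * pitch + x0 - x) * bpp;
    }
    return ((y0 + y) * pitch + x0 + x) * bpp;
}

/* Validates the whole rectangle before any memory access. For an rtl copy the
 * origin must lie at least (width-1, height-1) from the top-left corner so no
 * subtraction wraps; the last offset is then computed in 64 bits. */
static bool copy_op_in_bounds(const struct copy_op *op, size_t mem_size)
{
    if (op->width == 0 || op->height == 0 || op->bpp == 0) {
        return false;
    }
    uint64_t src_last, dst_last;   /* byte offset of the last pixel touched */
    if (op->rtl) {
        if (op->src_y < op->height - 1 || op->src_x < op->width - 1 ||
            op->dst_y < op->height - 1 || op->dst_x < op->width - 1) {
            return false;          /* a subtraction would wrap below zero */
        }
        /* walking backwards, the highest address is at (x = 0, y = 0) */
        src_last = ((uint64_t)op->src_y * op->src_pitch + op->src_x) * op->bpp;
        dst_last = ((uint64_t)op->dst_y * op->dst_pitch + op->dst_x) * op->bpp;
    } else {
        src_last = (((uint64_t)op->src_y + op->height - 1) * op->src_pitch +
                    op->src_x + op->width - 1) * op->bpp;
        dst_last = (((uint64_t)op->dst_y + op->height - 1) * op->dst_pitch +
                    op->dst_x + op->width - 1) * op->bpp;
    }
    return src_last + op->bpp <= mem_size && dst_last + op->bpp <= mem_size;
}

/* Hardened copy: rejects the operation unless every pixel is inside local
 * memory, then copies with the same index formula. Returns the number of
 * pixels copied, or -1 if the operation was rejected. */
static long copy_area(uint8_t *mem, size_t mem_size, const struct copy_op *op)
{
    if (!copy_op_in_bounds(op, mem_size)) {
        return -1;
    }
    long copied = 0;
    for (uint32_t y = 0; y < op->height; y++) {
        for (uint32_t x = 0; x < op->width; x++) {
            uint32_t s = pixel_index(op->src_x, op->src_y, op->src_pitch, op->bpp, op->rtl, x, y);
            uint32_t d = pixel_index(op->dst_x, op->dst_y, op->dst_pitch, op->bpp, op->rtl, x, y);
            memcpy(&mem[d], &mem[s], op->bpp);
            copied++;
        }
    }
    return copied;
}

/* Constructed scenario from the description: rtl set, src_y < operation_height.
 * True if the unchecked index escapes local memory and the check rejects it. */
bool demo_wrapped_index_is_rejected(void)
{
    struct copy_op op = { .src_x = 0, .src_y = 0, .src_pitch = 64, .dst_x = 0, .dst_y = 8,
                          .dst_pitch = 64, .width = 1, .height = 2, .rtl = true, .bpp = 1 };
    uint32_t idx = pixel_index(op.src_x, op.src_y, op.src_pitch, op.bpp, op.rtl, 0, 1);
    uint8_t mem[LOCAL_MEM_SIZE] = {0};
    return idx >= LOCAL_MEM_SIZE && copy_area(mem, sizeof mem, &op) == -1;
}

/* Constructed in-bounds rtl copy (two rows, one pixel wide); returns pixels copied. */
long demo_valid_rtl_copy(void)
{
    uint8_t mem[LOCAL_MEM_SIZE] = {0};
    struct copy_op op = { .src_x = 0, .src_y = 1, .src_pitch = 64, .dst_x = 0, .dst_y = 3,
                          .dst_pitch = 64, .width = 1, .height = 2, .rtl = true, .bpp = 1 };
    mem[64] = 0xAA;   /* source row 1 */
    mem[0]  = 0xBB;   /* source row 0 */
    long n = copy_area(mem, sizeof mem, &op);
    if (mem[192] != 0xAA || mem[128] != 0xBB) {   /* destination rows 3 and 2 */
        return -2;
    }
    return n;
}

int main(void)
{
    printf("wrapped index rejected: %s\n", demo_wrapped_index_is_rejected() ? "yes" : "no");
    printf("valid rtl copy moved %ld pixels\n", demo_valid_rtl_copy());
    return 0;
}
```

The check is deliberately placed on the whole rectangle rather than on each pixel inside the loop: the wrapped row term is only visible once the subtraction has already happened, so the safe place to validate is before the first subtraction, using the origin, extent and pitch of the operation.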
Comment 1 Mauro Matteo Cascella 2020-03-03 17:18:03 UTC
*** Bug 1786026 has been marked as a duplicate of this bug. ***

Comment 4 Mauro Matteo Cascella 2020-04-01 09:43:14 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1819670]
Affects: fedora-all [bug 1819669]

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1819671]

Comment 6 Mauro Matteo Cascella 2020-04-01 11:00:22 UTC

Name: Ziming Zhang

Comment 12 Mauro Matteo Cascella 2020-04-15 08:26:04 UTC

This flaw did not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, as they did not include the vulnerable code, which was introduced in a later version of the package.
Red Hat Enterprise Linux 7, 8 and RHEL Advanced Virtualization are not affected by this flaw, as the SM501 device is not built and shipped with the products listed.

Comment 15 Mauro Matteo Cascella 2020-05-14 07:51:12 UTC
CVE-2020-12829 assigned via MITRE form.
