An out-of-bounds read/write vulnerability was found in function sm501_2d_operation() in hw/display/sm501.c. The OOB flaw is caused by an integer overflow in COPY_AREA when the `rtl` parameter is set to 1, and either `src_y` or `src_x` is less than `operation_height`. Please refer to the following duplicate bug for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1786026.
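The description above boils down to index arithmetic: with `rtl` set, the copy walks backwards from (`src_x`, `src_y`), so once the row counter `y` passes `src_y` the computed offset becomes negative and the access leaves the framebuffer. The following is an added, hypothetical model of that arithmetic together with the bounds check a hardened implementation needs; it is not QEMU's code, and the `copy_area_op` struct, the helper names and the constructed 64-byte buffers are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the SM501 "copy area" parameters (not QEMU's code).
 * Field names follow the bug description: src_x, src_y, operation_height, rtl. */
typedef struct {
    int src_x, src_y, src_width;   /* source start pixel and line width (pixels) */
    int dst_x, dst_y, dst_width;   /* destination start pixel and line width */
    int operation_width, operation_height;
    int rtl;                       /* 1 = right-to-left / bottom-to-top copy */
    int bpp;                       /* bytes per pixel */
} copy_area_op;

/* Byte offset of operation pixel (x, y) in the source buffer. With rtl set the
 * row index is src_y - y, so for y > src_y the offset goes negative: that is
 * the condition named in the bug (src_y < operation_height). */
long src_offset(const copy_area_op *op, int x, int y)
{
    long row = op->rtl ? (long)op->src_y - y : (long)op->src_y + y;
    long col = op->rtl ? (long)op->src_x - x : (long)op->src_x + x;
    return (row * op->src_width + col) * op->bpp;
}

long dst_offset(const copy_area_op *op, int x, int y)
{
    long row = op->rtl ? (long)op->dst_y - y : (long)op->dst_y + y;
    long col = op->rtl ? (long)op->dst_x - x : (long)op->dst_x + x;
    return (row * op->dst_width + col) * op->bpp;
}

/* Offsets are monotonic in x and y when line widths are positive, so the
 * extreme offsets sit at the two opposite corners of the operation rectangle. */
static bool range_in_bounds(long first, long last, int bpp, size_t len)
{
    long lo = first < last ? first : last;
    long hi = first < last ? last : first;
    return lo >= 0 && (unsigned long)hi + (unsigned long)bpp <= len;
}

/* True only if every pixel the operation would touch lies inside both buffers.
 * This is the validation the vulnerable COPY_AREA path lacked. */
bool copy_area_in_bounds(const copy_area_op *op, size_t src_len, size_t dst_len)
{
    if (op->operation_width <= 0 || op->operation_height <= 0 ||
        op->src_width <= 0 || op->dst_width <= 0 || op->bpp <= 0) {
        return false;
    }
    int xm = op->operation_width - 1, ym = op->operation_height - 1;
    return range_in_bounds(src_offset(op, 0, 0), src_offset(op, xm, ym), op->bpp, src_len) &&
           range_in_bounds(dst_offset(op, 0, 0), dst_offset(op, xm, ym), op->bpp, dst_len);
}

/* Copies only after the check passes; returns 0 on success, -1 if rejected. */
int copy_area_checked(const copy_area_op *op, const uint8_t *src, size_t src_len,
                      uint8_t *dst, size_t dst_len)
{
    if (!copy_area_in_bounds(op, src_len, dst_len)) {
        return -1;
    }
    for (int y = 0; y < op->operation_height; y++) {
        for (int x = 0; x < op->operation_width; x++) {
            memcpy(dst + dst_offset(op, x, y), src + src_offset(op, x, y), (size_t)op->bpp);
        }
    }
    return 0;
}

/* Constructed scenario matching the bug: rtl = 1 and src_y (0) < operation_height (2).
 * Returns the result of the checked copy, which must be -1 (rejected). */
int demo_negative_row_rejected(void)
{
    uint8_t src[64] = {0}, dst[64] = {0};
    copy_area_op op = { .src_x = 3, .src_y = 0, .src_width = 8,
                        .dst_x = 3, .dst_y = 4, .dst_width = 8,
                        .operation_width = 2, .operation_height = 2,
                        .rtl = 1, .bpp = 1 };
    return copy_area_checked(&op, src, sizeof src, dst, sizeof dst);
}

/* Same operation with src_y = 1, which fits in the buffer. src[i] = i, so the
 * returned byte dst[35] equals the source offset it was copied from (11). */
int demo_valid_copy(void)
{
    uint8_t src[64], dst[64] = {0};
    for (int i = 0; i < 64; i++) {
        src[i] = (uint8_t)i;
    }
    copy_area_op op = { .src_x = 3, .src_y = 1, .src_width = 8,
                        .dst_x = 3, .dst_y = 4, .dst_width = 8,
                        .operation_width = 2, .operation_height = 2,
                        .rtl = 1, .bpp = 1 };
    if (copy_area_checked(&op, src, sizeof src, dst, sizeof dst) != 0) {
        return -1;
    }
    return dst[35];
}
```

The check deliberately validates the rectangle before any byte is moved rather than clamping per pixel, so a rejected operation leaves both buffers untouched; a device model would additionally want to log or flag the guest-supplied register values that failed validation.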
*** Bug 1786026 has been marked as a duplicate of this bug. ***
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 1819670]
Affects: fedora-all [bug 1819669]
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1819671]
Name: Ziming Zhang
This flaw did not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, as they did not include the vulnerable code, which was introduced in a later version of the package.
Red Hat Enterprise Linux 7, 8 and RHEL Advanced Virtualization are not affected by this flaw, as the SM501 device is not built and shipped with the products listed.
CVE-2020-12829 assigned via MITRE form.