1842912 – (CVE-2020-13765) CVE-2020-13765 QEMU: loader: OOB access while loading registered ROM may lead to code execution

Bug 1842912 (CVE-2020-13765) - CVE-2020-13765 QEMU: loader: OOB access while loading registered ROM may lead to code execution

Summary: CVE-2020-13765 QEMU: loader: OOB access while loading registered ROM may lead...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-13765
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1842922 1842923 1842924 1842925
Blocks:	1755361
TreeView+	depends on / blocked

Reported:	2020-06-02 11:37 UTC by Prasad Pandit
Modified:	2021-03-02 20:17 UTC (History)
CC List:	25 users (show)
Fixed In Version:	QEMU 4.2.0
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bound write access flaw was found in the way QEMU loads ROM contents at boot time. This flaw occurs in the rom_copy() routine while loading the contents of a 32-bit -kernel image into memory. Running an untrusted -kernel image may load contents at arbitrary memory locations, potentially leading to code execution with the privileges of the QEMU process.
Clone Of:
Environment:
Last Closed:	2021-02-02 14:41:48 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:0347	0	None	None	None	2021-02-02 12:06:49 UTC

Description Prasad Pandit 2020-06-02 11:37:35 UTC

An out-of-bound write access issue was found in the way QEMU loads ROM contents at boot time. It occurs in rom_copy() routine while loading contents of a 32-bit -kernel image into memory. Running an untrusted -kernel image may load contents at arbitrary memory locations, potentially leading to code execution with the privileges of the QEMU process.

Upstream patch:
---------------
  -> https://git.qemu.org/?p=qemu.git;a=commitdiff;h=e423455c4f23a1a828901c78fe6d03b7dde79319

Reference:
----------
  -> https://bugs.launchpad.net/qemu/+bug/1844635
  -> https://www.openwall.com/lists/oss-security/2020/06/03/6

Comment 8 errata-xmlrpc 2021-02-02 12:06:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0347 https://access.redhat.com/errata/RHSA-2021:0347

Comment 9 Product Security DevOps Team 2021-02-02 14:41:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13765

Comment 10 Nick Tait 2021-03-02 20:17:29 UTC

Statement:

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.

Note You need to log in before you can comment on or make changes to this bug.

amit
berrange
cfergeau
dbecker
dwmw2
itamar
jen
jferlan
jjoyce
jmaloy
jschluet
knoel
lhh
lpeer
mburns
mkenneth
mrezanin
mst
pbonzini
ribarry
rjones
sclewis
slinaber
virt-maint
virt-maint