A heap-based buffer overflow vulnerability was found in QEMU in the SDHCI device emulation support. It could occur during a multi-block SDMA transfer in the sdhci_sdma_transfer_multi_blocks() routine. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial-of-service condition, or potentially execute arbitrary code with the privileges of the QEMU process on the host.
Name: Alexander Bulekov
This flaw did not affect the following versions of QEMU as they did not include support for SDHCI device emulation:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.
* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7, 8, and RHEL Advanced Virtualization.
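The bug class named in the description at the top of this page, a heap-based overflow when a multi-block SDMA transfer copies guest-programmed block sizes into a fixed-size FIFO, is shown below in a constructed C model. This is an added example, not QEMU's sdhci.c and not the upstream patch; the struct, register names, FIFO size and the sentinel arena are assumptions made for the illustration. The vulnerable routine trusts the block-size register; the hardened one refuses a block size that does not fit the FIFO and bounds every guest-memory read before copying.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an SD host controller's multi-block SDMA transfer.
 * Added illustration of the bug class described above, not QEMU's sdhci.c;
 * all names, sizes and register semantics are assumptions for the example. */

#define FIFO_MAXSZ   512u     /* logical size of the controller's data FIFO */
#define BLKSIZE_MASK 0x0fffu  /* low 12 bits of the assumed block-size register */
#define SLACK        2048u    /* arena padding so an overflow stays observable, not UB */
#define GUEST_MEM_SZ 8192u    /* size of the stand-in for guest physical memory */

typedef struct {
    uint8_t  arena[FIFO_MAXSZ + SLACK]; /* arena[0..FIFO_MAXSZ) plays the FIFO; the rest is sentinel */
    uint32_t blksize;  /* guest-programmed block size register */
    uint16_t blkcnt;   /* guest-programmed block count */
    uint32_t sysad;    /* guest-programmed SDMA system address */
} SdhciModel;

static uint8_t guest_mem[GUEST_MEM_SZ]; /* constructed stand-in for guest RAM */

static void model_reset(SdhciModel *s, uint32_t blksize, uint16_t blkcnt, uint32_t sysad)
{
    memset(s->arena, 0xAA, sizeof s->arena); /* 0xAA sentinel detects writes past the FIFO */
    s->blksize = blksize;
    s->blkcnt  = blkcnt;
    s->sysad   = sysad;
}

/* Vulnerable form: the copy length comes straight from the guest-controlled
 * register, so any block size above FIFO_MAXSZ writes past the FIFO into
 * whatever follows it. Returns bytes moved. The guest-memory bound is only a
 * model limit so the example itself stays defined; it is not a fix. */
static size_t sdma_transfer_vulnerable(SdhciModel *s)
{
    size_t block = s->blksize & BLKSIZE_MASK;
    size_t moved = 0;
    while (s->blkcnt) {
        if ((size_t)s->sysad + block > GUEST_MEM_SZ) break;
        memcpy(s->arena, &guest_mem[s->sysad], block); /* no check against FIFO_MAXSZ */
        s->sysad += (uint32_t)block;
        s->blkcnt--;
        moved += block;
    }
    return moved;
}

/* Hardened form: refuse the transfer unless the block size is non-zero and
 * fits the FIFO, and validate each block's guest address range before the
 * copy. Returns bytes moved, or 0 when the request is rejected. */
static size_t sdma_transfer_hardened(SdhciModel *s)
{
    size_t block = s->blksize & BLKSIZE_MASK;
    size_t moved = 0;
    if (block == 0 || block > FIFO_MAXSZ) {
        return 0; /* guest asked for a block larger than the FIFO */
    }
    while (s->blkcnt) {
        if ((size_t)s->sysad + block > GUEST_MEM_SZ) break; /* stay inside guest memory */
        memcpy(s->arena, &guest_mem[s->sysad], block);
        s->sysad += (uint32_t)block;
        s->blkcnt--;
        moved += block;
    }
    return moved;
}

/* True if any sentinel byte past the FIFO was overwritten. */
static bool fifo_overflowed(const SdhciModel *s)
{
    for (size_t i = FIFO_MAXSZ; i < sizeof s->arena; i++) {
        if (s->arena[i] != 0xAA) return true;
    }
    return false;
}

/* Runs one guest-programmed transfer through the chosen routine; reports
 * whether the FIFO was overflowed and, via moved_out, how many bytes moved. */
static bool run_transfer(bool hardened, uint32_t blksize, uint16_t blkcnt, size_t *moved_out)
{
    SdhciModel s;
    memset(guest_mem, 0x41, sizeof guest_mem); /* constructed guest payload */
    model_reset(&s, blksize, blkcnt, 0);
    size_t moved = hardened ? sdma_transfer_hardened(&s) : sdma_transfer_vulnerable(&s);
    if (moved_out) *moved_out = moved;
    return fifo_overflowed(&s);
}

/* Convenience wrapper returning only the byte count. */
static size_t transfer_bytes(bool hardened, uint32_t blksize, uint16_t blkcnt)
{
    size_t moved = 0;
    run_transfer(hardened, blksize, blkcnt, &moved);
    return moved;
}
```

With a 2048-byte block the vulnerable routine clobbers everything between the end of the 512-byte FIFO and the end of the arena, which is the heap corruption an attacker would aim at in a real device model; the hardened routine moves nothing and leaves the sentinel intact, while a legitimate four-block transfer of 512 bytes each still completes in both.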
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Is this just a duplicate of CVE-2020-25085?
In reply to comment #10:
> Is this just a duplicate of CVE-2020-25085?
Yeah, looks like they are very similar. Apparently, CVE-2020-25085 is caused by an issue in the SDHC_BLKSIZE case, while this CVE deals with multi block SDMA (sdhci_sdma_transfer_multi_blocks). As far as I understand, what seems to be the patch for CVE-2020-25085 does not fix this CVE. And the patch for this CVE (comment 9) has not been merged upstream. So in a sense it's reasonable to keep them separate.
In any case, I'm also noticing that bug 1892960 is still reproducible upstream, which is very strange. I will need to investigate further, as I may be wrong...
Hi. FYI, the confusion between the 2 CVEs led https://ubuntu.com/security/CVE-2020-17380 to be fixed using .
If there's a fix, it might make sense to request a new CVE so it makes it to the distros.
> If there's a fix, it might make sense to request a new CVE so it makes it to the distros.
Agreed, will request/assign a new CVE for this. Thank you.
CVE-2021-3409 assigned. Please refer to BZ#1928146 for further updates, most notably upstream patch(es) when they get finalized.