Upstream commit [1] was supposed to fix CVE-2020-17380 and CVE-2020-25085, both involving a heap buffer overflow in the SDHCI controller emulation of QEMU. In fact, it turned out it was still possible to reproduce the same issue with specially crafted input, inducing a bogus transfer and subsequent out-of-bounds read/write access in sdhci_do_adma() or sdhci_sdma_transfer_multi_blocks().

[1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3
Statement: This flaw does not affect the versions of `qemu-kvm` as shipped with Red Hat products, as they do not include support for SDHCI device emulation.
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 1928171]
Affects: fedora-all [bug 1928170]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3409
Upstream patch series: https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
External References: https://www.openwall.com/lists/oss-security/2021/03/09/1
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=b263d8f928001b5cfa2a993ea43b7a5b3a1811e8
https://git.qemu.org/?p=qemu.git;a=commit;h=8be45cc947832b3c02144c9d52921f499f2d77fe
https://git.qemu.org/?p=qemu.git;a=commit;h=bc6f28995ff88f5d82c38afcfd65406f0ae375aa
https://git.qemu.org/?p=qemu.git;a=commit;h=5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd
https://git.qemu.org/?p=qemu.git;a=commit;h=cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9