A flaw was found in the ATI VGA emulation of QEMU. An inconsistent check and use of dst_[x|y] and s->regs.dst_[x|y] may lead to out-of-bounds write of vram_ptr. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations from the guest. A malicious guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Note: this is similar to CVE-2020-11869, CVE-2020-24352 and CVE-2020-27616.
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1979882]
Has this issue been forwarded/notified to upstream?
In reply to comment #4:
> Has this issue been forwarded/notified to upstream?
Yes, this was reported upstream via qemu-security mailing list. The impact of this CVE is very minimal as the ati-vga device is still experimental and not really meant to be used in production environments. This may be the reason why it's not been addressed so far. I'll reach out to QEMU maintainer(s) to ask if they have any feedback about this.
Could CVE-2021-3638 be fixed by this commit?
Author: Prasad J Pandit <email@example.com>
Date: Wed Oct 21 16:08:18 2020 +0530
ati: check x y display parameter values
The source and destination x,y display parameters in ati_2d_blt()
may run off the vga limits if either of s->regs.[src|dst]_[xy] is
zero. Check the parameter values to avoid potential crash.
Reported-by: Gaoning Pan <firstname.lastname@example.org>
Signed-off-by: Prasad J Pandit <email@example.com>
Signed-off-by: Gerd Hoffmann <firstname.lastname@example.org>
I don't think so, because that was the patch for CVE-2020-27616: https://bugzilla.redhat.com/show_bug.cgi?id=1894036#c0.
And it 's still possible to reproduce this issue with that patch applied.