A stack buffer overflow flaw was found in NVME in QEMU. The flaw lies in hw/nvme/ctrl.c:nvme_changed_nslist(), where a variable named off (Log Page offset) is controlled by the guest; if set to bigger than 4096, it could lead to an integer underflow. Another variable, buf_len, can also be partially controlled by the guest, which would lead to a stack buffer overflow. Since this flaw allows an attacker to read out-of-bounds memory, it could lead to disclosure of sensitive information.
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2022084]
Affects: fedora-all [bug 2022085]
(In reply to msiddiqu from comment #0)
> A stack overflow flaw was found in NVME in QEMU. The flaw lies in
> hw/nvme/ctrl.c:nvme_changed_nslist() where a variable named off (Log Page
> offset) is controlled by guest which if set to bigger than 4096 could lead
> to an integer underflow. Another variable buf_len can also be partially
> controlled by the guest which would lead to a stack buffer overflow. Since
> this flaw allows an attacker to read out of bounds memory it could lead to
> disclosure of sensitive information.

Proposed upstream patch: https://lore.kernel.org/qemu-devel/20211111153125.2258176-1-philmd@redhat.com/
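The offset/length arithmetic described in comment #0 (and quoted above), as an added illustration that is not QEMU's own code: a 4096-byte stack-local list is assumed, the function names plan_unchecked/plan_checked and the status values are hypothetical, and the point shown is how an unsigned subtraction with a guest-controlled off wraps so that MIN() keeps buf_len and the copy window falls outside the buffer, versus rejecting the offset before any arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSLIST_BYTES 4096u   /* assumed size of the stack-local changed-namespace list */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Illustrative status values, not NVMe's real encoding. */
enum { STATUS_OK = 0, STATUS_INVALID_FIELD = 1 };

/* Where a log-page copy would start, how much it would move, and whether
 * the window [start, start + trans_len) stays inside the buffer. */
typedef struct {
    int status;
    uint64_t start;
    uint64_t trans_len;
    bool in_bounds;
} copy_plan;

/* Unchecked pattern: off and buf_len are guest-controlled. When off exceeds
 * NSLIST_BYTES the subtraction wraps, MIN() selects buf_len, and the copy
 * starts past the end of the 4096-byte buffer (out-of-bounds read). */
copy_plan plan_unchecked(uint64_t off, uint32_t buf_len)
{
    copy_plan p = { STATUS_OK, off, 0, false };
    p.trans_len = MIN((uint64_t)NSLIST_BYTES - off, (uint64_t)buf_len);
    p.in_bounds = (off <= NSLIST_BYTES) && (p.trans_len <= NSLIST_BYTES - off);
    return p;
}

/* Checked pattern: refuse any offset at or beyond the buffer before computing
 * the length, so the subtraction can never wrap. */
copy_plan plan_checked(uint64_t off, uint32_t buf_len)
{
    copy_plan p = { STATUS_INVALID_FIELD, off, 0, false };
    if (off >= NSLIST_BYTES) {
        return p;  /* caller maps this to an invalid-field completion */
    }
    p.status = STATUS_OK;
    p.trans_len = MIN((uint64_t)NSLIST_BYTES - off, (uint64_t)buf_len);
    p.in_bounds = true;
    return p;
}

int main(void)
{
    copy_plan bad = plan_unchecked(5000, 64);   /* constructed guest-supplied values */
    copy_plan ok = plan_checked(5000, 64);
    printf("unchecked: len=%llu in_bounds=%d\n", (unsigned long long)bad.trans_len, bad.in_bounds);
    printf("checked: status=%d\n", ok.status);
    return 0;
}
```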
Likely final upstream fix (v3): https://lore.kernel.org/qemu-devel/20211117132335.41850-1-its@irrelevant.dk/
Fixed upstream by https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4