qxl_phys2virt() does not check the size of the structure pointed to by the guest physical address pqxl. If pqxl is near the end of the bar1 space, subsequent access to its fields may read past the end into adjacent pages. Proposed patch by Philippe Mathieu-Daudé: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg04143.html
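Added illustration, not QEMU's code and not taken from the linked patch: a constructed model of a guest-physical-to-host-virtual translation that shows the check shape the report describes (start offset only) beside a size-aware one. `BAR_SIZE`, `Bar`, `Descriptor` and the two `phys2virt_*` functions are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the bar1 region (not QEMU's code): 64 bytes of
 * BAR followed by 16 bytes that play the role of the adjacent page. */
#define BAR_SIZE 64u
typedef struct { uint8_t mem[BAR_SIZE + 16]; } Bar;

/* Hypothetical 8-byte guest structure reached through a guest physical
 * address, like the QXL command structures qxl_phys2virt() resolves. */
typedef struct { uint32_t type; uint32_t len; } Descriptor;

/* Vulnerable shape: only the start offset is checked, so a Descriptor at
 * BAR_SIZE - 4 is accepted although its second field lies past the BAR. */
void *phys2virt_unchecked(Bar *bar, uint64_t offset)
{
    return offset < BAR_SIZE ? bar->mem + offset : NULL;
}

/* Hardened shape: the caller passes the size it intends to access and the
 * whole [offset, offset + size) range must fit inside the BAR. The
 * subtraction form avoids the wrap-around that offset + size could produce. */
void *phys2virt_checked(Bar *bar, uint64_t offset, size_t size)
{
    if (offset >= BAR_SIZE || size > BAR_SIZE - offset) {
        return NULL;
    }
    return bar->mem + offset;
}

/* 1 if the unchecked translation returns a pointer whose Descriptor would
 * extend past the end of the BAR, 0 otherwise (pointer is not dereferenced). */
int unchecked_overruns(uint64_t offset)
{
    static Bar bar;
    const Descriptor *d = phys2virt_unchecked(&bar, offset);
    return d != NULL && (const uint8_t *)(d + 1) > bar.mem + BAR_SIZE;
}

/* 1 if the checked translation accepts the range, 0 if it rejects it. */
int checked_accepts(uint64_t offset, size_t size)
{
    static Bar bar;
    return phys2virt_checked(&bar, offset, size) != NULL;
}
```

The last four bytes of the BAR are a valid start offset for the unchecked path but the second field of the structure then lies in the adjacent memory, which is the condition the report describes; the size-aware path rejects that offset.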
Created qemu tracking bugs for this issue:
Affects: epel-all [bug 2148543]
Affects: fedora-all [bug 2148542]
https://patchwork.ozlabs.org/project/qemu-devel/list/?series=330382
Upstream commits:
https://gitlab.com/qemu-project/qemu/-/commit/61c34fc1
https://gitlab.com/qemu-project/qemu/-/commit/b1901de8
https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef
https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055
https://gitlab.com/qemu-project/qemu/-/commit/86fdb058
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0099 https://access.redhat.com/errata/RHSA-2023:0099
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:0432 https://access.redhat.com/errata/RHSA-2023:0432
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4144
Created spice tracking bugs for this issue: Affects: fedora-all [bug 2165530]