Bug 2229101 (CVE-2023-4135, ZDI-CAN-21521) - CVE-2023-4135 QEMU: NVMe: out-of-bounds read information disclosure vulnerability
Summary: CVE-2023-4135 QEMU: NVMe: out-of-bounds read information disclosure vulnerabi...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-4135, ZDI-CAN-21521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2229104
Blocks: 2228966
Reported: 2023-08-04 07:46 UTC by Mauro Matteo Cascella
Modified: 2023-08-23 17:12 UTC (History)

Fixed In Version: qemu-kvm 8.1.0
Doc Type: If docs needed, set a value
Doc Text:
A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.
Clone Of:
Environment:
Last Closed: 2023-08-04 13:04:31 UTC
Embargoed:



Description Mauro Matteo Cascella 2023-08-04 07:46:37 UTC
A heap out-of-bounds memory read was found in the virtual nvme device in QEMU. An offset provided by the guest is not validated by the QEMU process before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.

ZDI security advisory:
https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00516.html
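The bug class described above, as an added illustration that is not QEMU code and not taken from the upstream patch: a device model answering a guest "read at offset" request. `DeviceState`, `BUF_SIZE` and every function name below are constructed for this example. The unchecked variant shows the pattern the advisory describes (guest offset feeds pointer arithmetic before any range check); the checked variant validates both the offset and the offset-plus-length against the buffer size, using a subtraction ordered so that it cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed device state: a fixed-size heap-like buffer the guest may read from. */
#define BUF_SIZE 256

typedef struct {
    uint8_t data[BUF_SIZE];
} DeviceState;

/* Vulnerable pattern (never called here): the guest-controlled offset is used
 * to form a host pointer before any range check, so an offset at or beyond
 * BUF_SIZE copies adjacent host memory back to the guest. */
static void copy_to_guest_unchecked(const DeviceState *s, uint64_t off,
                                    size_t len, uint8_t *dst)
{
    memcpy(dst, s->data + off, len);
}

/* Hardened check: off must lie inside the buffer, and len must fit in the
 * remaining space. "size - off" cannot underflow because off < size was
 * established first, so this avoids the classic "off + len" wraparound. */
static bool guest_range_ok(uint64_t off, uint64_t len, uint64_t size)
{
    if (off >= size) {
        return false;
    }
    if (len > size - off) {
        return false;
    }
    return true;
}

/* Hardened copy: validate, then form the pointer. Returns 0 on success,
 * -1 when the guest request is rejected. */
static int copy_to_guest_checked(const DeviceState *s, uint64_t off,
                                 uint64_t len, uint8_t *dst)
{
    if (!guest_range_ok(off, len, sizeof s->data)) {
        return -1;
    }
    memcpy(dst, s->data + off, (size_t)len);
    return 0;
}

/* Test helpers: build a constructed device whose byte i holds (i & 0xff),
 * run one checked read, and return the status code. */
static int checked_read_status(uint64_t off, uint64_t len)
{
    DeviceState s;
    uint8_t out[BUF_SIZE];
    for (size_t i = 0; i < BUF_SIZE; i++) {
        s.data[i] = (uint8_t)i;
    }
    return copy_to_guest_checked(&s, off, len, out);
}

/* Same, but returns the first byte read (0..255) or -1 if rejected. */
static int checked_read_first_byte(uint64_t off)
{
    DeviceState s;
    uint8_t out[1];
    for (size_t i = 0; i < BUF_SIZE; i++) {
        s.data[i] = (uint8_t)i;
    }
    if (copy_to_guest_checked(&s, off, 1, out) != 0) {
        return -1;
    }
    return out[0];
}

int main(void)
{
    (void)copy_to_guest_unchecked; /* shown for contrast only, never invoked */
    printf("off=10  len=1   -> %d\n", checked_read_status(10, 1));
    printf("off=255 len=1   -> %d\n", checked_read_status(255, 1));
    printf("off=255 len=2   -> %d\n", checked_read_status(255, 2));
    printf("off=256 len=1   -> %d\n", checked_read_status(256, 1));
    printf("off=8   len=MAX -> %d\n", checked_read_status(8, UINT64_MAX));
    return 0;
}
```

The two-step check (offset first, then length against the remainder) is the detail reviewers most often look for in device-model fixes of this kind, because a single `off + len <= size` comparison on guest-controlled 64-bit values can wrap and pass for an offset far outside the buffer.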

Comment 1 Mauro Matteo Cascella 2023-08-04 07:52:45 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2229104]

Comment 2 Product Security DevOps Team 2023-08-04 13:04:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-4135

Comment 3 Mauro Matteo Cascella 2023-08-08 07:01:02 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf

