Bug 1912765 (CVE-2020-11947) - CVE-2020-11947 QEMU: heap buffer overflow in iscsi_aio_ioctl_cb() in block/iscsi.c may lead to information disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1912775 1912779 1912973 1912974 1920652
Blocks: 1912963
Reported: 2021-01-05 11:17 UTC by Marian Rehak
Modified: 2021-05-18 14:51 UTC (History)
CC: 30 users

Fixed In Version: qemu 5.0.0
Doc Type: If docs needed, set a value
Doc Text:
A heap buffer overflow flaw was found in the iSCSI support of QEMU. This flaw could lead to an out-of-bounds read access and possible information disclosure from the QEMU process memory to a malicious guest. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-02-23 19:01:59 UTC
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2021:0648
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2021-02-23 18:44:17 UTC

Description Marian Rehak 2021-01-05 11:17:06 UTC
iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.

Upstream Reference:

https://git.qemu.org/?p=qemu.git;a=commit;h=ff0507c239a246fd7215b31c5658fc6a3ee1e4c5

Comment 1 Marian Rehak 2021-01-05 11:18:06 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1912775]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1912779]

Comment 3 Mauro Matteo Cascella 2021-01-21 09:10:29 UTC
Statement:

This flaw has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 4 Mauro Matteo Cascella 2021-01-21 09:12:42 UTC
External References:

https://www.openwall.com/lists/oss-security/2021/01/13/4

Comment 5 zixchen 2021-01-28 05:18:00 UTC
I have trouble reproducing this bug; could you help with the steps for how to get to the 252-byte read stack trace of iscsi_aio_ioctl_cb? Thanks in advance.

Comment 7 Mauro Matteo Cascella 2021-02-01 14:11:06 UTC
Hello Zixi,

In reply to comment #5:
> I have trouble to reproduce this bug, could you help about the steps of how
> to get to read 252 bytes stack trace of iscsi_aio_ioctl_cb? Thanks in
> advance.

Unfortunately, we do not have any reproducer handy for this flaw. We may reach out to upstream, hopefully they can provide one.

Comment 8 zixchen 2021-02-02 02:42:46 UTC
(In reply to Mauro Matteo Cascella from comment #7)
> Hello Zixi,
> 
> In reply to comment #5:
> > I have trouble to reproduce this bug, could you help about the steps of how
> > to get to read 252 bytes stack trace of iscsi_aio_ioctl_cb? Thanks in
> > advance.
> 
> Unfortunately, we do not have any reproducer handy for this flaw. We may
> reach out to upstream, hopefully they can provide one.

Hi Mauro,
If it is hard to reproduce or it is not visible to user space, is it OK to just do a regression test on this bug?

Comment 9 Mauro Matteo Cascella 2021-02-02 16:22:03 UTC
In reply to comment #8:
> If it is hard to reproduce or it is not visible to user space, is it ok to
> just do regression test on this bug?

Sounds like a good plan to me. Otherwise please let me know and I'll try to come up with a reproducer for this bug. Thank you.

Comment 10 errata-xmlrpc 2021-02-23 18:44:14 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:0648 https://access.redhat.com/errata/RHSA-2021:0648

Comment 11 Product Security DevOps Team 2021-02-23 19:01:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11947

Comment 12 errata-xmlrpc 2021-05-18 14:51:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1762 https://access.redhat.com/errata/RHSA-2021:1762

