iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.

Upstream Reference:
https://git.qemu.org/?p=qemu.git;a=commit;h=ff0507c239a246fd7215b31c5658fc6a3ee1e4c5

Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1912775]

Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1912779]
Statement: This flaw has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
External References: https://www.openwall.com/lists/oss-security/2021/01/13/4
I have trouble reproducing this bug; could you help with the steps for how to get to read the 252 bytes stack trace of iscsi_aio_ioctl_cb? Thanks in advance.
Hello Zixi,

In reply to comment #5:
> I have trouble to reproduce this bug, could you help about the steps of how
> to get to read 252 bytes stack trace of iscsi_aio_ioctl_cb? Thanks in
> advance.

Unfortunately, we do not have any reproducer handy for this flaw. We may reach out to upstream, hopefully they can provide one.
(In reply to Mauro Matteo Cascella from comment #7)
> Hello Zixi,
>
> In reply to comment #5:
> > I have trouble to reproduce this bug, could you help about the steps of how
> > to get to read 252 bytes stack trace of iscsi_aio_ioctl_cb? Thanks in
> > advance.
>
> Unfortunately, we do not have any reproducer handy for this flaw. We may
> reach out to upstream, hopefully they can provide one.

Hi Mauro,

If it is hard to reproduce or it is not visible to user space, is it ok to just do regression test on this bug?
In reply to comment #8:
> If it is hard to reproduce or it is not visible to user space, is it ok to
> just do regression test on this bug?

Sounds like a good plan to me. Otherwise please let me know and I'll try to come up with a reproducer for this bug. Thank you.
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:0648 https://access.redhat.com/errata/RHSA-2021:0648
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11947
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1762 https://access.redhat.com/errata/RHSA-2021:1762