1808510 – (CVE-2020-12829) CVE-2020-12829 qemu: OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c

Bug 1808510 (CVE-2020-12829) - CVE-2020-12829 qemu: OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c

Summary: CVE-2020-12829 qemu: OOB read and write due to integer overflow in sm501_2d_o...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-12829
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1786026 (view as bug list)
Depends On:	1819670 1819639 1819640 1819641 1819643 1819645 1819669 1819671 1819694 1819695 1819701
Blocks:	1786593
TreeView+	depends on / blocked

Reported:	2020-02-28 17:11 UTC by Mauro Matteo Cascella
Modified:	2021-02-16 20:31 UTC (History)
CC List:	38 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An integer overflow flaw was found in the SM501 display driver implementation of the QEMU emulator. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2020-04-15 10:31:49 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2020-02-28 17:11:41 UTC

An out-of-bounds read/write vulnerability was found in function Sm501_2d_operation() in hw/display/sm501.c. The OOB flaw is caused by an integer overflow in COPY_AREA when the `rtl` parameter is set to 1, and either `src_y` or `src_x` is less than `operation_height`. Please refer to the following duplicate bug for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1786026.

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4

Comment 1 Mauro Matteo Cascella 2020-03-03 17:18:03 UTC

*** Bug 1786026 has been marked as a duplicate of this bug. ***

Comment 4 Mauro Matteo Cascella 2020-04-01 09:43:14 UTC

Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1819670]
Affects: fedora-all [bug 1819669]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1819671]

Comment 6 Mauro Matteo Cascella 2020-04-01 11:00:22 UTC

Acknowledgments:

Name: Ziming Zhang

Comment 12 Mauro Matteo Cascella 2020-04-15 08:26:04 UTC

Statement:

This flaw did not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, as they did not include the vulnerable code, which was introduced in a later version of the package.
Red Hat Enterprise Linux 7, 8 and RHEL Advanced Virtualization are not affected by this flaw, as the SM501 device is not built and shipped with the products listed.

Comment 15 Mauro Matteo Cascella 2020-05-14 07:51:12 UTC

CVE-2020-12829 assigned via MITRE form.

Note You need to log in before you can comment on or make changes to this bug.

1015138407
ailan
amit
areis
berrange
cfergeau
dbecker
drjones
dwmw2
imammedo
itamar
jen
jferlan
jforbes
jjoyce
jmaloy
jpadman
jschluet
kbasil
knoel
lhh
lkundrak
lpeer
m.a.young
mburns
mkenneth
mrezanin
mst
pbonzini
ribarry
rjones
robinlee.sysu
sclewis
slinaber
virt-maint
virt-maint
vkuznets
xen-maint