An out-of-bounds read/write vulnerability was found in function `sm501_2d_operation()` in hw/display/sm501.c. The OOB flaw is caused by an integer overflow in COPY_AREA when the `rtl` parameter is set to 1, and either `src_y` or `src_x` is less than `operation_height`.
Please refer to the following duplicate bug for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1786026
Upstream fix: https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
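The index wrap described in the report above, next to one way to reject such a rectangle before any pixel is copied, as an added example that is not part of the original report and not QEMU's code. The index formula, the function names and the 64x48 buffer are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a right-to-left source index (assumed shape, not
 * QEMU's code): the walk goes up and left from (src_x, src_y), so the
 * unsigned subtraction wraps once y > src_y or x > src_x. */
static uint32_t rtl_index_unchecked(uint32_t src_x, uint32_t src_y,
                                    uint32_t x, uint32_t y,
                                    uint32_t pitch, uint32_t bpp)
{
    return ((src_y - y) * pitch + src_x - x) * bpp;
}

/* Validate the whole rectangle once, before any pixel is touched. */
static bool rtl_rect_in_bounds(uint32_t src_x, uint32_t src_y,
                               uint32_t width, uint32_t height,
                               uint32_t pitch, uint32_t bpp, size_t buf_len)
{
    if (width == 0 || height == 0 || bpp == 0 || src_x >= pitch)
        return false;
    /* Stepping back by (extent - 1) must not go below coordinate 0. */
    if (src_x < width - 1 || src_y < height - 1)
        return false;
    /* The start pixel is the highest address; compare in pixels, 64-bit,
     * dividing the buffer length so no multiplication can overflow. */
    uint64_t pixels_needed = (uint64_t)src_y * pitch + src_x + 1;
    return pixels_needed <= (uint64_t)buf_len / bpp;
}

int main(void)
{
    const size_t vram = 64 * 48;   /* constructed 64x48 buffer, 1 byte/pixel */
    /* Constructed case: 4x4 right-to-left copy starting at (2, 1). */
    printf("unchecked index at y=3: 0x%08x\n",
           (unsigned)rtl_index_unchecked(2, 1, 0, 3, 64, 1));
    printf("(2,1) 4x4 accepted: %d\n",
           rtl_rect_in_bounds(2, 1, 4, 4, 64, 1, vram));
    printf("(10,10) 4x4 accepted: %d\n",
           rtl_rect_in_bounds(10, 10, 4, 4, 64, 1, vram));
    return 0;
}
```

The unchecked index for the constructed case lands far beyond the 3072-byte buffer, while the up-front check rejects the rectangle without entering the loop.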
*** Bug 1786026 has been marked as a duplicate of this bug. ***
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 1819670]
Affects: fedora-all [bug 1819669]
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1819671]
Acknowledgments: Name: Ziming Zhang
Statement: This flaw did not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, as they did not include the vulnerable code, which was introduced in a later version of the package. Red Hat Enterprise Linux 7, 8 and RHEL Advanced Virtualization are not affected by this flaw, as the SM501 device is not built and shipped with the products listed.
CVE-2020-12829 assigned via MITRE form.