A heap-based buffer overflow vulnerability was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi-block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial-of-service condition, or potentially execute arbitrary code with the privileges of the QEMU process on the host.
Acknowledgments: Name: Alexander Bulekov
Statement: This flaw did not affect the following versions of QEMU as they did not include support for SDHCI device emulation:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.
* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7, 8, and RHEL Advanced Virtualization.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-17380
Upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
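As an added illustration of the defect class described above (a guest-controlled block size driving repeated copies into a fixed-size buffer), here is a deliberately simplified C model of a multi-block SDMA loop in which the block size is validated against the buffer's capacity before every copy. This is constructed example code, not QEMU's sdhci.c and not the upstream patch linked above; the type `sd_ctrl_t`, the constants `FIFO_SIZE` and `MAX_BLKCNT`, and the helpers `card_read_block` and `dma_write` are all assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the model; not QEMU's real SDHCI constants. */
#define FIFO_SIZE   512u
#define MAX_BLKCNT  65535u

/* Hypothetical, heavily simplified host-controller state (not QEMU's SDHCIState). */
typedef struct {
    uint8_t  fifo[FIFO_SIZE];   /* fixed-size bounce buffer each block is copied into */
    uint32_t blksize;           /* guest-programmable block size register */
    uint32_t blkcnt;            /* guest-programmable block count register */
    uint64_t sdma_addr;         /* guest physical address the DMA writes to */
    bool     data_active;       /* a multi-block transfer is in progress */
    size_t   bytes_dma_written; /* model of the DMA sink, kept for verification */
} sd_ctrl_t;

/* Simulated card read: fills the next block with a recognisable pattern. */
static void card_read_block(uint8_t *dst, uint32_t len, uint32_t blk_index) {
    memset(dst, (int)(blk_index & 0xff), len);
}

/* Simulated DMA sink: in a real emulator this would be a guest-memory write. */
static void dma_write(sd_ctrl_t *s, const uint8_t *src, uint32_t len) {
    (void)src;
    s->sdma_addr += len;
    s->bytes_dma_written += len;
}

/*
 * The check a hardened SDMA loop needs: the block size that drives each copy
 * into s->fifo is validated against the buffer's real capacity before the
 * copy, instead of being trusted from the register value alone.
 */
static bool sdma_block_size_ok(const sd_ctrl_t *s) {
    return s->blksize != 0 && s->blksize <= FIFO_SIZE;
}

/*
 * Multi-block SDMA transfer (card -> fifo -> guest memory) with the bounds
 * check applied on every iteration. Returns the number of bytes transferred,
 * or -1 if the transfer was refused. Re-checking per block matters because
 * the block size register is guest-writable and could change while the
 * transfer is still running.
 */
static long sdma_transfer_multi_blocks(sd_ctrl_t *s) {
    if (s->blkcnt == 0 || s->blkcnt > MAX_BLKCNT) return -1;
    s->data_active = true;
    long total = 0;
    for (uint32_t i = 0; s->blkcnt > 0; i++, s->blkcnt--) {
        if (!sdma_block_size_ok(s)) {      /* refuse before touching the fifo */
            s->data_active = false;
            return -1;
        }
        card_read_block(s->fifo, s->blksize, i);
        dma_write(s, s->fifo, s->blksize);
        total += s->blksize;
    }
    s->data_active = false;
    return total;
}

/* Scenario 1: an in-range block size, four blocks -> 2048 bytes moved. */
long demo_valid_transfer(void) {
    sd_ctrl_t s = {0};
    s.blksize = 512;
    s.blkcnt = 4;
    return sdma_transfer_multi_blocks(&s);
}

/* Scenario 2: a block size larger than the fifo -> refused, nothing copied. */
long demo_oversized_transfer(void) {
    sd_ctrl_t s = {0};
    s.blksize = 1024;   /* exceeds FIFO_SIZE; an unchecked loop would overrun s.fifo */
    s.blkcnt = 1;
    long r = sdma_transfer_multi_blocks(&s);
    return (r == -1 && s.bytes_dma_written == 0) ? -1 : 0;
}

int main(void) {
    printf("valid transfer: %ld bytes\n", demo_valid_transfer());
    printf("oversized block size refused: %s\n",
           demo_oversized_transfer() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the model is where the check sits: inside the loop, immediately before each copy into the fixed buffer, so that a register value the guest can rewrite at any time is never trusted across iterations.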
Is this just a duplicate of CVE-2020-25085?
In reply to comment #10:
> Is this just a duplicate of CVE-2020-25085?

Yeah, looks like they are very similar. Apparently, CVE-2020-25085 is caused by an issue in the SDHC_BLKSIZE case [1], while this CVE deals with multi-block SDMA (sdhci_sdma_transfer_multi_blocks). As far as I understand, what seems to be the patch for CVE-2020-25085 [2] does not fix this CVE. And the patch for this CVE (comment 9) has not been merged upstream. So in a sense it's reasonable to keep them separate. In any case, I'm also noticing that bug 1892960 [3] is still reproducible upstream, which is very strange. I will need to investigate further, as I may be wrong...

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-25085
[2] https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg00303.html
[3] https://bugs.launchpad.net/qemu/+bug/1892960
Hi. FYI the confusion between the 2 CVEs led https://ubuntu.com/security/CVE-2020-17380 to be fixed using [2]. If there's a fix, it might make sense to request a new CVE so it makes it to the distros.
FYI: https://lists.nongnu.org/archive/html/qemu-devel/2021-02/msg03102.html

> If there's a fix, it might make sense to request a new CVE so it makes it to
> the distros.

Agreed, will request/assign a new CVE for this. Thank you.
CVE-2021-3409 assigned. Please refer to BZ#1928146 for further updates, most notably upstream patch(es) when they get finalized.