Bug 1114540

Summary: VUL-0: CVE-2018-16847: xen: qemu: nvme: Out-of-bounds r/w buffer access in cmb operations
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Charles Arnold <carnold>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: rfrohl, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/218536/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2018-11-02 17:55:46 UTC
+++ This bug was initially created as a clone of Bug #1114529 +++

rh#1644052

An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU.  It could occur in nvme_cmb_ops routines in nvme devices. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1644052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16847
http://seclists.org/oss-sec/2018/q4/124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html
Comment 1 Charles Arnold 2018-11-02 19:02:00 UTC
Support for Controller Memory Buffers (CMB) in the NVM Express Controller
driver for upstream Xen qemu was added in May of 2017.
See commit a896f7f26a1a0417322463439825073c1a917e41

This means that no shipping version of the upstream Xen qemu has the code
being patched by this fix. The upstream Xen qemu was dropped in SLE12-SP2.
SLE12-SP1 upstream Xen qemu pre-dates the existence of CMB in the driver.

So nothing on the Xen side to be patched. We can close this bug.
Comment 2 Marcus Meissner 2018-11-03 07:18:37 UTC
thx for checking!