Bug 1176810 (CVE-2020-25741)

Summary: VUL-1: CVE-2020-25741: kvm,qemu: fdc: null pointer dereference during r/w data transfer
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Dario Faggioli <dfaggioli>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: brogers, gianluca.gabrielli, jose.ziviani, security-team, smash_bz, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/268006/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25741:4.4:(AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-09-22 13:08:20 UTC
CVE-2020-25741:

A null pointer dereference issue was found in the floppy disk emulator of QEMU. It could occur while transferring data via the fdctrl_read_data() and fdctrl_write_data() routines, if the current drive has a null block pointer. A guest may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.

References:
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
https://bugzilla.redhat.com/show_bug.cgi?id=1881401
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25741
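Added illustration, not QEMU code and not the proposed patch: a constructed C model of the data-transfer path described above, where the selected drive slot has a NULL block pointer. It shows the unchecked shape that would dereference that pointer beside a check that turns the missing backend into a drive error. The names (Backend, Drive, Fdc, read_data_*) are stand-ins and do not reproduce QEMU's structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

/* Constructed stand-in for a block backend: a one-piece in-memory image. */
typedef struct { const uint8_t *data; size_t nsectors; } Backend;
/* A drive slot with no backend attached (blk == NULL) is the case the CVE describes. */
typedef struct { Backend *blk; size_t pos; } Drive;
typedef struct { Drive drives[2]; int cur; uint8_t fifo[SECTOR_SIZE]; int status_error; } Fdc;

static int backend_read(Backend *b, size_t sector, uint8_t *dst) {
    if (sector >= b->nsectors) return -1;            /* dereferences b unconditionally */
    memcpy(dst, b->data + sector * SECTOR_SIZE, SECTOR_SIZE);
    return 0;
}

/* Vulnerable shape: assumes the guest-selected drive always has a backend. */
static int read_data_unchecked(Fdc *f) {
    Drive *d = &f->drives[f->cur];
    if (backend_read(d->blk, d->pos, f->fifo) < 0) return -1; /* NULL blk -> crash */
    return f->fifo[0];
}

/* Hardened shape: a missing backend is reported as a drive error, not transferred. */
static int read_data_checked(Fdc *f) {
    Drive *d = &f->drives[f->cur];
    if (d->blk == NULL || backend_read(d->blk, d->pos, f->fifo) < 0) {
        f->status_error = 1;
        return -1;
    }
    return f->fifo[0];
}

/* Constructed scenario: drive 0 carries a one-sector image, drive 1 has nothing attached. */
static void setup(Fdc *f, Backend *b, int drive) {
    static const uint8_t image[SECTOR_SIZE] = { 0xAB };
    b->data = image; b->nsectors = 1;
    memset(f, 0, sizeof *f);
    f->drives[0].blk = b;
    f->cur = drive;
}
static int demo_read(int drive)  { Fdc f; Backend b; setup(&f, &b, drive); return read_data_checked(&f); }
static int demo_error(int drive) { Fdc f; Backend b; setup(&f, &b, drive); read_data_checked(&f); return f.status_error; }

int main(void) {
    printf("drive 0: %d (error=%d)\n", demo_read(0), demo_error(0));   /* 171 (error=0) */
    printf("drive 1: %d (error=%d)\n", demo_read(1), demo_error(1));   /* -1 (error=1) */
    (void)read_data_unchecked; /* would dereference NULL on drive 1; shown for contrast only */
    return 0;
}
```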
Comment 1 Wolfgang Frisch 2020-09-22 13:14:41 UTC
Affects all supported code streams.
The code in qemu-1.4.2 and older is slightly different, but also lacks the null pointer check.
Comment 4 Dario Faggioli 2023-03-07 22:17:11 UTC
This issue is rather old, and the proposed patch never made it upstream, nor was it replaced/superseded by any other one (i.e., the upstream code is still there and still looks the same way as it was looking back then, without this patch).

Shall we close it?