Bug 1213975 (CVE-2023-4135)

Summary:	VUL-0: CVE-2023-4135: kvm,qemu: NVMe: out-of-bounds read in nvme_fdp_events()
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Carlos López <carlos.lopez>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	cathy.hu, dfaggioli, security-team, stoyan.manolov
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/374190/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-4135:6.7:(AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Carlos López 2023-08-04 08:12:02 UTC

CVE-2023-4135

A heap out of bounds memory read was found in the virtual nvme device in QEMU. An offset provided by guest is not validated by qemu process before computing a host heap pointer, which is used for copying data back to guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.

ZDI security advisory:
https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00516.html

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4135
https://bugzilla.redhat.com/show_bug.cgi?id=2229101

Comment 1 Carlos López 2023-08-04 08:16:40 UTC

Affects:
- SUSE:ALP:Source:Standard:1.0/qemu
- openSUSE:Factory/qemu

Patch not merged yet.

Comment 2 Cathy Hu 2023-09-25 08:09:17 UTC

Patch is upstream now:
https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf

Comment 5 Dario Faggioli 2023-10-06 09:12:33 UTC

The fix is in 8.1, so we're done. Handing back