Bug 1145642 - (CVE-2019-12067) VUL-1: CVE-2019-12067: kvm,qemu: ide: ahci: add check to avoid null dereference
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/239444/
CVSSv3:SUSE:CVE-2019-12067:3.3:(AV:L/...
Reported: 2019-08-14 14:21 UTC by Marcus Meissner
Modified: 2021-04-02 17:52 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2019-08-14 14:21:50 UTC
CVE-2019-12067

https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01358.html

From: Prasad J Pandit <address@hidden>

The AHCI emulator, while committing a DMA buffer in ahci_commit_buf(),
may do a NULL dereference if the command header 'ad->cur_cmd'
is null. Add a check to avoid it.
Comment 1 Alexandros Toptsoglou 2019-08-23 13:47:23 UTC
It seems that the issue was introduced in version 2.2. Based on this, tracked as affected: SLE-12-SP1, SP2, SP3, SP4 and SLE15-GA, SP1.

No kvm ships a vulnerable qemu version
Comment 2 Bruce Rogers 2019-11-04 21:55:44 UTC
Upstream didn't agree with this change, as it seems that if there actually is an issue here, it needs to be fixed elsewhere. So for now, I won't apply this patch.
Comment 3 Claudio Fontana 2021-01-18 17:00:57 UTC
Should this be closed? Do we have an alternative approach working for upstream that we included?
Comment 4 Gianluca Gabrielli 2021-04-02 11:59:16 UTC
Hi Bruce, is there any update about this fix?
Comment 5 Bruce Rogers 2021-04-02 17:52:40 UTC
I don't see any follow up on this issue anywhere. It was pointed out that the fix associated with this CVE would indeed be different than the one proposed, and I see no evidence in the code that such a fix was ever applied to the upstream codebase.

We should close this as not an issue. Returning it to the security team.