Bugzilla – Bug 1145642
VUL-1: CVE-2019-12067: kvm,qemu: ide: ahci: add check to avoid null dereference
Last modified: 2021-04-02 17:52:40 UTC
From: Prasad J Pandit <address@hidden>
AHCI emulator while committing DMA buffer in ahci_commit_buf()
may do a NULL dereference if the command header 'ad->cur_cmd'
is null. Add check to avoid it.
It seems that the issue was introduced in version 2.2. Based on this, tracked as affected: SLE-12-SP1, SP2, SP3, SP4 and SLE15-GA, SP1.
No kvm ships a vulnerable qemu version
Upstream didn't agree with this change, as it seems that if there actually is an issue here, it needs to be fixed elsewhere. So for now, I won't apply this patch.
Should this be closed? Do we have an alternative approach working for upstream that we included?
Hi Bruce, is there any update about this fix?
I don't see any follow-up on this issue anywhere. It was pointed out that the fix associated with this CVE would indeed be different than the one proposed, and I see no evidence in the code that such a fix was ever applied to the upstream codebase.
We should close this as not an issue. Returning back to the security team.