Bug 1205131 - (CVE-2022-3872) VUL-0: CVE-2022-3872: kvm,qemu: sdhci: buffer data port register off-by-one read/write
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: E-mail List (Security Team bot)
URL: https://smash.suse.de/issue/347270/
Reported: 2022-11-07 10:16 UTC by Carlos López
Modified: 2023-01-12 08:53 UTC (History)
Found By: Security Response Team

Description Carlos López 2022-11-07 10:16:22 UTC
rh#2140567

An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2140567
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3872
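As an added illustration (not QEMU's sdhci.c and not code from this bug or the proposed patch), a simplified model of a byte-wise buffer data port read and write that refuses the data_count == block_size case before indexing the FIFO; all names (dp_model_t, dp_model_read, dp_model_write, FIFO_CAP) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#define FIFO_CAP 512u   /* hypothetical physical FIFO size in bytes */

/* Hypothetical simplified state: a block-sized FIFO walked byte by byte. */
typedef struct {
    uint8_t  fifo[FIFO_CAP];
    unsigned data_count;   /* index of the next byte to transfer */
    unsigned block_size;   /* guest-programmable bytes per block */
} dp_model_t;
/* Programs the block size, clamped so a block never exceeds the FIFO. */
static void dp_model_set_block_size(dp_model_t *s, unsigned block_size)
{
    s->block_size = block_size > FIFO_CAP ? FIFO_CAP : block_size;
}

/* Reads up to 'size' (1..4) bytes from the data port into *out, little
 * endian. Returns false when data_count is not strictly below block_size:
 * with data_count == block_size the access would hit fifo[block_size]. */
static bool dp_model_read(dp_model_t *s, unsigned size, uint32_t *out)
{
    uint32_t value = 0;
    if (size == 0 || size > 4 || s->data_count >= s->block_size) {
        return false;                  /* bounds check before any access */
    }
    for (unsigned i = 0; i < size && s->data_count < s->block_size; i++) {
        value |= (uint32_t)s->fifo[s->data_count++] << (i * 8);
    }
    if (s->data_count >= s->block_size) {
        s->data_count = 0;             /* block consumed: rewind for the next */
    }
    *out = value;
    return true;
}

/* Write direction, guarded the same way as the read path. */
static bool dp_model_write(dp_model_t *s, unsigned size, uint32_t value)
{
    if (size == 0 || size > 4 || s->data_count >= s->block_size) {
        return false;
    }
    for (unsigned i = 0; i < size && s->data_count < s->block_size; i++) {
        s->fifo[s->data_count++] = (uint8_t)(value >> (i * 8));
    }
    if (s->data_count >= s->block_size) {
        s->data_count = 0;
    }
    return true;
}
```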
Comment 1 Carlos López 2022-11-07 10:19:30 UTC
There are no commit references from Red Hat. The most similar fix I could find would be the one below, although it is not an off-by-one bug but a reentrancy issue:
https://gitlab.com/qemu-project/qemu/-/commit/799f7f0104a3f2e0fea06ee7b31a1c293cd7c948
Comment 2 Carlos López 2023-01-12 08:53:18 UTC
Proposed patch (not merged yet):
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html