Bug 1205131 - (CVE-2022-3872) VUL-0: CVE-2022-3872: kvm,qemu: sdhci: buffer data port register off-by-one read/write
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Minor
Target Milestone: ---
Assigned To: E-mail List Security Team bot
Depends on:
Reported: 2022-11-07 10:16 UTC by Carlos López
Modified: 2023-01-12 08:53 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-11-07 10:16:22 UTC

An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
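
The following is a constructed C model of the failure mode described above, added to this bug entry as an illustration; it is not QEMU's hw/sd/sdhci.c, and the names sdport, FIFO_CAPACITY, sdport_read_dataport and sdport_write_dataport are hypothetical. It shows the invariant a data port access needs (data_count strictly less than block_size), why the state data_count == block_size indexes one byte past the block, and a guard that refuses the access before the buffer is touched. It goes slightly beyond the report by also modelling the cursor wrapping to the start of the block once the block is drained.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SDHCI-style buffer data port, added for this bug
 * entry; not QEMU's code. All names here are hypothetical. */
#define FIFO_CAPACITY 512u

typedef struct {
    uint8_t  fifo_buffer[FIFO_CAPACITY];
    uint32_t block_size;  /* bytes in the current block, 1..FIFO_CAPACITY */
    uint32_t data_count;  /* bytes of that block consumed so far */
} sdport;

/* Invariant for every byte access: data_count < block_size. The state named
 * in the report, data_count == block_size, violates it, so the check must run
 * before fifo_buffer is indexed, not only after data_count is advanced. */
static bool sdport_index_ok(const sdport *s)
{
    return s->block_size >= 1 && s->block_size <= FIFO_CAPACITY &&
           s->data_count < s->block_size;
}

/* Advance the cursor; once the block is drained, wrap to its start. */
static void sdport_advance(sdport *s)
{
    if (++s->data_count >= s->block_size) {
        s->data_count = 0;
    }
}

/* Read `size` (1..4) bytes, little-endian, into *value. Returns 0 on success
 * or -1, without touching the buffer, if the port state is out of bounds. */
int sdport_read_dataport(sdport *s, unsigned size, uint32_t *value)
{
    uint32_t v = 0;
    if (size < 1 || size > 4) {
        return -1;
    }
    for (unsigned i = 0; i < size; i++) {
        if (!sdport_index_ok(s)) {
            return -1;   /* rejects data_count == block_size before the load */
        }
        v |= (uint32_t)s->fifo_buffer[s->data_count] << (i * 8);
        sdport_advance(s);
    }
    *value = v;
    return 0;
}

/* Write `size` (1..4) bytes, little-endian, under the same guard. */
int sdport_write_dataport(sdport *s, unsigned size, uint32_t value)
{
    if (size < 1 || size > 4) {
        return -1;
    }
    for (unsigned i = 0; i < size; i++) {
        if (!sdport_index_ok(s)) {
            return -1;   /* rejects data_count == block_size before the store */
        }
        s->fifo_buffer[s->data_count] = (uint8_t)(value >> (i * 8));
        sdport_advance(s);
    }
    return 0;
}

/* Exercise the model on constructed data; returns the number of failed checks. */
int sdport_selfcheck(void)
{
    sdport s;
    uint32_t v = 0;
    int failures = 0;
    static const uint8_t block[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */

    memset(&s, 0, sizeof s);
    s.block_size = 8;
    memcpy(s.fifo_buffer, block, sizeof block);

    /* Two in-bounds reads drain the block and wrap the cursor to 0. */
    failures += !(sdport_read_dataport(&s, 4, &v) == 0 && v == 0x04030201u);
    failures += !(sdport_read_dataport(&s, 4, &v) == 0 && v == 0x08070605u);
    failures += !(s.data_count == 0);

    /* The off-by-one state from the report: both paths must refuse. */
    s.data_count = s.block_size;
    failures += !(sdport_read_dataport(&s, 1, &v) == -1);
    failures += !(sdport_write_dataport(&s, 1, 0xAA) == -1);

    /* A write crossing the block end wraps instead of overrunning. */
    s.data_count = 7;
    failures += !(sdport_write_dataport(&s, 2, 0xBBAA) == 0);
    failures += !(s.fifo_buffer[7] == 0xAA && s.fifo_buffer[0] == 0xBB &&
                  s.data_count == 1);
    return failures;
}

int main(void)
{
    int failed = sdport_selfcheck();
    printf("failed checks: %d\n", failed);
    return failed != 0;
}
```

The design point is where the guard sits: checking `data_count` only after incrementing it lets an access at `data_count == block_size` go through first, which is exactly the one-past-the-end read or write the report describes; checking before each byte access rejects that state with the buffer untouched.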

Comment 1 Carlos López 2022-11-07 10:19:30 UTC
There are no commit references from RedHat. The most similar fix I could find would be the one below, although it is not an off-by-one bug but a reentrancy issue:
Comment 2 Carlos López 2023-01-12 08:53:18 UTC
Proposed patch (not merged yet):