Headline
CVE-2021-3638: inconsistent check in ati_2d_blt() may lead to out-of-bounds write
An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
Description Mauro Matteo Cascella 2021-07-07 09:20:21 UTC
A flaw was found in the ATI VGA emulation of QEMU. An inconsistent check and use of dst_[x|y] and s->regs.dst_[x|y] may lead to out-of-bounds write of vram_ptr. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations from the guest. A malicious guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Note: this is similar to CVE-2020-11869, CVE-2020-24352 and CVE-2020-27616.
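The defect class described above (a bounds check that inspects one set of coordinates while the copy uses another) is illustrated below with an added C model; it is a hypothetical blit checker written for this page, not QEMU's ati_2d_blt(), and the VRAM size, pitch and pixel format are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model, not QEMU's ati_2d_blt(): the coordinates that are checked
 * must be exactly the ones the copy loop later uses to index VRAM. */
#define VRAM_SIZE (16u * 1024u * 1024u)   /* constructed: 16 MiB of guest VRAM */

struct blit_dst {
    uint32_t x, y;          /* destination origin in pixels (guest controlled) */
    uint32_t width, height; /* rectangle size in pixels (guest controlled) */
    uint32_t pitch, bpp;    /* bytes per scanline, bytes per pixel */
};

/* True only if every byte of the rectangle lies inside [0, vram_size). All sums
 * are 64-bit so guest-controlled 32-bit values cannot wrap around the check. */
bool blit_dst_in_bounds(const struct blit_dst *d, uint64_t vram_size)
{
    if (d->width == 0 || d->height == 0 || d->bpp == 0 || d->pitch == 0)
        return false;
    uint64_t row_end = ((uint64_t)d->x + d->width) * d->bpp;
    if (row_end > d->pitch || row_end > vram_size)
        return false; /* runs off the right edge of a scanline, or past VRAM */
    uint64_t last_row = (uint64_t)d->y + d->height - 1;
    /* last_row * pitch + row_end <= vram_size, written without overflow */
    return last_row <= (vram_size - row_end) / d->pitch;
}

/* Solid fill; the loop indexes VRAM with the same fields the check inspected,
 * so check and use cannot diverge. */
bool blit_fill(uint8_t *vram, uint64_t vram_size, const struct blit_dst *d, uint8_t v)
{
    if (!blit_dst_in_bounds(d, vram_size))
        return false;
    for (uint32_t row = 0; row < d->height; row++) {
        uint8_t *line = vram + ((uint64_t)d->y + row) * d->pitch + (uint64_t)d->x * d->bpp;
        memset(line, v, (size_t)d->width * d->bpp);
    }
    return true;
}

/* Self-check on a constructed 64-byte VRAM: 8-byte pitch, 1 byte per pixel. */
bool blit_fill_selftest(void)
{
    uint8_t vram[64] = {0};
    struct blit_dst d = { .x = 2, .y = 1, .width = 4, .height = 3, .pitch = 8, .bpp = 1 };
    if (!blit_fill(vram, sizeof vram, &d, 0xAA))
        return false;
    return vram[1 * 8 + 2] == 0xAA && vram[3 * 8 + 5] == 0xAA /* inside */
        && vram[1 * 8 + 6] == 0 && vram[4 * 8 + 2] == 0;       /* untouched */
}
```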
Comment 2 Mauro Matteo Cascella 2021-07-07 10:22:29 UTC
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1979882]
Comment 4 Salvatore Bonaccorso 2021-09-03 13:11:54 UTC
Has this issue been forwarded/notified to upstream?
Comment 5 Mauro Matteo Cascella 2021-09-03 17:14:37 UTC
In reply to comment #4:
> Has this issue been forwarded/notified to upstream?
Yes, this was reported upstream via qemu-security mailing list. The impact of this CVE is very minimal as the ati-vga device is still experimental and not really meant to be used in production environments. This may be the reason why it’s not been addressed so far. I’ll reach out to QEMU maintainer(s) to ask if they have any feedback about this.
Thanks.