Bug 719266 (CVE-2020-11869) - <app-emulation/qemu-4.2.0-r6: Integer overflow in ati_2d_blt() in hw/display/ati-2d.c (CVE-2020-11869)
Summary: <app-emulation/qemu-4.2.0-r6: Integer overflow in ati_2d_blt() in hw/display/...
Status: RESOLVED FIXED
Alias: CVE-2020-11869
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-24 17:57 UTC by Sam James
Modified: 2020-05-04 01:39 UTC

See Also:
Package list:
app-emulation/qemu-4.2.0-r6 amd64 x86
Runtime testing required: ---
nattka: sanity-check+
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-24 17:57:04 UTC
Description:
"An integer overflow flaw was found in QEMU in the way it implemented the ATI VGA
emulation. This flaw occurs in the ati_2d_blt() routine while handling MMIO write
operations through ati_mm_write() callback. A malicious guest could abuse this
flaw to crash the QEMU process, resulting in a denial of service."

Patch: https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-24 17:57:32 UTC
@maintainer(s), please apply the provided patch
Comment 2 Larry the Git Cow gentoo-dev 2020-04-24 19:59:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5295c1235bc8f39e9b30c6c1671611f8602e969

commit e5295c1235bc8f39e9b30c6c1671611f8602e969
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-24 19:59:21 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-24 19:59:37 +0000

    app-emulation/qemu: fix int overflow in ati-2d, bug #719266
    
    Direct backport of upstream ac2071c3791b67fc7af78b8ceb
    "ati-vga: Fix checks in ati_2d_blt() to avoid crash"
    
    Bug: https://bugs.gentoo.org/719266
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 .../qemu/files/qemu-4.2.0-ati-vga-crash.patch      |  94 +++
 app-emulation/qemu/qemu-4.2.0-r6.ebuild            | 834 +++++++++++++++++++++
 2 files changed, 928 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-24 20:11:05 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 10:44:29 UTC
amd64 stable
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-25 22:49:30 UTC
Arches, please finish stabilizing x86
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-26 23:48:39 UTC
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-27 00:15:45 UTC
@maintainer(s), please cleanup
Comment 8 Larry the Git Cow gentoo-dev 2020-04-27 06:48:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea29697f54f95ce75abbd22e3935360be3f11189

commit ea29697f54f95ce75abbd22e3935360be3f11189
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-27 06:48:19 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-27 06:48:27 +0000

    app-emulation/qemu: drop old, bug #719266
    
    Bug: https://bugs.gentoo.org/719266
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-emulation/qemu/qemu-4.2.0-r5.ebuild | 833 --------------------------------
 1 file changed, 833 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-27 06:49:15 UTC
Thanks all!