n0o.com - Personal archive of discovered vulns & writeups.

[CVE-2020-29443] QEMU: ide: atapi: OOB access while processing read


Reported on : 24 Aug 2020
Shipped on  : 1 Dec 2020
Type        : OOB read/write
In Function : ide_atapi_cmd_reply_end

You must enable AHCI to reproduce this bug.

From QEMU:

An out-of-bounds read access issue was found in the ATAPI emulator of QEMU. It occurs while processing an ATAPI read command if the logical block address (LBA) is set to an invalid value. A guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.

===============
PS: Actually this can also be an OOB write, and this can escape the VM. It's not an "only an OOB read" issue as they described. I gave them a detailed analysis and the PoC, and asked them to reply to me if there was anything I needed to explain to them. I mentioned this OOBW many times in the report, but anyway they just kept ignoring me, and wrote:

"The report skimped on the details"
"the buffer overrun is only a read"

So I gave up making any dissent after I saw their commit logs, but I'd like to clarify it here.
===============
https://www.openwall.com/lists/oss-security/2021/01/18/2