Key information
Bug ID: 2021869
CVE ID: CVE-2021-3947
Summary: QEMU: NVME: out-of-bounds memory read in nvme_changed_nslist
Status: CLOSED NOTABUG
Product: Security Response
Component: Vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium

Description
A stack buffer over-read flaw was found in the NVMe device emulation in QEMU. The flaw lies in hw/nvme/ctrl.c:nvme_changed_nslist(), where the Log Page Offset (a 64-bit value taken from the guest's Get Log Page command) is used to compute the transfer length as the size of the fixed 4096-byte stack buffer minus the offset. If the guest sets the offset to a value larger than 4096, the unsigned subtraction underflows to a huge value, so the bounds check that should have limited the transfer no longer does. Another variable is also partially controlled by the guest, and the copy from the device's stack buffer at the guest-supplied offset then reads past the end of that buffer. Because the data is copied from the device to guest memory, the out-of-bounds access is a read rather than a write: a malicious guest could use it to disclose sensitive information from the QEMU process's stack.

Related links and patches
Proposed upstream patch: https://lore.kernel.org/qemu-devel/20211111153125.2258176-1-philmd@redhat.com/
Final upstream fix (v3): https://lore.kernel.org/qemu-devel/20211117132335.41850-1-its@irrelevant.dk/
Fixed upstream: https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4
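The arithmetic described above, reduced to a self-contained illustration. This is an added example and not QEMU's code: it models the 4096-byte Changed Namespace List buffer as a 1024-entry uint32_t array (an assumption about the layout), takes the guest-controlled Log Page Offset and a guest-controlled requested length as parameters, and instead of performing the copy it reports where the copy would start and how many bytes it would transfer, so the out-of-bounds case can be observed without dereferencing anything. The vulnerable variant computes the transfer length exactly as the description says; the hardened variant rejects any offset at or past the end of the buffer before the subtraction, which is the check the description implies is missing. The function and field names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the Changed Namespace List is 1024 x uint32_t = 4096 bytes,
 * matching the 4096-byte figure in the bug description. */
#define NVME_NSLIST_ENTRIES 1024u
#define NVME_NSLIST_BYTES   (NVME_NSLIST_ENTRIES * sizeof(uint32_t))
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Simulated outcome of one Get Log Page request for the changed-nslist page. */
typedef struct {
    bool   rejected;       /* request refused with an error status, nothing copied */
    size_t src_offset;     /* byte offset into the stack buffer the copy would start at */
    size_t trans_len;      /* number of bytes that would be copied to the guest */
    bool   out_of_bounds;  /* would the copy touch memory past the 4096-byte buffer? */
} log_page_result;

/* Describe the copy without performing it. The bounds test is written so it
 * cannot itself overflow: it never computes off + trans_len. */
static log_page_result describe_copy(bool rejected, uint64_t off, size_t trans_len)
{
    log_page_result r = { rejected, (size_t)off, trans_len, false };
    if (!rejected) {
        r.out_of_bounds = off >= NVME_NSLIST_BYTES ||
                          trans_len > NVME_NSLIST_BYTES - off;
    }
    return r;
}

/* Vulnerable pattern: off is taken directly from the guest's command.
 * When off > 4096, sizeof(nslist) - off wraps to a huge unsigned value,
 * MIN() therefore picks the guest-chosen length, and the copy source
 * nslist + off lies beyond the end of the stack buffer. */
static log_page_result changed_nslist_vulnerable(uint64_t off, uint32_t buf_len)
{
    uint32_t nslist[NVME_NSLIST_ENTRIES];
    memset(nslist, 0, sizeof(nslist));

    size_t trans_len = MIN(sizeof(nslist) - off, (size_t)buf_len);
    return describe_copy(false, off, trans_len);
}

/* Hardened pattern: refuse any offset at or past the end of the buffer
 * before doing the subtraction, so the remaining length is always in
 * [0, sizeof(nslist)] and the copy cannot leave the buffer. */
static log_page_result changed_nslist_fixed(uint64_t off, uint32_t buf_len)
{
    uint32_t nslist[NVME_NSLIST_ENTRIES];
    memset(nslist, 0, sizeof(nslist));

    if (off >= sizeof(nslist)) {
        /* A real device would return an "invalid field" status here. */
        return describe_copy(true, off, 0);
    }
    size_t trans_len = MIN(sizeof(nslist) - off, (size_t)buf_len);
    return describe_copy(false, off, trans_len);
}
```

With an offset of 8192 and a requested length of 256, the vulnerable variant reports a 256-byte copy starting 4096 bytes past the end of the buffer, which is the stack disclosure the description refers to; the fixed variant rejects the same request, while in-range requests (for example offset 4000, length 256) are clamped to the 96 bytes that remain in the buffer in both variants.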