Description
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virtio_crypto_req_complete could be larger than the true size of the data which has been sent to the guest. Once virtqueue_push() finally calls dma_memory_unmap to unmap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
| Release | Status | Note |
|---|---|---|
| devel | deferred | 2025-10-29 |
| esm-infra-legacy/trusty | deferred | 2025-10-29 |
| esm-infra/bionic | deferred | 2025-10-29 |
| esm-infra/focal | deferred | 2025-10-29 |
| esm-infra/xenial | deferred | 2025-10-29 |
| focal | ignored | end of standard support, was deferred [2025-10-29] |
| jammy | deferred | 2025-10-29 |
| noble | deferred | 2025-10-29 |
| oracular | ignored | end of life, was deferred [2025-10-29] |
| plucky | deferred | 2025-10-29 |
3.8 Low
CVSS3