Bug 2036953 (CVE-2022-0216)

Summary: CVE-2022-0216 QEMU: use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: berrange, cfergeau, crobinso, dbecker, eglynn, gkamathe, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ntait, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, slong, spower, virt-maint, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-01 12:25:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2070900, 2070899, 2070902
Bug Blocks: 2054405, 2064637

Description Pedro Sampaio 2022-01-04 13:59:44 UTC
A use-after-free issue was found in `hw/scsi/lsi53c895a.c`, specifically in the `lsi_do_msgout` function. The `lsi_do_msgout` function is used to receive messages from the OS and do something based on each message. In this case, one message is only one byte in size.

Comment 5 Mauro Matteo Cascella 2022-04-01 10:10:50 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2070900]
Affects: fedora-all [bug 2070902]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 2070899]

Comment 6 Mauro Matteo Cascella 2022-04-01 10:22:01 UTC
STAR Labs security advisory: https://starlabs.sg/advisories/22/22-0216.

Comment 7 Product Security DevOps Team 2022-04-01 12:25:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0216

Comment 8 Mauro Matteo Cascella 2022-04-08 20:14:59 UTC
Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/972

Comment 9 Mauro Matteo Cascella 2022-08-01 12:09:27 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4