Bug 1909766 (CVE-2020-35504)

Summary: CVE-2020-35504 QEMU: NULL pointer dereference in scsi_req_continue() in hw/scsi/scsi-bus.c
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: berrange, cfergeau, dbecker, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qemu 6.0.0
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-08 12:27:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1909772, 1909773
Bug Blocks: 1907384

Description Mauro Matteo Cascella 2020-12-21 15:04:21 UTC
A NULL pointer dereference issue was found in the SCSI emulation support of QEMU. It could occur in the scsi_req_continue() function in hw/scsi/scsi-bus.c while handling the 'Information Transfer' command (CMD_TI) of the am53c974 SCSI host bus adapter. A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service condition.

Comment 1 Mauro Matteo Cascella 2020-12-21 15:04:27 UTC
Acknowledgments:

Name: Cheolwoo Myung

Comment 2 Mauro Matteo Cascella 2020-12-21 15:10:41 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1909772]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1909773]

Comment 3 Mauro Matteo Cascella 2020-12-21 16:05:54 UTC
In reply to comment #0:
> It could occur in the scsi_req_continue() function in
> hw/scsi/scsi-bus.c while handling the 'Information Transfer' command
> (CMD_TI) of the am53c974 SCSI host bus adapter.

More specifically, scsi_req_continue() accepts a 'req' pointer to SCSIRequest which is immediately used to access the 'req->io_canceled' field without any validation. The caller is responsible for passing a valid pointer to scsi_req_continue(). This is not the case for esp_do_dma() in hw/scsi/esp.c, which may call scsi_req_continue() with a NULL argument, leading to a subsequent NULL pointer dereference.
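The caller/callee contract described in comment 3, shown as an added, simplified model in C. This is not QEMU's code: the struct layouts, the `model_` functions and the byte counts are constructed for illustration, and only the names `current_req`, `io_canceled` and the two function roles mirror the report. The unguarded handler reproduces the unsafe shape (callee trusts the pointer, caller hands it over unchecked); the guarded handler enforces the contract at the caller, which turns a guest-triggerable process crash into an ignored command.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the request object: the callee reads io_canceled
 * first, exactly the access the report says happens without validation. */
typedef struct SCSIRequest {
    bool io_canceled;
    size_t transferred;      /* constructed bookkeeping for this model */
} SCSIRequest;

/* Constructed model of the adapter state: current_req is NULL whenever no
 * request is in flight, e.g. after completion or cancellation. */
typedef struct ESPState {
    SCSIRequest *current_req;
    size_t dma_len;
} ESPState;

/* Contract: req must be non-NULL; the callee does not check it, as the
 * report describes for scsi_req_continue(). Returns true if data moved. */
bool model_scsi_req_continue(SCSIRequest *req, size_t len)
{
    if (req->io_canceled) {  /* a NULL req faults on this load */
        return false;
    }
    req->transferred += len;
    return true;
}

/* Unguarded DMA handler (the unsafe shape): a transfer command issued
 * while no request is in flight reaches the callee with NULL. */
bool model_esp_do_dma_unguarded(ESPState *s)
{
    return model_scsi_req_continue(s->current_req, s->dma_len);
}

/* Guarded DMA handler: the caller enforces the callee's precondition and
 * drops the command instead of dereferencing NULL. */
bool model_esp_do_dma_guarded(ESPState *s)
{
    if (s->current_req == NULL) {
        return false;        /* nothing to continue; ignore the command */
    }
    return model_scsi_req_continue(s->current_req, s->dma_len);
}

/* Guarded handler invoked with no request in flight; must return false
 * without touching any request memory. */
bool model_dma_with_no_request(void)
{
    ESPState s = { .current_req = NULL, .dma_len = 16 };
    return model_esp_do_dma_guarded(&s);
}

/* Drive the guarded handler through both states a DMA callback can see:
 * request in flight, then request cleared. Returns bytes transferred. */
size_t model_run(void)
{
    SCSIRequest req = { .io_canceled = false, .transferred = 0 };
    ESPState s = { .current_req = &req, .dma_len = 512 };

    model_esp_do_dma_guarded(&s);    /* in flight: 512 bytes moved */

    s.current_req = NULL;            /* completed/cancelled */
    model_esp_do_dma_guarded(&s);    /* safe: returns false, moves nothing */
    /* model_esp_do_dma_unguarded(&s) would dereference NULL here */

    return req.transferred;
}

int main(void)
{
    printf("guarded path transferred %zu bytes\n", model_run());
    printf("no request in flight -> %s\n",
           model_dma_with_no_request() ? "continued" : "dropped");
    return 0;
}
```

The useful property for a defender is that the guard lives at the boundary where the invariant can actually be lost (the adapter's notion of a current request), not inside the generic SCSI layer that has no way to know why its pointer is NULL.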

Comment 5 Mauro Matteo Cascella 2021-01-08 10:41:00 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux, Red Hat OpenStack Platform and RHEL Advanced Virtualization, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation.

Comment 6 Mauro Matteo Cascella 2021-01-08 10:48:50 UTC
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1910723

Comment 7 Product Security DevOps Team 2021-01-08 12:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35504

Comment 9 Mauro Matteo Cascella 2021-04-16 09:11:37 UTC
It is strongly recommended to apply all the commits listed above, to fix the numerous issues that were addressed in the patchset alongside this CVE. That being said, the specific commit strictly needed for this CVE should be the following one:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701

Comment 10 Mauro Matteo Cascella 2021-04-16 15:25:10 UTC
External References:

https://www.openwall.com/lists/oss-security/2021/04/16/3