Bug 1909769 (CVE-2020-35505)

Summary: CVE-2020-35505 QEMU: NULL pointer dereference in do_busid_cmd() in hw/scsi/esp.c
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu 6.0.0 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-21 19:31:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1909770, 1909771    
Bug Blocks: 1907384    

Description Mauro Matteo Cascella 2020-12-21 15:09:48 UTC 
A NULL pointer dereference issue was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the do_busid_cmd() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service condition.
Comment 1 Mauro Matteo Cascella 2020-12-21 15:09:55 UTC 
Acknowledgments:

Name: Cheolwoo Myung
Comment 2 Mauro Matteo Cascella 2020-12-21 15:10:18 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1909770]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1909771]
Comment 4 Mauro Matteo Cascella 2020-12-21 16:22:31 UTC 
In reply to comment #0:
> It could occur in the do_busid_cmd() function in
> hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI).

More specifically, function do_busid_cmd() does not ensure that 's->current_dev' is a valid pointer to SCSIDevice. This pointer is used to access the 's->current_dev->id' field when finding a SCSI device through scsi_device_find().
Comment 5 Mauro Matteo Cascella 2020-12-22 09:54:51 UTC 
Statement:

This issue does not affect Red Hat Enterprise Linux, Red Hat OpenStack Platform and RHEL Advanced Virtualization, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation.
Comment 7 Mauro Matteo Cascella 2021-01-08 10:49:12 UTC 
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1910723
Comment 8 Mauro Matteo Cascella 2021-04-14 13:19:17 UTC 
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html

Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
Comment 9 Mauro Matteo Cascella 2021-04-16 09:12:24 UTC 
It is strongly recommended to apply all the commits listed above, to fix the numerous issues that were addressed in the patchset alongside this CVE. That being said, the specific commit strictly needed for this CVE should be the following one:
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
Comment 10 Mauro Matteo Cascella 2021-04-16 15:25:14 UTC 
External References:

https://www.openwall.com/lists/oss-security/2021/04/16/3