Bug 744780

Summary: use-after-free in QEMU SCSI target code
Product: Red Hat Enterprise Linux 6 Reporter: Paolo Bonzini <pbonzini>
Component: qemu-kvmAssignee: Paolo Bonzini <pbonzini>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0CC: acathrow, ehabkost, juzhang, mjenner, mkenneth, pbonzini, syeghiay, tburke, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.202.el6 Doc Type: Bug Fix
Doc Text:
In rare cases, QEMU could handle a SCSI request by using it after its memory had been freed. This could lead to a segmentation fault. SCSI requests are used by QEMU as part of emulating USB mass storage devices.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 16:05:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 750914    

Description Paolo Bonzini 2011-10-10 12:56:16 UTC 
Description of problem:
I found a use-after-free in QEMU's SCSI target code.  Upstream it is easily triggered by ejecting a SCSI CD-ROM during anaconda's media test step.  No known reproducer for RHEL6 (we do not have SCSI CD-ROMs), but fixing it is a good idea anyway because it can be triggered by the guest just by cancelling SCSI commands.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.194.el6
Comment 2 Dor Laor 2011-10-10 17:17:20 UTC 
(In reply to comment #0)
> Description of problem:
> I found a use-after-free in QEMU's SCSI target code.  Upstream it is easily
> triggered by ejecting a SCSI CD-ROM during anaconda's media test step.  No
> known reproducer for RHEL6 (we do not have SCSI CD-ROMs), but fixing it is a
> good idea anyway because it can be triggered by the guest just by cancelling
> SCSI commands.
> 
> Version-Release number of selected component (if applicable):
> qemu-kvm-0.12.1.2-2.194.el6

Since we don't support scsi at all for now, how can this be effective? Shouldn't we wait for 6.3?
Comment 3 Paolo Bonzini 2011-10-11 08:16:24 UTC 
USB implies SCSI. :(
Comment 4 juzhang 2011-10-11 09:01:10 UTC 
> but fixing it is a
> good idea anyway because it can be triggered by the guest just by cancelling
> SCSI commands.
> 
Hi,Paolo

   Would you please provide a efficient way to reproduce this issue?as you mentioned that "can be triggered by the guest just by cancelling
SCSI commands."? please qe detailed steps? thanks
Comment 5 Paolo Bonzini 2011-10-11 10:02:18 UTC 
I don't have a reproducer for RHEL6 right now, but I can try.
Comment 11 juzhang 2011-10-27 06:20:45 UTC 
(In reply to comment #5)
> I don't have a reproducer for RHEL6 right now, but I can try.
Hi,Paolo

   Would you please tell me do you have any idea to reproduce this issue,thanks
Comment 12 Paolo Bonzini 2011-10-27 07:27:27 UTC 
Is it fine to reproduce it with additional patches to QEMU?
Comment 13 juzhang 2011-10-27 07:52:06 UTC 
(In reply to comment #12)
> Is it fine to reproduce it with additional patches to QEMU?
Sure,thanks
Comment 15 Eduardo Habkost 2011-10-28 17:59:06 UTC 
Moving to ON_QA because Errata Tool did not do it
Comment 17 juzhang 2011-11-01 03:22:02 UTC 
> known reproducer for RHEL6 (we do not have SCSI CD-ROMs), but fixing it is a
> good idea anyway because it can be triggered by the guest just by cancelling
> SCSI commands.
Hi,Paolo

Since rhel6 have no scsi-cd,so we can not trigger this issue directly.in rhel6.2,USB implies SCSI.so,our qe will do the following things to verify this issue,it's ok for you?
1.Do usb functional testing.
2.check whether this this patch is applied to rhel6.
Comment 18 juzhang 2011-11-07 02:24:09 UTC 
Since rhel6 have no scsi-cd,so we can not trigger this issue directly.in
rhel6.2,USB implies SCSI.so,our qe will do the following things to verify this
issue.
Verified this issue with qemu-kvm-0.12.1.2-2.207.el6
1.Do usb functional testing,did find regression issues.
https://tcms.engineering.redhat.com/run/29985/

2.check whether this this patch is applied to rhel6.
#rpm -qa --changelog qemu-kvm | grep  744780 
- kvm-scsi-fix-accounting-of-writes.patch [bz#744780]
- kvm-scsi-disk-bump-SCSIRequest-reference-count-until-aio.patch [bz#744780]
- Resolves: bz#744780
Comment 20 Paolo Bonzini 2011-11-17 17:34:50 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
In rare cases, QEMU could handle a SCSI request by using it after its memory had been freed.  This could lead to a segmentation fault.  SCSI requests are used by QEMU as part of emulating USB mass storage devices.
Comment 21 errata-xmlrpc 2011-12-06 16:05:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html