Bug 1909766 (CVE-2020-35504) - CVE-2020-35504 QEMU: NULL pointer dereference in scsi_req_continue() in hw/scsi/scsi-bus.c
Summary: CVE-2020-35504 QEMU: NULL pointer dereference in scsi_req_continue() in hw/sc...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-35504
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1909772 1909773
Blocks: 1907384
Reported: 2020-12-21 15:04 UTC by Mauro Matteo Cascella
Modified: 2021-02-22 18:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-01-08 12:27:42 UTC



Description Mauro Matteo Cascella 2020-12-21 15:04:21 UTC
A NULL pointer dereference issue was found in the SCSI emulation support of QEMU. It could occur in the scsi_req_continue() function in hw/scsi/scsi-bus.c while handling the 'Information Transfer' command (CMD_TI) of the am53c974 SCSI host bus adapter. A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service condition.

Comment 1 Mauro Matteo Cascella 2020-12-21 15:04:27 UTC
Acknowledgments:

Name: Cheolwoo Myung

Comment 2 Mauro Matteo Cascella 2020-12-21 15:10:41 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1909772]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1909773]

Comment 3 Mauro Matteo Cascella 2020-12-21 16:05:54 UTC
In reply to comment #0:
> It could occur in the scsi_req_continue() function in
> hw/scsi/scsi-bus.c while handling the 'Information Transfer' command
> (CMD_TI) of the am53c974 SCSI host bus adapter.

More specifically, scsi_req_continue() accepts a 'req' pointer to SCSIRequest which is immediately used to access the 'req->io_canceled' field without any validation. The caller is responsible for passing a valid pointer to scsi_req_continue(). This is not the case for esp_do_dma() in hw/scsi/esp.c, which may call scsi_req_continue() with a NULL argument, leading to a subsequent NULL pointer dereference.
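
Added illustration, not QEMU's code and not the upstream patch: a minimal C model of the call contract described in comment 3, with an unchecked caller in the shape the report describes beside a guarded one. The struct fields and every function and helper name below are assumptions standing in for the real scsi_req_continue() and esp_do_dma().

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-in for QEMU's SCSIRequest with only the field the report mentions (assumption). */
typedef struct SCSIRequest {
    bool io_canceled;
    int continued;              /* times the request was continued */
} SCSIRequest;

/* Model of scsi_req_continue(): req is dereferenced unconditionally, so the
 * contract is on the caller never to pass NULL, as comment 3 describes. */
static void scsi_req_continue(SCSIRequest *req)
{
    if (req->io_canceled) {
        return;
    }
    req->continued++;
}

/* Shape of the flaw: the adapter's current request (NULL when no command is
 * in flight) is forwarded unchecked, so scsi_req_continue(NULL) crashes QEMU. */
static void esp_do_dma_unchecked(SCSIRequest *current_req)
{
    scsi_req_continue(current_req);
}

/* Guarded variant: validate at the call site and treat a transfer with
 * nothing in flight as a no-op. Returns whether a request was continued. */
static bool esp_do_dma_checked(SCSIRequest *current_req)
{
    if (current_req == NULL) {
        return false;
    }
    scsi_req_continue(current_req);
    return true;
}

/* Constructed scenarios: with a live request both callers behave the same;
 * only the guarded one survives the no-request case. */
static int continue_with_active_request(void)
{
    SCSIRequest req = { .io_canceled = false, .continued = 0 };
    esp_do_dma_unchecked(&req);
    esp_do_dma_checked(&req);
    return req.continued;       /* 2 */
}

static bool continue_with_no_request(void)
{
    return esp_do_dma_checked(NULL);   /* false: guard fired, no dereference */
}
```

Calling esp_do_dma_unchecked(NULL) is deliberately absent from the scenarios; it would reproduce the crash the report describes, which is the point the guard removes.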

Comment 5 Mauro Matteo Cascella 2021-01-08 10:41:00 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux, Red Hat OpenStack Platform and RHEL Advanced Virtualization, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation.

Comment 6 Mauro Matteo Cascella 2021-01-08 10:48:50 UTC
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1910723

Comment 7 Product Security DevOps Team 2021-01-08 12:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35504

