A NULL pointer dereference issue was found in the SCSI emulation support of QEMU. It could occur in the scsi_req_continue() function in hw/scsi/scsi-bus.c while handling the 'Information Transfer' command (CMD_TI) of the am53c974 SCSI host bus adapter. A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service condition.
Name: Cheolwoo Myung
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1909772]
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1909773]
In reply to comment #0:
> It could occur in the scsi_req_continue() function in
> hw/scsi/scsi-bus.c while handling the 'Information Transfer' command
> (CMD_TI) of the am53c974 SCSI host bus adapter.
More specifically, scsi_req_continue() accepts a 'req' pointer to SCSIRequest which is immediately used to access the 'req->io_canceled' field without any validation. The caller is responsible for passing a valid pointer to scsi_req_continue(). This is not the case for esp_do_dma() in hw/scsi/esp.c, which may call scsi_req_continue() with a NULL argument, leading to a subsequent NULL pointer dereference.
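An added example, not QEMU's code, that models the caller/callee contract described in the comment above as a stand-alone C program: a scsi_req_continue()-like callee that dereferences its argument unconditionally, an unguarded caller with the shape of the bug, and a guarded caller that rejects a NULL request before calling it. The struct layout, field names, return codes and the `_model`/`_guarded`/`_unguarded` function names are assumptions for illustration, not QEMU's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not QEMU source. It models the contract described in the
 * bug: the callee reads a field of 'req' without checking it, so a NULL
 * 'req' has to be rejected by the caller. All types, field names and
 * return codes below are assumed for illustration only.
 */

typedef struct SCSIRequest {
    bool io_canceled;   /* the field the callee reads first */
    int  resid;         /* bytes still to transfer (constructed state) */
} SCSIRequest;

typedef struct ESPState {
    SCSIRequest *current_req;   /* NULL when no command is in flight */
    int dma_len;                /* bytes the guest asked to move */
} ESPState;

/* Models scsi_req_continue(): by contract 'req' is valid, so it is
 * dereferenced unconditionally. With req == NULL the first line faults.
 * Returns 0 if the request was cancelled, 1 if the transfer advanced. */
static int scsi_req_continue_model(SCSIRequest *req, int len)
{
    if (req->io_canceled) {
        return 0;
    }
    req->resid -= len;
    return 1;
}

/* Unguarded caller: the shape of the bug. Reaching this path with no
 * request in flight makes the callee dereference NULL. */
static int esp_do_dma_unguarded(ESPState *s)
{
    return scsi_req_continue_model(s->current_req, s->dma_len);
}

/* Guarded caller: the check belongs here, not in the callee, because the
 * callee's contract is "req is valid". Returns -1 when there is nothing
 * to continue, otherwise the callee's result. */
static int esp_do_dma_guarded(ESPState *s)
{
    if (s->current_req == NULL) {
        return -1;
    }
    return scsi_req_continue_model(s->current_req, s->dma_len);
}

/* Scenarios over constructed state; each returns a checkable value. */

/* No command in flight: the guarded path refuses to continue. */
static int scenario_idle_controller(void)
{
    ESPState s = { .current_req = NULL, .dma_len = 16 };
    return esp_do_dma_guarded(&s);            /* -1 */
}

/* Active request: the transfer advances and resid drops by dma_len. */
static int scenario_active_request(void)
{
    SCSIRequest req = { .io_canceled = false, .resid = 64 };
    ESPState s = { .current_req = &req, .dma_len = 16 };
    if (esp_do_dma_guarded(&s) != 1) {
        return -99;
    }
    return req.resid;                         /* 48 */
}

/* Cancelled request: the callee's own io_canceled check stops it. */
static int scenario_cancelled_request(void)
{
    SCSIRequest req = { .io_canceled = true, .resid = 64 };
    ESPState s = { .current_req = &req, .dma_len = 16 };
    return esp_do_dma_guarded(&s);            /* 0 */
}

/* The unguarded caller is fine whenever the contract holds; only the
 * NULL case is a crash, which is why the missing check is easy to miss. */
static int scenario_unguarded_valid(void)
{
    SCSIRequest req = { .io_canceled = false, .resid = 64 };
    ESPState s = { .current_req = &req, .dma_len = 16 };
    if (esp_do_dma_unguarded(&s) != 1) {
        return -99;
    }
    return req.resid;                         /* 48 */
}

int main(void)
{
    printf("idle controller (guarded):       %d\n", scenario_idle_controller());
    printf("active request, resid after DMA: %d\n", scenario_active_request());
    printf("cancelled request:               %d\n", scenario_cancelled_request());
    printf("unguarded caller, valid request: %d\n", scenario_unguarded_valid());
    /* Deliberately not run: with current_req == NULL this faults.
     *   ESPState idle = { .current_req = NULL, .dma_len = 16 };
     *   esp_do_dma_unguarded(&idle);
     */
    return 0;
}
```

Build and run with `cc -Wall -o esp_null esp_null.c && ./esp_null`. The point of the split into an unguarded and a guarded caller is that the callee is correct as written for its stated contract; the defect is the caller reaching it from a guest-controlled path with no request in flight, so the fix goes in the caller rather than adding a NULL check inside the callee and hiding the state mismatch.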
This issue does not affect Red Hat Enterprise Linux, Red Hat OpenStack Platform and RHEL Advanced Virtualization, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation.
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1910723
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):