Bug 1909996 (CVE-2020-35506) - CVE-2020-35506 QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Summary: CVE-2020-35506 QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-35506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1910374 1910375
Blocks: 1907384
TreeView+ depends on / blocked
 
Reported: 2020-12-22 09:35 UTC by Mauro Matteo Cascella
Modified: 2021-04-16 15:25 UTC (History)
28 users (show)

Fixed In Version: qemu 6.0.0
Doc Type: ---
Doc Text:
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
Clone Of:
Environment:
Last Closed: 2020-12-22 13:31:04 UTC


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-12-22 09:35:16 UTC
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.

Comment 1 Mauro Matteo Cascella 2020-12-22 09:35:28 UTC
Acknowledgments:

Name: Cheolwoo Myung

Comment 5 Mauro Matteo Cascella 2020-12-23 16:14:54 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1910374]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1910375]

Comment 6 Mauro Matteo Cascella 2021-01-08 10:50:53 UTC
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1909247

Comment 7 Mauro Matteo Cascella 2021-04-14 12:53:52 UTC
Statement:

This issue does not affect the following products, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation:
* Red Hat Enterprise Linux
* Red Hat Enterprise Linux Advanced Virtualization
* Red Hat OpenStack Platform

Comment 9 Mauro Matteo Cascella 2021-04-16 09:30:53 UTC
It is strongly recommended to apply all the commits listed above, to fix the numerous issues that were addressed in the patchset alongside this CVE. That being said, the specific commits strictly needed for this CVE should be the following ones:
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9

Comment 10 Mauro Matteo Cascella 2021-04-16 15:25:19 UTC
External References:

https://www.openwall.com/lists/oss-security/2021/04/16/3


Note You need to log in before you can comment on or make changes to this bug.