A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
Acknowledgments: Name: Cheolwoo Myung
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1910374] Created xen tracking bugs for this issue: Affects: fedora-all [bug 1910375]
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1909247
Statement: This issue does not affect the following products, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation: * Red Hat Enterprise Linux * Red Hat Enterprise Linux Advanced Virtualization * Red Hat OpenStack Platform
Patchset v4: https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html Upstream commits: https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701 https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99 https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3 https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89 https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9 https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93 https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
It is strongly recommended to apply all the commits listed above, to fix the numerous issues that were addressed in the patchset alongside this CVE. That being said, the specific commits strictly needed for this CVE should be the following ones: https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
External References: https://www.openwall.com/lists/oss-security/2021/04/16/3