Bug 1924042 (CVE-2021-3392) - CVE-2021-3392 QEMU: scsi: mptsas: use-after-free while processing io requests
Summary: CVE-2021-3392 QEMU: scsi: mptsas: use-after-free while processing io requests
Alias: CVE-2021-3392
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1924043
Blocks: 1908264 1939717
TreeView+ depends on / blocked
Reported: 2021-02-02 13:22 UTC by Prasad Pandit
Modified: 2021-08-04 08:14 UTC (History)
47 users (show)

Fixed In Version: qemu 6.0.0
Doc Type: ---
Doc Text:
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Last Closed: 2021-02-02 14:42:25 UTC

Attachments (Terms of Use)

Description Prasad Pandit 2021-02-02 13:22:04 UTC
A use-after-free issue was found in the Megaraid emulator of the QEMU. It occurs while processing SCSI i/o requests because in case of an error mptsas_free_request() does not dequeue request object 'req' from a pending requests' queue. Which later gets processed resulting in the said use-after-free issue. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Upstream patch:
  -> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html

Comment 1 Prasad Pandit 2021-02-02 13:22:14 UTC

Name: Cheolwoo Myung (Seoul National University)

Comment 3 Prasad Pandit 2021-02-02 13:24:47 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1924043]

Comment 4 Product Security DevOps Team 2021-02-02 14:42:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 5 Mauro Matteo Cascella 2021-02-02 16:00:08 UTC

This issue does not affect the versions of `qemu-kvm` as shipped with Red Hat products, as they do not include support for the LSI SAS1068 controller emulation.

Comment 6 Mauro Matteo Cascella 2021-04-20 07:29:06 UTC
Upstream fix:

Note You need to log in before you can comment on or make changes to this bug.