A use-after-free issue was found in `hw/scsi/lsi53c895a.c`, specifically in the `lsi_do_msgout` function. `lsi_do_msgout` receives the messages sent by the guest OS during the SCSI MSG OUT phase and acts on each one; in this phase a message is a single byte, so the function loops over the bytes the guest supplied, and state released while handling one byte is still visible to the handling of the next.
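To make the bug class concrete, the following C program is an added, constructed model of the MSG OUT loop described above; it is not QEMU's code. The request pool, the `alive` flag, the `touch()` helper and the message burst are all assumptions of the model: a real use-after-free is undefined behaviour, so the model counts touches of a freed request instead of reading freed memory. `do_msgout_vuln` snapshots the controller's current-request pointer once and keeps using that local copy after a cancel has freed the request; `do_msgout_fixed` clears the local copy as soon as the request is cancelled, which is the shape of the fix in the upstream commit linked below.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an LSI-style MSG OUT loop (not QEMU code).
 * Requests live in a fixed pool with an `alive` flag so that touching a
 * freed request is detected and counted rather than being undefined
 * behaviour, as it is in the real bug. */

#define MSG_NOP        0x08  /* SCSI NO OPERATION message byte */
#define MSG_ABORT_TAG  0x0d  /* SCSI ABORT TAG message byte */

enum { POOL_SLOTS = 4 };

typedef struct request {
    uint32_t tag;
    int alive;          /* pool bookkeeping: 1 while allocated, 0 after free */
} request;

typedef struct hba {
    request pool[POOL_SLOTS];
    request *current;   /* the controller's own pointer to the active request */
    int uaf_hits;       /* touches of a freed request observed by the model */
} hba;

static void hba_init(hba *s) {
    memset(s, 0, sizeof *s);
}

/* Start a request and make it the current one. Returns NULL when the pool is full. */
static request *hba_start_request(hba *s, uint32_t tag) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!s->pool[i].alive) {
            s->pool[i].tag = tag;
            s->pool[i].alive = 1;
            s->current = &s->pool[i];
            return s->current;
        }
    }
    return NULL;
}

/* Every access to a request goes through here, so an access after free
 * is counted instead of silently reading freed memory. */
static request *touch(hba *s, request *r) {
    if (!r->alive) {
        s->uaf_hits++;
    }
    return r;
}

/* Models the cancellation path: it frees the request and clears the HBA's
 * own pointer to it. A local copy held by the caller is not updated,
 * which is where the dangling pointer comes from. */
static void cancel_request(hba *s, request *r) {
    touch(s, r);
    if (s->current == r) {
        s->current = NULL;
    }
    r->alive = 0;
}

/* Vulnerable shape: current_req is snapshotted once and reused for every
 * message byte, even after a cancel has freed what it points to. */
static int do_msgout_vuln(hba *s, const uint8_t *msg, size_t len) {
    request *current_req = s->current;
    for (size_t i = 0; i < len; i++) {
        switch (msg[i]) {
        case MSG_ABORT_TAG:
            if (current_req) {
                /* second ABORT TAG in the burst: current_req is dangling */
                cancel_request(s, touch(s, current_req));
            }
            break;
        default:        /* other one-byte messages free nothing here */
            break;
        }
    }
    return s->uaf_hits;
}

/* Hardened shape: drop the local copy as soon as the request is gone, so a
 * repeated ABORT TAG in the same MSG OUT burst has nothing to dereference. */
static int do_msgout_fixed(hba *s, const uint8_t *msg, size_t len) {
    request *current_req = s->current;
    for (size_t i = 0; i < len; i++) {
        switch (msg[i]) {
        case MSG_ABORT_TAG:
            if (current_req) {
                cancel_request(s, touch(s, current_req));
                current_req = NULL;   /* the fix: forget the freed request */
            }
            break;
        default:
            break;
        }
    }
    return s->uaf_hits;
}

/* Drive either handler with a constructed guest message burst: ABORT TAG,
 * NOP, ABORT TAG. Returns how many times a freed request was touched. */
static int run_scenario(int hardened) {
    static const uint8_t burst[] = { MSG_ABORT_TAG, MSG_NOP, MSG_ABORT_TAG };
    hba s;
    hba_init(&s);
    hba_start_request(&s, 0x100);   /* constructed tag value */
    return hardened ? do_msgout_fixed(&s, burst, sizeof burst)
                    : do_msgout_vuln(&s, burst, sizeof burst);
}

int main(void) {
    printf("vulnerable handler: %d touch(es) of a freed request\n", run_scenario(0));
    printf("hardened handler:   %d touch(es) of a freed request\n", run_scenario(1));
    return 0;
}
```

The point the model isolates is that the callee which frees the request only knows about the controller's own pointer; any copy a caller holds across the free must be invalidated by the caller itself. The same check applies to every message byte that can cancel a request, not only to the one that first exposed the problem.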
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 2070900]
Affects: fedora-all [bug 2070902]

Created xen tracking bugs for this issue:
Affects: fedora-all [bug 2070899]
STAR Labs security advisory: https://starlabs.sg/advisories/22/22-0216.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0216
Upstream issue: https://gitlab.com/qemu-project/qemu/-/issues/972
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4