2036953 – (CVE-2022-0216) CVE-2022-0216 QEMU: use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c

Bug 2036953 (CVE-2022-0216) - CVE-2022-0216 QEMU: use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c

Summary: CVE-2022-0216 QEMU: use-after-free in lsi_do_msgout function in hw/scsi/lsi53...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-0216
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2070900 2070899 2070902
Blocks:	2054405 2064637
TreeView+	depends on / blocked

Reported:	2022-01-04 13:59 UTC by Pedro Sampaio
Modified:	2024-03-29 09:18 UTC (History)
CC List:	34 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2022-04-01 12:25:19 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2022-01-04 13:59:44 UTC

A use after free issue was found in the `hw/scsi/lsi53c895a.c` specifically in `lsi_do_msgout` function. `lsi_do_msgout` function is used to receive
message from the OS, and do something based on that message. In this case, one message only has one-byte size.

Comment 5 Mauro Matteo Cascella 2022-04-01 10:10:50 UTC

Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2070900]
Affects: fedora-all [bug 2070902]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 2070899]

Comment 6 Mauro Matteo Cascella 2022-04-01 10:22:01 UTC

STAR Labs security advisory: https://starlabs.sg/advisories/22/22-0216.

Comment 7 Product Security DevOps Team 2022-04-01 12:25:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0216

Comment 8 Mauro Matteo Cascella 2022-04-08 20:14:59 UTC

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/972

Comment 9 Mauro Matteo Cascella 2022-08-01 12:09:27 UTC

Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4

Note You need to log in before you can comment on or make changes to this bug.

berrange
cfergeau
crobinso
dbecker
eglynn
gkamathe
jen
jferlan
jforbes
jjoyce
jmaloy
jschluet
knoel
lhh
lkundrak
lpeer
m.a.young
mburns
mkenneth
mrezanin
mst
ntait
ondrejj
pbonzini
philmd
ribarry
rjones
sclewis
security-response-team
slinaber
slong
spower
virt-maint
virt-maint