Bug 1909769 (CVE-2020-35505) - CVE-2020-35505 QEMU: NULL pointer dereference in do_busid_cmd() in hw/scsi/esp.c
Summary: CVE-2020-35505 QEMU: NULL pointer dereference in do_busid_cmd() in hw/scsi/esp.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-35505
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1909770 1909771
Blocks: 1907384
TreeView+ depends on / blocked
 
Reported: 2020-12-21 15:09 UTC by Mauro Matteo Cascella
Modified: 2021-04-16 15:25 UTC (History)
28 users (show)

Fixed In Version: qemu 6.0.0
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-12-21 19:31:08 UTC


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-12-21 15:09:48 UTC
A NULL pointer dereference issue was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the do_busid_cmd() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this issue to crash the QEMU process on the host, resulting in a denial of service condition.

Comment 1 Mauro Matteo Cascella 2020-12-21 15:09:55 UTC
Acknowledgments:

Name: Cheolwoo Myung

Comment 2 Mauro Matteo Cascella 2020-12-21 15:10:18 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1909770]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1909771]

Comment 4 Mauro Matteo Cascella 2020-12-21 16:22:31 UTC
In reply to comment #0:
> It could occur in the do_busid_cmd() function in
> hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI).

More specifically, function do_busid_cmd() does not ensure that 's->current_dev' is a valid pointer to SCSIDevice. This pointer is used to access the 's->current_dev->id' field when finding a SCSI device through scsi_device_find().

Comment 5 Mauro Matteo Cascella 2020-12-22 09:54:51 UTC
Statement:

This issue does not affect Red Hat Enterprise Linux, Red Hat OpenStack Platform and RHEL Advanced Virtualization, as the `qemu-kvm` package does not include support for the am53c974 SCSI controller emulation.

Comment 7 Mauro Matteo Cascella 2021-01-08 10:49:12 UTC
Please refer to the following upstream bug for how to reproduce this issue: https://bugs.launchpad.net/qemu/+bug/1910723

Comment 9 Mauro Matteo Cascella 2021-04-16 09:12:24 UTC
It is strongly recommended to apply all the commits listed above, to fix the numerous issues that were addressed in the patchset alongside this CVE. That being said, the specific commit strictly needed for this CVE should be the following one:
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89

Comment 10 Mauro Matteo Cascella 2021-04-16 15:25:14 UTC
External References:

https://www.openwall.com/lists/oss-security/2021/04/16/3


Note You need to log in before you can comment on or make changes to this bug.