1924042 – (CVE-2021-3392) CVE-2021-3392 QEMU: scsi: mptsas: use-after-free while processing io requests

Bug 1924042 (CVE-2021-3392) - CVE-2021-3392 QEMU: scsi: mptsas: use-after-free while processing io requests

Summary: CVE-2021-3392 QEMU: scsi: mptsas: use-after-free while processing io requests

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-3392
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1924043
Blocks:	1908264 1939717
TreeView+	depends on / blocked

Reported:	2021-02-02 13:22 UTC by Prasad Pandit
Modified:	2021-08-04 08:14 UTC (History)
CC List:	47 users (show)
Fixed In Version:	qemu 6.0.0
Doc Type:	---
Doc Text:	A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2021-02-02 14:42:25 UTC
Embargoed:

Attachments	(Terms of Use)

Description Prasad Pandit 2021-02-02 13:22:04 UTC

A use-after-free issue was found in the Megaraid emulator of the QEMU. It occurs while processing SCSI i/o requests because in case of an error mptsas_free_request() does not dequeue request object 'req' from a pending requests' queue. Which later gets processed resulting in the said use-after-free issue. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html

Comment 1 Prasad Pandit 2021-02-02 13:22:14 UTC

Acknowledgments:

Name: Cheolwoo Myung (Seoul National University)

Comment 3 Prasad Pandit 2021-02-02 13:24:47 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1924043]

Comment 4 Product Security DevOps Team 2021-02-02 14:42:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3392

Comment 5 Mauro Matteo Cascella 2021-02-02 16:00:08 UTC

Statement:

This issue does not affect the versions of `qemu-kvm` as shipped with Red Hat products, as they do not include support for the LSI SAS1068 controller emulation.

Comment 6 Mauro Matteo Cascella 2021-04-20 07:29:06 UTC

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d

Note You need to log in before you can comment on or make changes to this bug.

acaringi
ailan
berrange
bhu
bmasney
brdeoliv
cfergeau
dbecker
dhoward
drjones
dvlasenk
fhrbata
hkrzesin
imammedo
itamar
jen
jferlan
jforbes
jjoyce
jmaloy
jschluet
jshortt
jstancek
knoel
lhh
lpeer
m.a.young
mburns
mkenneth
mrezanin
mst
nmurray
ondrejj
pbonzini
philmd
ptalbert
ribarry
rjones
robinlee.sysu
rvrbovsk
sclewis
slinaber
virt-maint
virt-maint
vkuznets
walters
xen-maint