Bug 2036953 (CVE-2022-0216) - CVE-2022-0216 QEMU: use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c
Alias: CVE-2022-0216
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2070900 2070899 2070902
Blocks: 2054405 2064637
Reported: 2022-01-04 13:59 UTC by Pedro Sampaio
Modified: 2023-09-20 15:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Last Closed: 2022-04-01 12:25:19 UTC


Description Pedro Sampaio 2022-01-04 13:59:44 UTC
A use-after-free issue was found in `hw/scsi/lsi53c895a.c`, specifically in the `lsi_do_msgout` function. The `lsi_do_msgout` function is used to receive
messages from the OS and act on them. In this case, a message is only one byte in size.
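As an added illustration (not QEMU's code and not part of this report), a simplified C model of the bug class the doc text describes: a cancel message frees the adapter's current request but leaves the pointer dangling, so a second cancel message touches freed memory. All struct and function names here are hypothetical, and a `live` flag stands in for a real allocator so the freed-object access is reported deterministically instead of being undefined behaviour.

```c
/* Model of "repeated cancel messages -> use-after-free" beside the hardened
 * form. Hypothetical names; not the LSI53C895A emulation itself. */
#include <stdio.h>

#define MSG_ABORT 0x06   /* one-byte SCSI "Abort" message, used as the cancel */

struct req { int tag; int live; };      /* live == 0 means the object was freed */
struct hba { struct req *current; };    /* adapter state: the in-flight request */

static struct req pool[1];              /* one-slot stand-in for malloc/free */

static struct req *req_alloc(int tag) { pool[0].tag = tag; pool[0].live = 1; return &pool[0]; }
static void req_free(struct req *r) { r->live = 0; }   /* instrumented free */

/* Return codes: 1 = cancelled, 0 = nothing to cancel, -1 = freed object used */
static int msgout_vulnerable(struct hba *s, unsigned char msg)
{
    if (msg != MSG_ABORT) return 0;
    if (!s->current->live) return -1;   /* real code would dereference freed memory here */
    req_free(s->current);               /* frees, but the dangling pointer stays */
    return 1;
}

static int msgout_fixed(struct hba *s, unsigned char msg)
{
    if (msg != MSG_ABORT) return 0;
    if (!s->current) return 0;          /* repeated cancel: nothing in flight */
    if (!s->current->live) return -1;
    req_free(s->current);
    s->current = NULL;                  /* clear the pointer at the point of free */
    return 1;
}

/* Feed a constructed two-message sequence (cancel, cancel) to a handler. */
static int run(int (*handler)(struct hba *, unsigned char))
{
    struct hba s = { req_alloc(1) };
    const unsigned char msgs[] = { MSG_ABORT, MSG_ABORT };  /* constructed input */
    int last = 0;
    for (size_t i = 0; i < sizeof msgs; i++) last = handler(&s, msgs[i]);
    return last;
}

int main(void)
{
    printf("vulnerable handler: %d\n", run(msgout_vulnerable));  /* -1 */
    printf("fixed handler:      %d\n", run(msgout_fixed));       /* 0 */
    return 0;
}
```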

Comment 5 Mauro Matteo Cascella 2022-04-01 10:10:50 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2070900]
Affects: fedora-all [bug 2070902]

Created xen tracking bugs for this issue:

Affects: fedora-all [bug 2070899]

Comment 6 Mauro Matteo Cascella 2022-04-01 10:22:01 UTC
STAR Labs security advisory: https://starlabs.sg/advisories/22-0216.

Comment 7 Product Security DevOps Team 2022-04-01 12:25:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 8 Mauro Matteo Cascella 2022-04-08 20:14:59 UTC
Upstream issue:

Comment 9 Mauro Matteo Cascella 2022-08-01 12:09:27 UTC
Upstream commit:
