QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QEMU |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
This issue was reported by Cheolwoo Myung (Seoul National University).
Original report:
Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
am53c974 emulator of QEMU enabled ASan.
It occurs while transferring information, as it does not check the
buffer to be transferred.
A malicious guest user/process could use this flaw to crash the QEMU
process resulting in DoS scenario.
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following
$ ./configure --target-
$ make
# To reproduce this issue, please run the QEMU process with the following command line
$ ./qemu-system-i386 -m 512 -drive file=./
-device am53c974,id=scsi -device scsi-hd,
-drive id=SysDisk,
Please find attached the disk images to reproduce this issue.
CVE References
tags: | added: fuzzer |
Changed in qemu: | |
status: | Fix Released → Fix Committed |
Changed in qemu: | |
status: | Fix Committed → Fix Released |
RHBZ: https:/ /bugzilla. redhat. com/show_ bug.cgi? id=1909996