QEMU: scsi: use-after-free in mptsas_process_scsi_io_request() of mptsas1068 emulator

Bug #1914236 reported by P J P on 2021-02-02
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Undecided
Unassigned

Bug Description

* Cheolwoo Myung of Seoul National University reported a use-after-free issue in the SCSI Megaraid
  emulator of the QEMU.

* It occurs while handling mptsas_process_scsi_io_request(), as it does not
  check a list in s->pending.

* This was found in version 5.2.0 (master)

==31872==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c000107568 at pc 0x564514950c7c bp 0x7fff524ef4b0 sp 0x7fff524ef4a0 WRITE of size 8 at 0x60c000107568 thread T0
#0 0x564514950c7b in mptsas_process_scsi_io_request ../hw/scsi/mptsas.c:306
#1 0x564514950c7b in mptsas_fetch_request ../hw/scsi/mptsas.c:775
#2 0x564514950c7b in mptsas_fetch_requests ../hw/scsi/mptsas.c:790
#3 0x56451585c25d in aio_bh_poll ../util/async.c:164
#4 0x5645158d7e7d in aio_dispatch ../util/aio-posix.c:381
#5 0x56451585be2d in aio_ctx_dispatch ../util/async.c:306
#6 0x7f1cc8af4416 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c416)
#7 0x56451583f059 in glib_pollfds_poll ../util/main-loop.c:221
#8 0x56451583f059 in os_host_main_loop_wait ../util/main-loop.c:244
#9 0x56451583f059 in main_loop_wait ../util/main-loop.c:520
#10 0x56451536b181 in qemu_main_loop ../softmmu/vl.c:1537
#11 0x5645143ddd3d in main ../softmmu/main.c:50
#12 0x7f1cc2650b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#13 0x5645143eece9 in _start
(/home/cwmyung/prj/hyfuzz/src/qemu-repro/build/qemu-system-i386+0x1d55ce9)

0x60c000107568 is located 104 bytes inside of 120-byte region
[0x60c000107500,0x60c000107578)
freed by thread T0 here:
#0 0x7f1cca9777a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x56451495008b in mptsas_process_scsi_io_request ../hw/scsi/mptsas.c:358
#2 0x56451495008b in mptsas_fetch_request ../hw/scsi/mptsas.c:775
#3 0x56451495008b in mptsas_fetch_requests ../hw/scsi/mptsas.c:790
#4 0x7fff524ef8bf (<unknown module>)

previously allocated by thread T0 here:
#0 0x7f1cca977d28 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
#1 0x7f1cc8af9b10 in g_malloc0
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51b10)
#2 0x7fff524ef8bf (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ../hw/scsi/mptsas.c:306
in mptsas_process_scsi_io_request
Shadow bytes around the buggy address:
0x0c1880018e50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880018e60: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c1880018e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1880018e80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880018e90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c1880018ea0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fa
0x0c1880018eb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1880018ec0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1880018ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880018ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880018ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31872==ABORTING

To reproduce this issue, please run the QEMU with the following command
line.

# To enable ASan option, please set configuration with the following command
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make

# To reproduce this issue, please run the QEMU process with the
following command line.
$ ./qemu-system-i386 -m 512 -drive
file=./hyfuzz.img,index=0,media=disk,format=raw -device
mptsas1068,id=scsi -device scsi-hd,drive=SysDisk -drive
id=SysDisk,if=none,file=./disk.img

CVE References

P J P (pjps) wrote :

CVE-2021-3392 assigned by Red Hat In.c

P J P (pjps) on 2021-02-02
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers