QEMU: scsi: use-after-free in mptsas_process_scsi_io_request() of mptsas1068 emulator
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Fix Released | Undecided | Unassigned | |
Bug Description
* Cheolwoo Myung of Seoul National University reported a use-after-free issue in the SCSI Megaraid emulator of QEMU.
* It occurs while handling mptsas_
check a list in s->pending.
* This was found in version 5.2.0 (master).
```text
==31872==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c000107568 at pc 0x564514950c7c bp 0x7fff524ef4b0 sp 0x7fff524ef4a0 WRITE of size 8 at 0x60c000107568 thread T0
#0 0x564514950c7b in mptsas_
#1 0x564514950c7b in mptsas_
#2 0x564514950c7b in mptsas_
#3 0x56451585c25d in aio_bh_poll ../util/async.c:164
#4 0x5645158d7e7d in aio_dispatch ../util/
#5 0x56451585be2d in aio_ctx_dispatch ../util/async.c:306
#6 0x7f1cc8af4416 in g_main_
(/usr/lib/
#7 0x56451583f059 in glib_pollfds_poll ../util/
#8 0x56451583f059 in os_host_
#9 0x56451583f059 in main_loop_wait ../util/
#10 0x56451536b181 in qemu_main_loop ../softmmu/
#11 0x5645143ddd3d in main ../softmmu/
#12 0x7f1cc2650b96 in __libc_start_main
(/lib/x86_
#13 0x5645143eece9 in _start
(/home/
0x60c000107568 is located 104 bytes inside of 120-byte region
[0x60c000107500
freed by thread T0 here:
#0 0x7f1cca9777a8 in __interceptor_free
(/usr/lib/
#1 0x56451495008b in mptsas_
#2 0x56451495008b in mptsas_
#3 0x56451495008b in mptsas_
#4 0x7fff524ef8bf (<unknown module>)
previously allocated by thread T0 here:
#0 0x7f1cca977d28 in __interceptor_
(/usr/lib/
#1 0x7f1cc8af9b10 in g_malloc0
(/usr/lib/
#2 0x7fff524ef8bf (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free ../hw/scsi/
in mptsas_
Shadow bytes around the buggy address:
0x0c1880018e50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880018e60: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c1880018e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1880018e80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880018e90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c1880018ea0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fa
0x0c1880018eb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1880018ec0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1880018ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880018ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880018ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31872==ABORTING
```
To reproduce this issue, please run QEMU with the following command line.

```sh
# To enable ASan, please configure with the following command
$ ./configure --target-
$ make
# To reproduce this issue, please run the QEMU process with the following command line
$ ./qemu-system-i386 -m 512 -drive
file=./
mptsas1068,id=scsi -device scsi-hd,
id=SysDisk,
```
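As an added illustration that is not QEMU's mptsas code and not the committed fix for this bug: a minimal C model of the bug class, a request freed while still linked in a pending list and then written by a deferred completion, beside a hardened teardown that unlinks before freeing. All struct and function names (`Req`, `State`, `req_free_buggy`, `req_free_fixed`, `complete_pending`) are hypothetical.

```c
/* Hypothetical model of the bug class, not QEMU's mptsas code and not its fix:
 * a request freed on one path while still linked in s->pending, then written
 * by a deferred completion (the bottom-half path in the ASan trace above). */
#include <stdbool.h>
#include <stdlib.h>
typedef struct Req {
    struct Req *next;   /* link in the pending list */
    int tag;
    int status;         /* field written by the completion path */
} Req;
typedef struct { Req *pending; } State;

static Req *req_new(State *s, int tag) {
    Req *r = calloc(1, sizeof *r);
    r->tag = tag;
    r->next = s->pending;   /* push onto s->pending */
    s->pending = r;
    return r;
}
/* Unlink r from s->pending; returns true if it was on the list. */
static bool req_unlink(State *s, Req *r) {
    for (Req **pp = &s->pending; *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; r->next = NULL; return true; }
    return false;
}
/* Buggy teardown: frees r but leaves it linked in s->pending. */
static void req_free_buggy(State *s, Req *r) { (void)s; free(r); }
/* Hardened teardown: unlink first, then free. */
static void req_free_fixed(State *s, Req *r) { req_unlink(s, r); free(r); }

/* Deferred completion: writes status into each pending request with this tag
 * and returns how many it wrote; after req_free_buggy this write is the UAF. */
static int complete_pending(State *s, int tag, int status) {
    int n = 0;
    for (Req *r = s->pending; r; r = r->next)
        if (r->tag == tag) { r->status = status; n++; }
    return n;
}
/* After the hardened teardown a late completion finds nothing to write. */
static bool fixed_path_is_safe(void) {
    State s = { NULL };
    req_free_fixed(&s, req_new(&s, 7));
    return complete_pending(&s, 7, 0) == 0 && s.pending == NULL;
}
/* After the buggy teardown the list head still holds the freed pointer;
 * it is only compared here, never dereferenced. */
static bool buggy_path_leaves_dangling(void) {
    State s = { NULL };
    req_free_buggy(&s, req_new(&s, 7));
    return s.pending != NULL;
}
```

Running the buggy path under ASan (the `--enable-sanitizers` style build used above) is what turns the dangling list entry into the reported heap-use-after-free on the completion write.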
CVE References: CVE-2021-3392 (assigned by Red Hat Inc.)
Activity:
- information type: Private Security → Public Security
- Changed in qemu: status: Fix Committed → Fix Released