Описание
QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.
A flaw was found in the am53c974 SCSI controller emulation of QEMU. When an SCSI layer transfer is incorrectly terminated, it is possible for a TI command to cause an SCSI buffer overflow due to the expected transfer data length being less than the available data in the FIFO. When this occurs, the unsigned async_len variable underflows and becomes a large offset, which writes past the end of the allocated SCSI buffer. This flaw could allow a malicious guest to crash QEMU and cause a denial of service condition.
Отчет
The qemu-kvm versions, as shipped with Red Hat Enterprise Linux and RHEL Advanced Virtualization, are not affected by this CVE as they did not include support for the am53c974 SCSI controller emulation.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 7 | qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 7 | qemu-kvm-ma | Not affected | ||
| Red Hat Enterprise Linux 8 | virt:rhel/qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 8 Advanced Virtualization | virt:av/qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 9 | qemu-kvm | Not affected |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.
QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.
QEMU before 8.2.0 has an integer underflow, and resultant buffer overf ...
5.3 Medium
CVSS3