
REDHAT-BUG-2160151

First published: Wed Jan 11 2023

A vulnerability in the lsi53c895a SCSI device emulation affects the latest version of QEMU. A crafted guest can repeatedly trigger DMA writes, and the device does not restrict the addresses those DMA writes may target. A write that lands on the device's own MMIO registers re-enters the register handler, which restarts the script engine, and the resulting recursion eventually overflows the stack. A privileged local user could use this flaw to crash the QEMU process on the host. Note that the DMA operation is the pci_dma_write() in lsi_mem_write(), so the issue cannot be solved by modifying the 'attrs' flag. The following AddressSanitizer log reveals it (note lsi_execute_script at frames #14, #20 and #29, re-entered through lsi_reg_writeb via address_space_write):

==3850539==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb10d5e58 (pc 0x55cd154d0f16 bp 0x7ffeb10d6690 sp 0x7ffeb10d5e60 T0)
    #0 0x55cd154d0f16 in __asan_memcpy llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x55cd15b25676 in sparse_mem_read qemu/hw/mem/sparse-mem.c:50:9
    #2 0x55cd16c973cd in memory_region_read_accessor qemu/softmmu/memory.c:440:11
    #3 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #4 0x55cd16c6cf11 in memory_region_dispatch_read1 qemu/softmmu/memory.c
    #5 0x55cd16c6cf11 in memory_region_dispatch_read qemu/softmmu/memory.c:1457:9
    #6 0x55cd16cb9270 in flatview_read_continue qemu/softmmu/physmem.c:2892:23
    #7 0x55cd16cba14f in flatview_read qemu/softmmu/physmem.c:2934:12
    #8 0x55cd16cb9ee3 in address_space_read_full qemu/softmmu/physmem.c:2947:18
    #9 0x55cd15ed44c5 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
    #10 0x55cd15ed44c5 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
    #11 0x55cd15ed44c5 in pci_dma_rw qemu/include/hw/pci/pci.h:850:12
    #12 0x55cd15ed44c5 in pci_dma_read qemu/include/hw/pci/pci.h:869:12
    #13 0x55cd15ed44c5 in read_dword qemu/hw/scsi/lsi53c895a.c:472:5
    #14 0x55cd15ed44c5 in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1154:12
    #15 0x55cd15eed0e5 in lsi_command_complete qemu/hw/scsi/lsi53c895a.c:810:5
    #16 0x55cd15e3d5c1 in scsi_req_complete qemu/hw/scsi/scsi-bus.c:1518:5
    #17 0x55cd15e41f9c in scsi_unit_attention qemu/hw/scsi/scsi-bus.c:422:5
    #18 0x55cd15e33c59 in scsi_req_enqueue qemu/hw/scsi/scsi-bus.c:890:10
    #19 0x55cd15ed869c in lsi_do_command qemu/hw/scsi/lsi53c895a.c:869:9
    #20 0x55cd15ed869c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1261:13
    #21 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c
    #22 0x55cd16c6ef86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
    #23 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #24 0x55cd16c6e2fa in memory_region_dispatch_write qemu/softmmu/memory.c
    #25 0x55cd16cc274c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
    #26 0x55cd16cba662 in flatview_write qemu/softmmu/physmem.c:2867:12
    #27 0x55cd16cba3f3 in address_space_write qemu/softmmu/physmem.c:2963:18
    #28 0x55cd15ed4d5c in lsi_memcpy qemu/hw/scsi/lsi53c895a.c:1104:9
    #29 0x55cd15ed4d5c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1563:13
    #30 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c
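The recursion in the trace above (script engine -> DMA write -> own MMIO window -> register handler -> script engine again) is the general DMA-to-MMIO reentrancy pattern. The toy model below is an added illustration, not QEMU code and not the fix Red Hat shipped: it simulates a device whose script engine issues one DMA write, lets that write reach either RAM or the device's own registers, and compares the unguarded behaviour (recursion until the modelled stack limit) with a per-device reentrancy flag that refuses to restart the engine while it is already running. All names (Device, execute_script, reg_write, bus_write, run_scenario) and the address layout are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed address layout: a small RAM and a 256-byte MMIO window. */
#define RAM_SIZE  0x2000
#define MMIO_BASE 0x1000
#define MMIO_SIZE 0x100
/* Stand-in for "the host stack is exhausted": we stop modelling at this depth. */
#define MAX_DEPTH 64

typedef struct {
    uint8_t  ram[RAM_SIZE];
    uint32_t dma_target;     /* address the script engine will DMA-write to */
    int      guard_enabled;  /* 1 = use the reentrancy flag below */
    int      in_script;      /* reentrancy flag: engine currently running */
    int      depth;          /* current recursion depth */
    int      max_depth;      /* deepest recursion observed */
    int      rejected;       /* re-entries refused by the guard */
} Device;

static void reg_write(Device *d, uint32_t off, uint8_t val);

/* Analogue of address_space_write: route to RAM or to the device's MMIO. */
static int bus_write(Device *d, uint32_t addr, uint8_t val)
{
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        reg_write(d, addr - MMIO_BASE, val);   /* the re-entry path */
        return 1;
    }
    if (addr < RAM_SIZE) {
        d->ram[addr] = val;
        return 1;
    }
    return 0;                                  /* unmapped: ignored */
}

/* Analogue of lsi_execute_script: run the script, which performs one DMA write. */
static void execute_script(Device *d)
{
    if (d->guard_enabled && d->in_script) {
        d->rejected++;          /* already running: refuse to re-enter */
        return;
    }
    if (d->depth >= MAX_DEPTH) {
        return;                 /* unguarded model: this is where ASan would fire */
    }
    d->in_script = 1;
    d->depth++;
    if (d->depth > d->max_depth) {
        d->max_depth = d->depth;
    }
    bus_write(d, d->dma_target, 0x01);   /* the unrestricted DMA write */
    d->depth--;
    d->in_script = 0;
}

/* Analogue of lsi_reg_writeb: offset 0 is the "start script" register. */
static void reg_write(Device *d, uint32_t off, uint8_t val)
{
    if (off == 0 && val) {
        execute_script(d);
    }
}

/* Run one scenario: guest kicks the script engine through MMIO once.
 * Returns the deepest recursion reached; *rejected receives the guard count. */
static int run_scenario(int guard_enabled, uint32_t dma_target, int *rejected)
{
    Device d;
    memset(&d, 0, sizeof d);
    d.guard_enabled = guard_enabled;
    d.dma_target = dma_target;
    reg_write(&d, 0, 1);
    if (rejected) {
        *rejected = d.rejected;
    }
    return d.max_depth;
}

int main(void)
{
    int rej = 0;
    printf("RAM target, no guard:  depth %d\n", run_scenario(0, 0x20, NULL));
    printf("MMIO target, no guard: depth %d (would overflow the stack)\n",
           run_scenario(0, MMIO_BASE, NULL));
    printf("MMIO target, guarded:  depth %d, re-entries refused %d\n",
           run_scenario(1, MMIO_BASE, &rej), rej);
    return 0;
}
```

The guarded run stays at depth 1 because the second arrival in execute_script sees in_script set and returns; the unguarded run recurses until the modelled limit, which is the behaviour the ASan report captures. A per-device flag like this is only one way to break the cycle; the advisory text notes that in the real device the DMA goes through pci_dma_write() in lsi_mem_write(), so a fix based on the memory-transaction 'attrs' flag alone does not reach it.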

Affected Software | Affected Version | How to fix
QEMU | |


Frequently Asked Questions

  • What is the severity of REDHAT-BUG-2160151?

    The severity of REDHAT-BUG-2160151 is high due to the potential for exploitation by a privileged local user.

  • How do I fix REDHAT-BUG-2160151?

    To fix REDHAT-BUG-2160151, update your QEMU installation to the latest patched version provided by Red Hat.

  • What specific component is affected by REDHAT-BUG-2160151?

    The lsi53c895a device within QEMU is specifically affected by REDHAT-BUG-2160151.

  • Who can exploit REDHAT-BUG-2160151?

    A privileged local user on the system can exploit REDHAT-BUG-2160151 to cause reentrancy issues and overflow.

  • What kind of issues does REDHAT-BUG-2160151 cause?

    REDHAT-BUG-2160151 can cause reentrancy issues and buffer overflow vulnerabilities in the affected component.
