1198038 – (CVE-2022-0216) VUL-1: CVE-2022-0216: kvm,qemu: use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c

Bug 1198038 (CVE-2022-0216) - VUL-1: CVE-2022-0216: kvm,qemu: use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c

Summary: VUL-1: CVE-2022-0216: kvm,qemu: use-after-free in lsi_do_msgout function in h...

Status:	RESOLVED FIXED

Alias:	CVE-2022-0216

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/327829/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-0216:5.3:(AV:L...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2022-04-04 14:54 UTC by Robert Frohl
Modified:	2024-07-10 13:28 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2022-04-04 14:54:34 UTC

rh#2036953

A use after free issue was found in the `hw/scsi/lsi53c895a.c` specifically in `lsi_do_msgout` function. `lsi_do_msgout` function is used to receive
message from the OS, and do something based on that message. In this case, one message only has one-byte size.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2036953
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0216

Comment 1 Dario Faggioli 2022-05-23 15:36:46 UTC

It looks to me that this is the upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/972

And it also looks to me that there's not a fix for it yet. Or am I missing it?

Comment 2 Claudio Fontana 2022-05-23 16:41:46 UTC

Hi Dario, worst case scenario the link you point to does show an effective work around though, I'd be very surprised if that patch from Thomas Huth would not be effective in practice.
As a vul-1 with low score there is probably more time to integrate a better / more agreed on solution though.

Just my 2c.

Comment 3 Dario Faggioli 2022-07-15 09:05:05 UTC

(In reply to Claudio Fontana from comment #2)
> As a vul-1 with low score there is probably more time to integrate a better
> / more agreed on solution though.
> 
Which seems to have arrived:
https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8

Will work on it

Comment 4 Dario Faggioli 2022-07-22 07:12:47 UTC

(In reply to Dario Faggioli from comment #3)
> (In reply to Claudio Fontana from comment #2)
> > As a vul-1 with low score there is probably more time to integrate a better
> > / more agreed on solution though.
> > 
> Which seems to have arrived:
> https://gitlab.com/qemu-project/qemu/-/commit/
> 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
> 
> Will work on it
>
And it seems that there is also this one, which is actually the real fix:

scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout (CVE-2022-0216)
https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc442c56b05611b4224de9a61908f9eac

I'll backport it as well...

Comment 5 OBSbugzilla Bot 2022-07-22 14:40:09 UTC

This is an autogenerated message for OBS integration:
This bug (1198038) was mentioned in
https://build.opensuse.org/request/show/990694 Factory / qemu

Comment 6 OBSbugzilla Bot 2022-07-22 22:40:02 UTC

This is an autogenerated message for OBS integration:
This bug (1198038) was mentioned in
https://build.opensuse.org/request/show/990725 Factory / qemu

Comment 13 Swamp Workflow Management 2022-10-17 10:21:12 UTC

SUSE-SU-2022:3594-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1175144,1182282,1192115,1198035,1198037,1198038
CVE References: CVE-2021-3409,CVE-2021-4206,CVE-2021-4207,CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    qemu-4.2.1-150200.69.1
openSUSE Leap 15.3 (src):    qemu-4.2.1-150200.69.1
SUSE Manager Server 4.1 (src):    qemu-4.2.1-150200.69.1
SUSE Manager Retail Branch Server 4.1 (src):    qemu-4.2.1-150200.69.1
SUSE Manager Proxy 4.1 (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    qemu-4.2.1-150200.69.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    qemu-4.2.1-150200.69.1
SUSE Enterprise Storage 7 (src):    qemu-4.2.1-150200.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2022-10-19 16:23:52 UTC

SUSE-SU-2022:3660-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1192115,1198038,1201367
CVE References: CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    qemu-5.2.0-150300.118.3
openSUSE Leap 15.3 (src):    qemu-5.2.0-150300.118.3, qemu-linux-user-5.2.0-150300.118.2, qemu-testsuite-5.2.0-150300.118.5
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    qemu-5.2.0-150300.118.3
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    qemu-5.2.0-150300.118.3
SUSE Linux Enterprise Micro 5.2 (src):    qemu-5.2.0-150300.118.3
SUSE Linux Enterprise Micro 5.1 (src):    qemu-5.2.0-150300.118.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2022-10-26 14:10:20 UTC

SUSE-SU-2022:3768-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1175144,1182282,1185000,1192463,1198035,1198037,1198038,1201367
CVE References: CVE-2020-17380,CVE-2021-3409,CVE-2021-3507,CVE-2021-4206,CVE-2021-4207,CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    qemu-3.1.1.1-150100.80.43.2
SUSE Enterprise Storage 6 (src):    qemu-3.1.1.1-150100.80.43.2
SUSE CaaS Platform 4.0 (src):    qemu-3.1.1.1-150100.80.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2022-10-27 16:24:30 UTC

SUSE-SU-2022:3795-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1192115,1198038,1201367
CVE References: CVE-2022-0216,CVE-2022-35414
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    qemu-6.2.0-150400.37.8.2, qemu-linux-user-6.2.0-150400.37.8.1, qemu-testsuite-6.2.0-150400.37.8.4
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    qemu-6.2.0-150400.37.8.2
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    qemu-6.2.0-150400.37.8.2
SUSE Linux Enterprise Micro 5.3 (src):    qemu-6.2.0-150400.37.8.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Maintenance Automation 2023-03-16 12:30:24 UTC

SUSE-SU-2023:0761-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1172033, 1172382, 1175144, 1180207, 1182282, 1185000, 1193880, 1197653, 1198035, 1198038, 1198712, 1201367, 1205808
CVE References: CVE-2020-13253, CVE-2020-13754, CVE-2020-14394, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409, CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2022-0216, CVE-2022-1050, CVE-2022-26354, CVE-2022-35414, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Maintenance Automation 2023-03-21 12:30:09 UTC

SUSE-SU-2023:0840-1: An update that solves six vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1180207, 1185000, 1193880, 1197653, 1198038, 1202364, 1205808
CVE References: CVE-2020-14394, CVE-2021-3507, CVE-2021-3929, CVE-2022-0216, CVE-2022-1050, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Real Time 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.121.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Maintenance Automation 2023-06-02 12:30:05 UTC

SUSE-SU-2023:2358-1: An update that solves four vulnerabilities and has three fixes can now be installed.

Category: security (important)
Bug References: 1187529, 1192463, 1193621, 1193880, 1198035, 1198037, 1198038
CVE References: CVE-2021-3929, CVE-2021-4206, CVE-2021-4207, CVE-2022-0216
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): qemu-2.6.2-41.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 24 Dario Faggioli 2023-08-04 10:47:48 UTC

And, with 12-SP4 done (in https://build.suse.de/request/show/304637), this should finally be fine, I think.

Handing it back (hoping for the MR to be accepted :-) )

Comment 25 Maintenance Automation 2024-04-23 12:30:12 UTC

SUSE-SU-2024:1395-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1190011, 1198038, 1207205, 1212850, 1213925
CVE References: CVE-2021-3750, CVE-2022-0216, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Maintenance Incident: [SUSE:Maintenance:33441](https://smelt.suse.de/incident/33441/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server 12 SP5 (src):
 qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 qemu-3.1.1.1-72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 26 Andrea Mattiazzo 2024-07-10 13:28:37 UTC

All done, closing.