ZDI lsi53c895a use-after-free (CVE-2024-6519)
ZDI reported a use-after-free (CVE-2024-6519) in the LSI53C895A SCSI controller:
- https://access.redhat.com/security/cve/CVE-2024-6519
- https://www.zerodayinitiative.com/advisories/ZDI-24-1382/
While the bug is a genuine issue and was assigned a CVE in 2024, the QEMU security team never evaluated whether it qualified as a CVE from the point of view of QEMU's security policy. As noted in the Red Hat CVE page, the device is unlikely to be used in association with untrusted guests.
Issue details:
- The LSI virtual device supports SCSI SCRIPTS. Instructions and operands are iteratively loaded from a DMA buffer in lsi_execute_script.
- The ACPI controller is mapped into the device address space, so the ACPI handler pci_write can be triggered from lsi_execute_script.
- Through ACPI MMIO, any PCI slot can be ejected, including the one holding the LSI53C895A device itself. That calls do_pci_unregister_device() and frees the related objects.
- At the end of acpi_pcihp_eject_slot, the controller unparents the device, which results in it being freed, including the device's LSIState.
- Once the unregistration returns, lsi_execute_script continues to iterate and works with the freed device state.
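The hazard above is a reentrancy problem: a script loop performs a write that, several layers down, unregisters and frees the object running the loop. The following is an added toy model written for this note, not QEMU's code and not the upstream fix; the Device type, the opcode names and the script buffer are all constructed. It shows the defensive pattern a device loop needs: take a reference on the device state for the duration of the loop so a reentrant unregistration cannot free it mid-iteration, and re-check an "unregistered" flag after every write so the loop stops rather than continuing to operate on a device that is logically gone.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model (not QEMU's code): a device object whose script
 * loop performs writes, one of which reaches an "eject my own slot" path
 * that unregisters the very device executing the loop. */

typedef struct Device {
    int refcount;       /* 1 = held by the bus only */
    int unregistered;   /* set once the eject path has run */
    unsigned dsp;       /* script pointer into the op buffer (modelled DSP) */
} Device;

static int g_frees = 0;   /* total Device objects freed so far */

static Device *device_new(void) {
    Device *d = calloc(1, sizeof(*d));
    d->refcount = 1;      /* the bus's reference */
    return d;
}

static void device_ref(Device *d) { d->refcount++; }

static void device_unref(Device *d) {
    if (--d->refcount == 0) {
        g_frees++;
        free(d);
    }
}

/* Opcodes of the constructed script buffer. */
enum { OP_NOP = 0, OP_EJECT_SELF = 1, OP_END = 2 };

/* Models the eject write landing on the executing device's own slot: the
 * bus drops its reference. Without a reference held by the loop, d would
 * be freed right here, while the caller is still iterating over it. */
static void handle_script_write(Device *d, int op) {
    if (op == OP_EJECT_SELF && !d->unregistered) {
        d->unregistered = 1;
        device_unref(d);
    }
}

typedef struct RunResult {
    unsigned ops_done;        /* ops executed before the loop stopped */
    int freed_inside_loop;    /* 1 if the device died while the loop ran */
    int freed_by_end;         /* 1 if the device was released after the loop */
} RunResult;

/* Hardened loop: holds its own reference across the whole script and stops
 * as soon as the device has been unregistered by a reentrant handler. */
static RunResult execute_script(Device *d, const int *ops, size_t n) {
    RunResult r = {0, 0, 0};
    int frees_at_start = g_frees;

    device_ref(d);                            /* loop's own reference */
    while (d->dsp < n && !d->unregistered) {
        int op = ops[d->dsp++];
        if (op == OP_END) {
            break;
        }
        r.ops_done++;
        handle_script_write(d, op);           /* may unregister d */
        /* d is still a valid pointer here only because of device_ref() */
    }
    r.freed_inside_loop = (g_frees != frees_at_start);
    device_unref(d);                          /* may be the final reference */
    r.freed_by_end = (g_frees != frees_at_start);
    return r;
}

/* Runs one script against a fresh device; if the script did not eject the
 * device, the bus tears it down afterwards, so every run frees exactly one. */
static RunResult run_script(const int *ops, size_t n) {
    Device *d = device_new();
    RunResult r = execute_script(d, ops, n);
    if (!r.freed_by_end) {
        device_unref(d);                      /* bus teardown */
        r.freed_by_end = 1;
    }
    return r;
}

/* Two constructed scripts: a benign one and one that ejects its own slot. */
static RunResult run_plain(void) {
    const int ops[] = { OP_NOP, OP_NOP, OP_END };
    return run_script(ops, 3);
}

static RunResult run_eject(void) {
    const int ops[] = { OP_NOP, OP_EJECT_SELF, OP_NOP, OP_NOP };
    return run_script(ops, 4);
}

int main(void) {
    RunResult a = run_plain();
    RunResult b = run_eject();
    printf("plain: ops=%u freed_inside=%d\n", a.ops_done, a.freed_inside_loop);
    printf("eject: ops=%u freed_inside=%d freed_by_end=%d\n",
           b.ops_done, b.freed_inside_loop, b.freed_by_end);
    return 0;
}
```

In the eject script the loop executes two ops and then stops; the two trailing NOPs are never run against a device that has been unregistered, and the state is released only by the loop's final device_unref(), after the last access. Drop the device_ref()/device_unref() pair and the eject write frees the state inside the loop, which is the shape of the report above.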
Stack trace:
ERROR: AddressSanitizer: heap-use-after-free on address 0x627000015ee8
at pc 0x55f1a6c06b72 bp 0x7ffc42f15590 sp 0x7ffc42f15580
WRITE of size 4 at 0x627000015ee8 thread T0
#0 0x55f1a6c06b71 in scripts_timer_cb ../hw/scsi/lsi53c895a.c:2327
#1 0x55f1a769b7c4 in timerlist_run_timers ../util/qemu-timer.c:576
#2 0x55f1a769b7c4 in timerlist_run_timers ../util/qemu-timer.c:501
#3 0x55f1a769bc63 in qemu_clock_run_timers ../util/qemu-timer.c:590
#4 0x55f1a769bc63 in qemu_clock_run_all_timers ../util/qemu-timer.c:672
#5 0x55f1a7691471 in main_loop_wait ../util/main-loop.c:600
#6 0x55f1a6dc3f6e in qemu_main_loop ../system/runstate.c:783
#7 0x55f1a72b978a in qemu_default_main ../system/main.c:37
#8 0x7f05ade4b082 in __libc_start_main ../csu/libc-start.c:308
#9 0x55f1a678f64d in _start
(qemu-9.0.0/build/qemu-system-x86_64+0xa5264d)
0x627000015ee8 is located 3560 bytes inside of 12160-byte region
[0x627000015100,0x627000018080)
freed by thread T1 here:
#0 0x7f05af5c340f in __interceptor_free
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x55f1a72cf8fd in object_finalize ../qom/object.c:751
#2 0x55f1a72cf8fd in object_unref ../qom/object.c:1254
previously allocated by thread T0 here:
#0 0x7f05af5c3808 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f05aef44e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
Thread T1 created by T0 here:
#0 0x7f05af4f0815 in __interceptor_pthread_create
../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x55f1a766458d in qemu_thread_create ../util/qemu-thread-posix.c:581
#2 0x55f1a7cbf857
(qemu-9.0.0/build/qemu-system-x86_64+0x1f82857)
SUMMARY: AddressSanitizer: heap-use-after-free
../hw/scsi/lsi53c895a.c:2327 in scripts_timer_cb
Shadow bytes around the buggy address:
0x0c4e7fffab80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffab90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffaba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffabb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffabc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffabd0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c4e7fffabe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffabf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffac00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffac10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4e7fffac20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==33782==ABORTING