QEMU before 8.2.0 has an integer underflow, and a resulting buffer overflow, via a TI command when the expected non-DMA transfer length is less than the length of the data available in the FIFO. This occurs in esp_do_nodma in hw/scsi/esp.c because async_len underflows.
[ { "source": "https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52", "deprecated": false, "digest": { "function_hash": "313434556632100557964674966874116284659", "length": 1292.0 }, "target": { "file": "hw/scsi/esp.c", "function": "esp_do_nodma" }, "id": "CVE-2024-24474-21ac6013", "signature_type": "Function", "signature_version": "v1" }, { "source": "https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52", "deprecated": false, "digest": { "line_hashes": [ "129997302582071570892692090689245596637", "323551469098876647757246510303823415793", "28156816571240943432124849330020674131", "224242890912468711811369873366595762494" ], "threshold": 0.9 }, "target": { "file": "hw/scsi/esp.c" }, "id": "CVE-2024-24474-9cc79d4c", "signature_type": "Line", "signature_version": "v1" } ]