QEMU before 8.2.0 has an integer underflow, and a resultant buffer overflow, reachable via a TI (Transfer Information) command when the expected non-DMA transfer length is less than the length of the data already available in the FIFO. The defect is in `esp_do_nodma()` in `hw/scsi/esp.c`: `async_len` underflows, and the resulting out-of-range length is then used for the copy. The issue is addressed by upstream commit 77668e4b9bca03a856c27ba899a2513ddf52bb52, which the signatures below reference.
{ "vanir_signatures": [ { "digest": { "length": 1292.0, "function_hash": "313434556632100557964674966874116284659" }, "signature_type": "Function", "deprecated": false, "source": "https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52", "id": "CVE-2024-24474-21ac6013", "target": { "function": "esp_do_nodma", "file": "hw/scsi/esp.c" }, "signature_version": "v1" }, { "digest": { "threshold": 0.9, "line_hashes": [ "129997302582071570892692090689245596637", "323551469098876647757246510303823415793", "28156816571240943432124849330020674131", "224242890912468711811369873366595762494" ] }, "signature_type": "Line", "deprecated": false, "source": "https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52", "id": "CVE-2024-24474-9cc79d4c", "target": { "file": "hw/scsi/esp.c" }, "signature_version": "v1" } ] }