CVE-2024-24474: 
NixOS vulnerability analysis and mitigation

QEMU before version 8.2.0 contains a vulnerability (CVE-2024-24474) involving an integer underflow and resultant buffer overflow in the am53c974 SCSI controller emulation. The vulnerability was discovered and disclosed on February 20, 2024, affecting the esp_do_nodma function in hw/scsi/esp.c due to an underflow of async_len variable (RedHat XML).

The vulnerability occurs when a SCSI layer transfer is incorrectly terminated, allowing a TI command to cause a buffer overflow when the expected non-DMA transfer length is less than the available FIFO data. When this happens, the unsigned async_len variable underflows and becomes a large offset, which writes past the end of the allocated SCSI buffer. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (RedHat XML).

The successful exploitation of this vulnerability could lead to disclosure of sensitive information, modification of data, or a denial of service (DoS) condition. The flaw could allow a malicious guest to crash QEMU and cause a denial of service condition (RedHat XML).

The vulnerability has been fixed in QEMU version 8.2.0. The patch restricts the non-DMA transfer length to be the smallest of the expected transfer length and the available FIFO data to ensure that it is no longer possible for the SCSI buffer overflow to occur (QEMU Commit).