1From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001 2From: Mauro Matteo Cascella <mcascell@redhat.com> 3Date: Tue, 5 Jul 2022 22:05:43 +0200 4Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout 5 (CVE-2022-0216) 6 7Set current_req->req to NULL to prevent reusing a free'd buffer in case of 8repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. 9 10Fixes: CVE-2022-0216 11Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 12Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> 13Reviewed-by: Thomas Huth <thuth@redhat.com> 14Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> 15Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 16 17Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] 18CVE: CVE-2022-0216 19 20Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> 21--- 22 hw/scsi/lsi53c895a.c | 3 ++- 23 1 file changed, 2 insertions(+), 1 deletion(-) 24 25diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c 26index 85e907a78..8033cf050 100644 27--- a/hw/scsi/lsi53c895a.c 28+++ b/hw/scsi/lsi53c895a.c 29@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s) 30 case 0x0d: 31 /* The ABORT TAG message clears the current I/O process only. */ 32 trace_lsi_do_msgout_abort(current_tag); 33- if (current_req) { 34+ if (current_req && current_req->req) { 35 scsi_req_cancel(current_req->req); 36+ current_req->req = NULL; 37 } 38 lsi_disconnect(s); 39 break; 40-- 412.33.0 42 43