xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)

From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Mon, 11 Jul 2022 14:33:16 +0200
Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
 lsi_do_msgout (CVE-2022-0216)

Set current_req to NULL, not current_req->req, to prevent reusing a free'd
buffer in case of repeated SCSI cancel requests.  Also apply the fix to
CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
the request.

Thanks to Alexander Bulekov for providing a reproducer.

Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
CVE: CVE-2022-0216

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 hw/scsi/lsi53c895a.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 8033cf050..fbe3fa3dd 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s)
             trace_lsi_do_msgout_abort(current_tag);
             if (current_req && current_req->req) {
                 scsi_req_cancel(current_req->req);
-                current_req->req = NULL;
+                current_req = NULL;
             }
             lsi_disconnect(s);
             break;
@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s)
             /* clear the current I/O process */
             if (s->current) {
                 scsi_req_cancel(s->current->req);
+                current_req = NULL;
             }

             /* As the current implemented devices scsi_disk and scsi_generic
--
2.33.0