| From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001 |
| From: Mauro Matteo Cascella <mcascell@redhat.com> |
| Date: Tue, 5 Jul 2022 22:05:43 +0200 |
| Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout |
| (CVE-2022-0216) |
| |
| Set current_req->req to NULL to prevent reusing a free'd buffer in case of |
| repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. |
| |
| Fixes: CVE-2022-0216 |
| Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 |
| Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> |
| Reviewed-by: Thomas Huth <thuth@redhat.com> |
| Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| |
| Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] |
| CVE: CVE-2022-0216 |
| |
| Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> |
| --- |
| hw/scsi/lsi53c895a.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c |
| index c8773f73f..99ea42d49 100644 |
| --- a/hw/scsi/lsi53c895a.c |
| +++ b/hw/scsi/lsi53c895a.c |
| @@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) |
| case 0x0d: |
| /* The ABORT TAG message clears the current I/O process only. */ |
| trace_lsi_do_msgout_abort(current_tag); |
| - if (current_req) { |
| + if (current_req && current_req->req) { |
| scsi_req_cancel(current_req->req); |
| + current_req->req = NULL; |
| } |
| lsi_disconnect(s); |
| break; |
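Review bot: The added `current_req->req = NULL;` store after `scsi_req_cancel()` carries no comment explaining the invariant it enforces, and it is only sound if the lsi_request that `current_req` points at is still a live allocation when `scsi_req_cancel()` returns — should the bus cancel callback ever free that structure synchronously, this store would itself become a write-after-free, so the assumption deserves to be stated or asserted next to it. I would put above the store: `/* The cancel path frees req; clear the pointer so a repeated ABORT TAG cannot cancel it again (CVE-2022-0216). */`. Because `req` can now legitimately be NULL on a still-tracked `current_req`, any other message case in this switch that dereferences `current_req->req` presumably needs the same `current_req && current_req->req` guard; the rest of the switch is not visible here. lsi_do_msgout begins and ends outside this hunk.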
| -- |
| 2.33.0 |
| |