diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch new file mode 100644 index 0000000000..de7458fc72 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch @@ -0,0 +1,42 @@ +From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 85e907a78..8033cf050 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +2.33.0 + |