qemu: fix CVE-2022-0216
Backport relevant patches to fix CVE-2022-0216. (From OE-Core rev: f2ebd772edd9508af9b557b184d7716a7004f46d) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
29ee816927
commit
1d9d4e54c9
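--- a/<qemu-recipe-path-not-shown-on-page>
+++ b/<qemu-recipe-path-not-shown-on-page>
@@ -41,6 +41,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2021-3929.patch \
 file://CVE-2021-4158.patch \
 file://CVE-2022-0358.patch \
+file://CVE-2022-0216_1.patch \
+file://CVE-2022-0216_2.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 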
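Review bot: The two files added to SRC_URI are [PATCH 1/3] and [PATCH 3/3] of the upstream series, going by the Subject lines in the patch files themselves, and neither this hunk nor the commit message says why 2/3 is not carried. The order matters here: 1/3 on its own still writes through `current_req` after the cancel (`current_req->req = NULL`), which 3/3 replaces with `current_req = NULL`, so the tree is only sound with both applied in this order. I would record that next to the entries, e.g. `# CVE-2022-0216_2.patch supersedes the write in _1.patch; keep both, in this order` and, if upstream 2/3 was assessed as not needed for the fix, say so in the same comment.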
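--- /dev/null
+++ b/<recipe-dir-not-shown-on-page>/CVE-2022-0216_1.patch
@@ -0,0 +1,42 @@
+From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+(CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
+CVE: CVE-2022-0216
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/scsi/lsi53c895a.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 85e907a78..8033cf050 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
+case 0x0d:
+/* The ABORT TAG message clears the current I/O process only. */
+trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+}
+lsi_disconnect(s);
+break;
+--
+2.33.0
+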
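Review bot: The added line `current_req->req = NULL;` dereferences `current_req` immediately after `scsi_req_cancel(current_req->req)`, and the follow-up patch carried in the same commit says that the pointer to clear is `current_req` itself, which indicates the cancel can release the object `current_req` points at before this store runs. On its own this backport therefore still touches freed memory on the ABORT TAG path; it is only safe because the second patch rewrites the line. Since the patch file is applied as-is, I would add a line to its header block, below `CVE: CVE-2022-0216`, such as `Note: incomplete without CVE-2022-0216_2.patch, which replaces the current_req->req store`. lsi_do_msgout starts and ends outside the hunk, so the origin of `current_req` is not visible here.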
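--- /dev/null
+++ b/<recipe-dir-not-shown-on-page>/CVE-2022-0216_2.patch
@@ -0,0 +1,52 @@
+From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
+lsi_do_msgout (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
+CVE: CVE-2022-0216
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+hw/scsi/lsi53c895a.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 8033cf050..fbe3fa3dd 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s)
+trace_lsi_do_msgout_abort(current_tag);
+if (current_req && current_req->req) {
+scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+}
+lsi_disconnect(s);
+break;
+@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s)
+/* clear the current I/O process */
+if (s->current) {
+scsi_req_cancel(s->current->req);
++ current_req = NULL;
+}
+
+/* As the current implemented devices scsi_disk and scsi_generic
+--
+2.33.0
+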
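Review bot: In the second hunk of the inner diff (@@ -1057) the guard tests `s->current` while the added line clears the local `current_req`, and nothing in either hunk shows how the two are related, so a reader of the backport cannot see from the diff why nulling the local is what makes a later ABORT/ABORT TAG in the same call safe. I take it that `current_req` was copied from `s->current` earlier in lsi_do_msgout (the function starts outside both hunks) and that the cancel callback releases the request, but that is inference, not something the patch states. A one-line comment above each `scsi_req_cancel()` call would pin this for the next backport, e.g. `/* scsi_req_cancel() may free the request synchronously; current_req is stale after this call */`. The Upstream-Status hash and the CVE tag in the header match the rest of the series, which is what the CVE checker consumes, so nothing further is needed there.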