mirror of
https://git.yoctoproject.org/poky
synced 2026-04-04 23:02:22 +02:00
qemu: fix CVE-2022-0216
Backport relevant patches to fix CVE-2022-0216. (From OE-Core rev: f2ebd772edd9508af9b557b184d7716a7004f46d) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Sakib Sajal
committed by
Richard Purdie
Richard Purdie
parent
29ee816927
commit
1d9d4e54c9
@@ -41,6 +41,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
|
||||
file://CVE-2021-3929.patch \
|
||||
file://CVE-2021-4158.patch \
|
||||
file://CVE-2022-0358.patch \
|
||||
file://CVE-2022-0216_1.patch \
|
||||
file://CVE-2022-0216_2.patch \
|
||||
"
|
||||
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
|
||||
|
||||
|
||||
42
meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
Normal file
42
meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
Normal file
@@ -0,0 +1,42 @@
|
||||
From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001
|
||||
From: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Date: Tue, 5 Jul 2022 22:05:43 +0200
|
||||
Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
|
||||
(CVE-2022-0216)
|
||||
|
||||
Set current_req->req to NULL to prevent reusing a free'd buffer in case of
|
||||
repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
|
||||
|
||||
Fixes: CVE-2022-0216
|
||||
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
|
||||
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
|
||||
CVE: CVE-2022-0216
|
||||
|
||||
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
|
||||
---
|
||||
hw/scsi/lsi53c895a.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
|
||||
index 85e907a78..8033cf050 100644
|
||||
--- a/hw/scsi/lsi53c895a.c
|
||||
+++ b/hw/scsi/lsi53c895a.c
|
||||
@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
|
||||
case 0x0d:
|
||||
/* The ABORT TAG message clears the current I/O process only. */
|
||||
trace_lsi_do_msgout_abort(current_tag);
|
||||
- if (current_req) {
|
||||
+ if (current_req && current_req->req) {
|
||||
scsi_req_cancel(current_req->req);
|
||||
+ current_req->req = NULL;
|
||||
}
|
||||
lsi_disconnect(s);
|
||||
break;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
52
meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
Normal file
52
meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
Normal file
@@ -0,0 +1,52 @@
|
||||
From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001
|
||||
From: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Date: Mon, 11 Jul 2022 14:33:16 +0200
|
||||
Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
|
||||
lsi_do_msgout (CVE-2022-0216)
|
||||
|
||||
Set current_req to NULL, not current_req->req, to prevent reusing a free'd
|
||||
buffer in case of repeated SCSI cancel requests. Also apply the fix to
|
||||
CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
|
||||
the request.
|
||||
|
||||
Thanks to Alexander Bulekov for providing a reproducer.
|
||||
|
||||
Fixes: CVE-2022-0216
|
||||
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
|
||||
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Tested-by: Alexander Bulekov <alxndr@bu.edu>
|
||||
Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
|
||||
CVE: CVE-2022-0216
|
||||
|
||||
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
|
||||
---
|
||||
hw/scsi/lsi53c895a.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
|
||||
index 8033cf050..fbe3fa3dd 100644
|
||||
--- a/hw/scsi/lsi53c895a.c
|
||||
+++ b/hw/scsi/lsi53c895a.c
|
||||
@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s)
|
||||
trace_lsi_do_msgout_abort(current_tag);
|
||||
if (current_req && current_req->req) {
|
||||
scsi_req_cancel(current_req->req);
|
||||
- current_req->req = NULL;
|
||||
+ current_req = NULL;
|
||||
}
|
||||
lsi_disconnect(s);
|
||||
break;
|
||||
@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s)
|
||||
/* clear the current I/O process */
|
||||
if (s->current) {
|
||||
scsi_req_cancel(s->current->req);
|
||||
+ current_req = NULL;
|
||||
}
|
||||
|
||||
/* As the current implemented devices scsi_disk and scsi_generic
|
||||
--
|
||||
2.33.0
|
||||
|
||||
Reference in New Issue
Block a user