* [hardknott][PATCH] qemu: fix CVE-2021-3392
@ 2021-04-27 8:07 Minjae Kim
2021-04-27 8:16 ` [OE-core] " Anuj Mittal
0 siblings, 1 reply; 2+ messages in thread
From: Minjae Kim @ 2021-04-27 8:07 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
scsi: use-after-free in mptsas_process_scsi_io_request() of mptsas1068 emulator
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3392.patch | 45 +++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index a625809597..1c4866ec0c 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://determinism.patch \
file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
file://CVE-2021-20203.patch \
+ file://CVE-2021-3392.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000000..1c688827db
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,45 @@
+From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Tue, 27 Apr 2021 02:09:49 +0000
+Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
+ (CVE-2021-3392)
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+Unconditionally dequeue 'req' object from 's->pending' to avoid it.
+
+Fixes: CVE-2021-3392
+Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+
+Upstream-Status: Acepted
+[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
+CVE: CVE-2021-3392
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index f86616544..adff5b0bf 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
+ req->sreq->hba_private = NULL;
+ scsi_req_unref(req->sreq);
+ req->sreq = NULL;
+- QTAILQ_REMOVE(&s->pending, req, next);
+ }
++ QTAILQ_REMOVE(&s->pending, req, next);
+ qemu_sglist_destroy(&req->qsg);
+ g_free(req);
+ }
+--
+2.17.1
+
--
2.24.3 (Apple Git-128)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core] [hardknott][PATCH] qemu: fix CVE-2021-3392
2021-04-27 8:07 [hardknott][PATCH] qemu: fix CVE-2021-3392 Minjae Kim
@ 2021-04-27 8:16 ` Anuj Mittal
0 siblings, 0 replies; 2+ messages in thread
From: Anuj Mittal @ 2021-04-27 8:16 UTC (permalink / raw)
To: openembedded-core, flowergom
Hello,
Thank you for the patch.
On Tue, 2021-04-27 at 17:07 +0900, Minjae Kim wrote:
> scsi: use-after-free in mptsas_process_scsi_io_request() of mptsas1068
> emulator
This will need your Signed-off-by.
It looks like you are picking an older version of the change from
mailing list. The upstream commit should be backported instead.
Upstream-Status should also be Backport in that case.
https://github.com/qemu/qemu/commit/3791642c8d60029adf9b00bcb4e34d7d8a1aea4d
Thanks,
Anuj
> ---
> meta/recipes-devtools/qemu/qemu.inc | 1 +
> .../qemu/qemu/CVE-2021-3392.patch | 45 +++++++++++++++++++
> 2 files changed, 46 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> devtools/qemu/qemu.inc
> index a625809597..1c4866ec0c 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -31,6 +31,7 @@ SRC_URI = "
> https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://determinism.patch \
>
> file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
> \
> file://CVE-2021-20203.patch \
> + file://CVE-2021-3392.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
> new file mode 100644
> index 0000000000..1c688827db
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
> @@ -0,0 +1,45 @@
> +From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
> +From: Minjae Kim <flowergom@gmail.com>
> +Date: Tue, 27 Apr 2021 02:09:49 +0000
> +Subject: [PATCH] scsi: mptsas: dequeue request object in case of an
> error
> + (CVE-2021-3392)
> +
> +From: Prasad J Pandit <pjp@fedoraproject.org>
> +
> +While processing SCSI i/o requests in
> mptsas_process_scsi_io_request(),
> +the Megaraid emulator appends new MPTSASRequest object 'req' to
> +the 's->pending' queue. In case of an error, this same object gets
> +dequeued in mptsas_free_request() only if SCSIRequest object
> +'req->sreq' is initialised. This may lead to a use-after-free issue.
> +Unconditionally dequeue 'req' object from 's->pending' to avoid it.
> +
> +Fixes: CVE-2021-3392
> +Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
> +Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> +
> +Upstream-Status: Acepted
> +[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
> +CVE: CVE-2021-3392
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + hw/scsi/mptsas.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
> +index f86616544..adff5b0bf 100644
> +--- a/hw/scsi/mptsas.c
> ++++ b/hw/scsi/mptsas.c
> +@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest
> *req)
> + req->sreq->hba_private = NULL;
> + scsi_req_unref(req->sreq);
> + req->sreq = NULL;
> +- QTAILQ_REMOVE(&s->pending, req, next);
> + }
> ++ QTAILQ_REMOVE(&s->pending, req, next);
> + qemu_sglist_destroy(&req->qsg);
> + g_free(req);
> + }
> +--
> +2.17.1
> +
>
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-27 8:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-27 8:07 [hardknott][PATCH] qemu: fix CVE-2021-3392 Minjae Kim
2021-04-27 8:16 ` [OE-core] " Anuj Mittal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.