diff options
author | Anuj Mittal <anuj.mittal@intel.com> | 2021-05-05 10:37:43 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-06 08:41:26 +0100 |
commit | db4d9619aa881e8c1b34cc2b77da86ad2fdfe990 (patch) | |
tree | aeaf2c583d1a32273dd1de47f54ab7834eaa310c /meta/recipes-devtools/qemu | |
parent | 0a0c83d083a24c0741858e3321ff4e78c378bb87 (diff) | |
download | poky-db4d9619aa881e8c1b34cc2b77da86ad2fdfe990.tar.gz |
Revert "qemu: fix CVE-2021-3392"
This reverts commit 5e8e08df8b5d0040ad911d3c51f63e7fec1858b4.
This is an incomplete fix.
(From OE-Core rev: 2e7494cd388c5d03a95d8a54d6231e7fe7fd46ef)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch | 45 |
2 files changed, 0 insertions, 46 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 486f404668..810d8b7c8a 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -54,7 +54,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
54 | file://CVE-2021-3416_9.patch \ | 54 | file://CVE-2021-3416_9.patch \ |
55 | file://CVE-2021-3416_10.patch \ | 55 | file://CVE-2021-3416_10.patch \ |
56 | file://CVE-2021-20257.patch \ | 56 | file://CVE-2021-20257.patch \ |
57 | file://CVE-2021-3392.patch \ | ||
58 | file://CVE-2020-27821.patch \ | 57 | file://CVE-2020-27821.patch \ |
59 | file://CVE-2021-20263.patch \ | 58 | file://CVE-2021-20263.patch \ |
60 | " | 59 | " |
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch deleted file mode 100644 index 1c688827db..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001 | ||
2 | From: Minjae Kim <flowergom@gmail.com> | ||
3 | Date: Tue, 27 Apr 2021 02:09:49 +0000 | ||
4 | Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error | ||
5 | (CVE-2021-3392) | ||
6 | |||
7 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
8 | |||
9 | While processing SCSI i/o requests in mptsas_process_scsi_io_request(), | ||
10 | the Megaraid emulator appends new MPTSASRequest object 'req' to | ||
11 | the 's->pending' queue. In case of an error, this same object gets | ||
12 | dequeued in mptsas_free_request() only if SCSIRequest object | ||
13 | 'req->sreq' is initialised. This may lead to a use-after-free issue. | ||
14 | Unconditionally dequeue 'req' object from 's->pending' to avoid it. | ||
15 | |||
16 | Fixes: CVE-2021-3392 | ||
17 | Buglink: https://bugs.launchpad.net/qemu/+bug/1914236 | ||
18 | Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr> | ||
19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
20 | |||
21 | Upstream-Status: Acepted | ||
22 | [https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html] | ||
23 | CVE: CVE-2021-3392 | ||
24 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
25 | --- | ||
26 | hw/scsi/mptsas.c | 2 +- | ||
27 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
28 | |||
29 | diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c | ||
30 | index f86616544..adff5b0bf 100644 | ||
31 | --- a/hw/scsi/mptsas.c | ||
32 | +++ b/hw/scsi/mptsas.c | ||
33 | @@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req) | ||
34 | req->sreq->hba_private = NULL; | ||
35 | scsi_req_unref(req->sreq); | ||
36 | req->sreq = NULL; | ||
37 | - QTAILQ_REMOVE(&s->pending, req, next); | ||
38 | } | ||
39 | + QTAILQ_REMOVE(&s->pending, req, next); | ||
40 | qemu_sglist_destroy(&req->qsg); | ||
41 | g_free(req); | ||
42 | } | ||
43 | -- | ||
44 | 2.17.1 | ||
45 | |||