Revert "qemu: fix CVE-2021-3392"

This reverts commit 5e8e08df8b5d0040ad911d3c51f63e7fec1858b4. This is an incomplete fix. (From OE-Core rev: 2e7494cd388c5d03a95d8a54d6231e7fe7fd46ef) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2021-05-05 10:37:43 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-06 08:41:26 +0100
commit: db4d9619aa881e8c1b34cc2b77da86ad2fdfe990 (patch)
tree: aeaf2c583d1a32273dd1de47f54ab7834eaa310c /meta/recipes-devtools/qemu
parent: 0a0c83d083a24c0741858e3321ff4e78c378bb87 (diff)
download: poky-db4d9619aa881e8c1b34cc2b77da86ad2fdfe990.tar.gz
2 files changed, 0 insertions, 46 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 486f404668..810d8b7c8a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,7 +54,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3416_9.patch \
           file://CVE-2021-3416_10.patch \
           file://CVE-2021-20257.patch \
-           file://CVE-2021-3392.patch \
           file://CVE-2020-27821.patch \
           file://CVE-2021-20263.patch \
           "
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
deleted file mode 100644
index 1c688827db..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
-From: Minjae Kim <flowergom@gmail.com>
-Date: Tue, 27 Apr 2021 02:09:49 +0000
-Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
- (CVE-2021-3392)
-From: Prasad J Pandit <pjp@fedoraproject.org>
-While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
-the Megaraid emulator appends new MPTSASRequest object 'req' to
-the 's->pending' queue. In case of an error, this same object gets
-dequeued in mptsas_free_request() only if SCSIRequest object
-'req->sreq' is initialised. This may lead to a use-after-free issue.
-Unconditionally dequeue 'req' object from 's->pending' to avoid it.
-Fixes: CVE-2021-3392
-Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Upstream-Status: Acepted
-[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
-CVE: CVE-2021-3392
-Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
- hw/scsi/mptsas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index f86616544..adff5b0bf 100644
--- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
-         req->sreq->hba_private = NULL;
-         scsi_req_unref(req->sreq);
-         req->sreq = NULL;
-        QTAILQ_REMOVE(&s->pending, req, next);
-     }
-+    QTAILQ_REMOVE(&s->pending, req, next);
-     qemu_sglist_destroy(&req->qsg);
-     g_free(req);
- }
-- 
-2.17.1
author	Anuj Mittal <anuj.mittal@intel.com>	2021-05-05 10:37:43 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-06 08:41:26 +0100
commit	db4d9619aa881e8c1b34cc2b77da86ad2fdfe990 (patch)
tree	aeaf2c583d1a32273dd1de47f54ab7834eaa310c /meta/recipes-devtools/qemu
parent	0a0c83d083a24c0741858e3321ff4e78c378bb87 (diff)
download	poky-db4d9619aa881e8c1b34cc2b77da86ad2fdfe990.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 486f404668..810d8b7c8a 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,7 +54,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
54	file://CVE-2021-3416_9.patch \	54	file://CVE-2021-3416_9.patch \
55	file://CVE-2021-3416_10.patch \	55	file://CVE-2021-3416_10.patch \
56	file://CVE-2021-20257.patch \	56	file://CVE-2021-20257.patch \
57	file://CVE-2021-3392.patch \
58	file://CVE-2020-27821.patch \	57	file://CVE-2020-27821.patch \
59	file://CVE-2021-20263.patch \	58	file://CVE-2021-20263.patch \
60	"	59	"


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch deleted file mode 100644 index 1c688827db..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch +++ /dev/null
@@ -1,45 +0,0 @@
1	From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
2	From: Minjae Kim <flowergom@gmail.com>
3	Date: Tue, 27 Apr 2021 02:09:49 +0000
4	Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
5	(CVE-2021-3392)
6
7	From: Prasad J Pandit <pjp@fedoraproject.org>
8
9	While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
10	the Megaraid emulator appends new MPTSASRequest object 'req' to
11	the 's->pending' queue. In case of an error, this same object gets
12	dequeued in mptsas_free_request() only if SCSIRequest object
13	'req->sreq' is initialised. This may lead to a use-after-free issue.
14	Unconditionally dequeue 'req' object from 's->pending' to avoid it.
15
16	Fixes: CVE-2021-3392
17	Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
18	Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
19	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
20
21	Upstream-Status: Acepted
22	[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
23	CVE: CVE-2021-3392
24	Signed-off-by: Minjae Kim <flowergom@gmail.com>
25	---
26	hw/scsi/mptsas.c \| 2 +-
27	1 file changed, 1 insertion(+), 1 deletion(-)
28
29	diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
30	index f86616544..adff5b0bf 100644
31	--- a/hw/scsi/mptsas.c
32	+++ b/hw/scsi/mptsas.c
33	@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
34	req->sreq->hba_private = NULL;
35	scsi_req_unref(req->sreq);
36	req->sreq = NULL;
37	- QTAILQ_REMOVE(&s->pending, req, next);
38	}
39	+ QTAILQ_REMOVE(&s->pending, req, next);
40	qemu_sglist_destroy(&req->qsg);
41	g_free(req);
42	}
43	--
44	2.17.1
45