summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc1
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch45
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 46b784241e..062d7907cf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
54 file://CVE-2021-3416_9.patch \ 54 file://CVE-2021-3416_9.patch \
55 file://CVE-2021-3416_10.patch \ 55 file://CVE-2021-3416_10.patch \
56 file://CVE-2021-20257.patch \ 56 file://CVE-2021-20257.patch \
57 file://CVE-2021-3392.patch \
57 " 58 "
58UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 59UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
59 60
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000000..1c688827db
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,45 @@
1From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
2From: Minjae Kim <flowergom@gmail.com>
3Date: Tue, 27 Apr 2021 02:09:49 +0000
4Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
5 (CVE-2021-3392)
6
7From: Prasad J Pandit <pjp@fedoraproject.org>
8
9While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
10the Megaraid emulator appends new MPTSASRequest object 'req' to
11the 's->pending' queue. In case of an error, this same object gets
12dequeued in mptsas_free_request() only if SCSIRequest object
13'req->sreq' is initialised. This may lead to a use-after-free issue.
14Unconditionally dequeue 'req' object from 's->pending' to avoid it.
15
16Fixes: CVE-2021-3392
17Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
18Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
19Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
20
21Upstream-Status: Acepted
22[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
23CVE: CVE-2021-3392
24Signed-off-by: Minjae Kim <flowergom@gmail.com>
25---
26 hw/scsi/mptsas.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
30index f86616544..adff5b0bf 100644
31--- a/hw/scsi/mptsas.c
32+++ b/hw/scsi/mptsas.c
33@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
34 req->sreq->hba_private = NULL;
35 scsi_req_unref(req->sreq);
36 req->sreq = NULL;
37- QTAILQ_REMOVE(&s->pending, req, next);
38 }
39+ QTAILQ_REMOVE(&s->pending, req, next);
40 qemu_sglist_destroy(&req->qsg);
41 g_free(req);
42 }
43--
442.17.1
45