1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
new file mode 100644
index 0000000000..137906cd30
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests.  Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+Thanks to Alexander Bulekov for providing a reproducer.
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c               |  3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+             trace_lsi_do_msgout_abort(current_tag);
+             if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+-                current_req->req = NULL;
+                current_req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+             /* clear the current I/O process */
+             if (s->current) {
+                 scsi_req_cancel(s->current->req);
+                current_req = NULL;
+             }
+ 
+             /* As the current implemented devices scsi_disk and scsi_generic
+-- 
+GitLab

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch new file mode 100644 index 0000000000..137906cd30 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
	1	From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
	2	From: Mauro Matteo Cascella <mcascell@redhat.com>
	3	Date: Mon, 11 Jul 2022 14:33:16 +0200
	4	Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
	5	(CVE-2022-0216)
	6
	7	Set current_req to NULL, not current_req->req, to prevent reusing a free'd
	8	buffer in case of repeated SCSI cancel requests. Also apply the fix to
	9	CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
	10	the request.
	11
	12	Thanks to Alexander Bulekov for providing a reproducer.
	13
	14	Fixes: CVE-2022-0216
	15	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
	16	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
	17	Tested-by: Alexander Bulekov <alxndr@bu.edu>
	18	Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
	19	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	20
	21	https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
	22	CVE: CVE-2022-0216
	23	Upstream-Status: Backport
	24	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	25	---
	26	hw/scsi/lsi53c895a.c \| 3 +-
	27	1 files changed, 2 insertions(+), 1 deletion(-)
	28
	29	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
	30	index 99ea42d49b..ad5f5e5f39 100644
	31	--- a/hw/scsi/lsi53c895a.c
	32	+++ b/hw/scsi/lsi53c895a.c
	33	@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
	34	trace_lsi_do_msgout_abort(current_tag);
	35	if (current_req && current_req->req) {
	36	scsi_req_cancel(current_req->req);
	37	- current_req->req = NULL;
	38	+ current_req = NULL;
	39	}
	40	lsi_disconnect(s);
	41	break;
	42	@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
	43	/* clear the current I/O process */
	44	if (s->current) {
	45	scsi_req_cancel(s->current->req);
	46	+ current_req = NULL;
	47	}
	48
	49	/* As the current implemented devices scsi_disk and scsi_generic
	50	--
	51	GitLab
	52