2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 46b784241e..062d7907cf 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3416_9.patch \
           file://CVE-2021-3416_10.patch \
           file://CVE-2021-20257.patch \
+           file://CVE-2021-3392.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000000..1c688827db
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,45 @@
+From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Tue, 27 Apr 2021 02:09:49 +0000
+Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
+ (CVE-2021-3392)
+From: Prasad J Pandit <pjp@fedoraproject.org>
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+Unconditionally dequeue 'req' object from 's->pending' to avoid it.
+Fixes: CVE-2021-3392
+Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Upstream-Status: Acepted
+[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
+CVE: CVE-2021-3392
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index f86616544..adff5b0bf 100644
+--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
+@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
+         req->sreq->hba_private = NULL;
+         scsi_req_unref(req->sreq);
+         req->sreq = NULL;
+-        QTAILQ_REMOVE(&s->pending, req, next);
+     }
+    QTAILQ_REMOVE(&s->pending, req, next);
+     qemu_sglist_destroy(&req->qsg);
+     g_free(req);
+ }
+-- 
+2.17.1

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 46b784241e..062d7907cf 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -54,6 +54,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
54	file://CVE-2021-3416_9.patch \	54	file://CVE-2021-3416_9.patch \
55	file://CVE-2021-3416_10.patch \	55	file://CVE-2021-3416_10.patch \
56	file://CVE-2021-20257.patch \	56	file://CVE-2021-20257.patch \
		57	file://CVE-2021-3392.patch \
57	"	58	"
58	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	59	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
59		60


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch new file mode 100644 index 0000000000..1c688827db --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,45 @@
		1	From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001
		2	From: Minjae Kim <flowergom@gmail.com>
		3	Date: Tue, 27 Apr 2021 02:09:49 +0000
		4	Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error
		5	(CVE-2021-3392)
		6
		7	From: Prasad J Pandit <pjp@fedoraproject.org>
		8
		9	While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
		10	the Megaraid emulator appends new MPTSASRequest object 'req' to
		11	the 's->pending' queue. In case of an error, this same object gets
		12	dequeued in mptsas_free_request() only if SCSIRequest object
		13	'req->sreq' is initialised. This may lead to a use-after-free issue.
		14	Unconditionally dequeue 'req' object from 's->pending' to avoid it.
		15
		16	Fixes: CVE-2021-3392
		17	Buglink: https://bugs.launchpad.net/qemu/+bug/1914236
		18	Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
		19	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		20
		21	Upstream-Status: Acepted
		22	[https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html]
		23	CVE: CVE-2021-3392
		24	Signed-off-by: Minjae Kim <flowergom@gmail.com>
		25	---
		26	hw/scsi/mptsas.c \| 2 +-
		27	1 file changed, 1 insertion(+), 1 deletion(-)
		28
		29	diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
		30	index f86616544..adff5b0bf 100644
		31	--- a/hw/scsi/mptsas.c
		32	+++ b/hw/scsi/mptsas.c
		33	@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
		34	req->sreq->hba_private = NULL;
		35	scsi_req_unref(req->sreq);
		36	req->sreq = NULL;
		37	- QTAILQ_REMOVE(&s->pending, req, next);
		38	}
		39	+ QTAILQ_REMOVE(&s->pending, req, next);
		40	qemu_sglist_destroy(&req->qsg);
		41	g_free(req);
		42	}
		43	--
		44	2.17.1
		45