Backport of: From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001 From: Mark Cave-Ayland Date: Wed, 7 Apr 2021 20:57:55 +0100 Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit When about to execute a SCSI command, ensure that cmdfifo is not empty and current_dev is non-NULL. This can happen if the guest tries to execute a TI (Transfer Information) command without issuing one of the select commands first. Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daudé Tested-by: Alexander Bulekov Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> CVE: CVE-2020-35505 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ] Signed-off-by: Chee Yang Lee Signed-off-by: Emily Vekariya --- hw/scsi/esp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index c7d701bf..c2a67bc8 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) trace_esp_do_busid_cmd(busid); lun = busid & 7; + + if (!s->current_dev) { + return; + } current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); datalen = scsi_req_enqueue(s->current_req);