3 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 44d4c9ca2f..a493ac8add 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2021-3929.patch \
           file://CVE-2021-4158.patch \
           file://CVE-2022-0358.patch \
+           file://CVE-2022-0216_1.patch \
+           file://CVE-2022-0216_2.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
new file mode 100644
index 0000000000..de7458fc72
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
@@ -0,0 +1,42 @@
+From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
+CVE: CVE-2022-0216
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 85e907a78..8033cf050 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
+         case 0x0d:
+             /* The ABORT TAG message clears the current I/O process only. */
+             trace_lsi_do_msgout_abort(current_tag);
+-            if (current_req) {
+            if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+                current_req->req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+-- 
+2.33.0
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
new file mode 100644
index 0000000000..12f5a602da
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
@@ -0,0 +1,52 @@
+From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
+ lsi_do_msgout (CVE-2022-0216)
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests.  Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+Thanks to Alexander Bulekov for providing a reproducer.
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
+CVE: CVE-2022-0216
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 8033cf050..fbe3fa3dd 100644
+--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
+@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s)
+             trace_lsi_do_msgout_abort(current_tag);
+             if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+-                current_req->req = NULL;
+                current_req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s)
+             /* clear the current I/O process */
+             if (s->current) {
+                 scsi_req_cancel(s->current->req);
+                current_req = NULL;
+             }
+ 
+             /* As the current implemented devices scsi_disk and scsi_generic
+-- 
+2.33.0

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 44d4c9ca2f..a493ac8add 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
41	file://CVE-2021-3929.patch \	41	file://CVE-2021-3929.patch \
42	file://CVE-2021-4158.patch \	42	file://CVE-2021-4158.patch \
43	file://CVE-2022-0358.patch \	43	file://CVE-2022-0358.patch \
		44	file://CVE-2022-0216_1.patch \
		45	file://CVE-2022-0216_2.patch \
44	"	46	"
45	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	47	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
46		48


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch new file mode 100644 index 0000000000..de7458fc72 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch
@@ -0,0 +1,42 @@
		1	From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001
		2	From: Mauro Matteo Cascella <mcascell@redhat.com>
		3	Date: Tue, 5 Jul 2022 22:05:43 +0200
		4	Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
		5	(CVE-2022-0216)
		6
		7	Set current_req->req to NULL to prevent reusing a free'd buffer in case of
		8	repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
		9
		10	Fixes: CVE-2022-0216
		11	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
		12	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
		13	Reviewed-by: Thomas Huth <thuth@redhat.com>
		14	Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
		15	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		16
		17	Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
		18	CVE: CVE-2022-0216
		19
		20	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		21	---
		22	hw/scsi/lsi53c895a.c \| 3 ++-
		23	1 file changed, 2 insertions(+), 1 deletion(-)
		24
		25	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
		26	index 85e907a78..8033cf050 100644
		27	--- a/hw/scsi/lsi53c895a.c
		28	+++ b/hw/scsi/lsi53c895a.c
		29	@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s)
		30	case 0x0d:
		31	/* The ABORT TAG message clears the current I/O process only. */
		32	trace_lsi_do_msgout_abort(current_tag);
		33	- if (current_req) {
		34	+ if (current_req && current_req->req) {
		35	scsi_req_cancel(current_req->req);
		36	+ current_req->req = NULL;
		37	}
		38	lsi_disconnect(s);
		39	break;
		40	--
		41	2.33.0
		42


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch new file mode 100644 index 0000000000..12f5a602da --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch
@@ -0,0 +1,52 @@
		1	From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001
		2	From: Mauro Matteo Cascella <mcascell@redhat.com>
		3	Date: Mon, 11 Jul 2022 14:33:16 +0200
		4	Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
		5	lsi_do_msgout (CVE-2022-0216)
		6
		7	Set current_req to NULL, not current_req->req, to prevent reusing a free'd
		8	buffer in case of repeated SCSI cancel requests. Also apply the fix to
		9	CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
		10	the request.
		11
		12	Thanks to Alexander Bulekov for providing a reproducer.
		13
		14	Fixes: CVE-2022-0216
		15	Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
		16	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
		17	Tested-by: Alexander Bulekov <alxndr@bu.edu>
		18	Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
		19	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
		20
		21	Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
		22	CVE: CVE-2022-0216
		23
		24	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
		25	---
		26	hw/scsi/lsi53c895a.c \| 3 ++-
		27	1 file changed, 2 insertions(+), 1 deletion(-)
		28
		29	diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
		30	index 8033cf050..fbe3fa3dd 100644
		31	--- a/hw/scsi/lsi53c895a.c
		32	+++ b/hw/scsi/lsi53c895a.c
		33	@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s)
		34	trace_lsi_do_msgout_abort(current_tag);
		35	if (current_req && current_req->req) {
		36	scsi_req_cancel(current_req->req);
		37	- current_req->req = NULL;
		38	+ current_req = NULL;
		39	}
		40	lsi_disconnect(s);
		41	break;
		42	@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s)
		43	/* clear the current I/O process */
		44	if (s->current) {
		45	scsi_req_cancel(s->current->req);
		46	+ current_req = NULL;
		47	}
		48
		49	/* As the current implemented devices scsi_disk and scsi_generic
		50	--
		51	2.33.0
		52