scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
Set current_req->req to NULL to prevent reusing a free'd buffer in case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. Fixes: CVE-2022-0216 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent
170ed475cd
commit
6c8fa961da
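--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
 case 0x0d:
 /* The ABORT TAG message clears the current I/O process only. */
 trace_lsi_do_msgout_abort(current_tag);
-if (current_req) {
+if (current_req && current_req->req) {
 scsi_req_cancel(current_req->req);
+current_req->req = NULL;
 }
 lsi_disconnect(s);
 break;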
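Review bot: The added `current_req->req = NULL;` is executed after `scsi_req_cancel(current_req->req)`, so if the cancel completes synchronously and the bus's cancel callback frees the lsi_request that current_req points to (the callback is outside this hunk, but that is the lifetime the original use-after-free implies), the store lands in freed memory and the guard on the next message-out byte still dereferences the same dangling pointer. A form that does not touch the object after cancelling it is to drop the pointer instead of a field of it: `if (current_req) { scsi_req_cancel(current_req->req); current_req = NULL; }` — the added `&& current_req->req` in the condition then becomes unnecessary. If the ABORT (0x06) and BUS DEVICE RESET (0x0c) arms of this switch also cancel current_req->req, they need the same treatment, since a guest can send them after an ABORT TAG within the same message-out sequence; those arms are not visible here. lsi_do_msgout starts and ends outside the hunk.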