OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity
4367a20cc4
qemu-e2k/hw/scsi
History
Mauro Matteo Cascella 4367a20cc4 scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout (CVE-2022-0216) 
Set current_req to NULL, not current_req->req, to prevent reusing a free'd
buffer in case of repeated SCSI cancel requests.  Also apply the fix to
CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
the request.

Thanks to Alexander Bulekov for providing a reproducer.

Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-07-13 16:58:57 +02:00
..
emulation.c scsi-generic: avoid invalid access to struct when emulating block limits 2018-11-06 21:35:06 +01:00
esp-pci.c pci: Let pci_dma_rw() take MemTxAttrs argument 2021-12-31 01:05:23 +01:00
esp.c esp: recreate ESPState current_req after migration 2022-03-09 09:29:10 +00:00
Kconfig build: move vhost-scsi configuration to Kconfig 2022-05-07 07:46:58 +02:00
lsi53c895a.c scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout (CVE-2022-0216) 2022-07-13 16:58:57 +02:00
megasas.c include: Move hardware version declarations to new qemu/hw-version.h 2022-02-21 13:30:20 +00:00
meson.build meson: convert hw/scsi 2020-08-21 06:30:28 -04:00
mfi.h Fix 'writeable' typos 2022-06-08 19:38:47 +01:00
mpi.h
mptconfig.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptendian.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptsas.c Remove unnecessary minimum_version_id_old fields 2022-01-28 15:38:23 +01:00
mptsas.h mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) 2021-04-19 15:48:12 +01:00
scsi-bus.c include: Move hardware version declarations to new qemu/hw-version.h 2022-02-21 13:30:20 +00:00
scsi-disk.c block: get rid of blk->guest_block_size 2022-06-24 17:07:06 +02:00
scsi-generic.c block: get rid of blk->guest_block_size 2022-06-24 17:07:06 +02:00
spapr_vscsi.c Trivial: 3 char repeat typos 2022-06-28 11:06:02 +02:00
srp.h
trace-events hw: Fix misleading hexadecimal format 2022-03-24 10:38:42 +00:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-scsi-common.c vhost-scsi: support inflight io track 2020-09-30 19:09:20 +02:00
vhost-scsi.c virtio: add vhost support for virtio devices 2022-05-16 04:38:40 -04:00
vhost-user-scsi.c hw/vhost-user-scsi|blk: set supports_config flag correctly 2022-06-09 19:32:49 -04:00
viosrp.h hw/scsi/spapr_vscsi: Do not mix SRP IU size with DMA buffer size 2020-03-17 15:08:50 +11:00
virtio-scsi-dataplane.c virtio-scsi: don't waste CPU polling the event virtqueue 2022-05-09 10:45:04 +01:00
virtio-scsi.c virtio: drop name parameter for virtio_init() 2022-05-16 04:38:40 -04:00
vmw_pvscsi.c pci: Let ld*_pci_dma() propagate MemTxResult 2021-12-31 01:05:27 +01:00
vmw_pvscsi.h