On 4/18/21 7:14 AM, Philippe Mathieu-Daudé wrote:
> On 4/16/21 1:33 PM, Philippe Mathieu-Daudé wrote:
>> Cc'ing maintainers.
>>
>> On 4/16/21 1:27 PM, Philippe Mathieu-Daudé wrote:
>>> On 4/16/21 12:22 PM, Michael Tokarev wrote:
>>>> During previous attempt to fix CVE-2021-3392 it was discovered
>>>> that MPTSASState.pending is actually not used. So instead of
>>>> fixing the prob, just remove the offending code entirely
>>>
>>> What problem?
>
> Digging a bit I found:
> https://bugs.launchpad.net/qemu/+bug/1914236
> and Paolo's comment:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg02660.html
>
> So your patch now makes sense, but please:
>
> 1/ Reword including Prasad description:
>
> """
> While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
> the Megaraid emulator appends new MPTSASRequest object 'req' to
> the 's->pending' queue. In case of an error, this same object gets
> dequeued in mptsas_free_request() only if SCSIRequest object
> 'req->sreq' is initialised. This may lead to a use-after-free issue.
>
> Since MPTSASState.pending is actually not used, simply remove it.
> """
>
> 2/ Add:
>
> BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
> Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")

And:
Reported-by: Cheolwoo Myung <[email protected]>

> With it:
> Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
>
>>>> Signed-off-by: Michael Tokarev <[email protected]>
>>>> Cc: Prasad J Pandit <[email protected]>
>>>> Cc: [email protected]
>>>> ---
>>>>  hw/scsi/mptsas.c | 4 ----
>>>>  hw/scsi/mptsas.h | 1 -
>>>>  2 files changed, 5 deletions(-)
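The request lifecycle that Prasad's description quoted above refers to, modelled as an added example that is not QEMU's code and not part of this thread. The `Req`, `State`, `pending_enqueue`, `pending_remove`, `free_request_buggy` and `free_request_fixed` names are simplified stand-ins for the `MPTSASRequest`, `MPTSASState.pending` and `mptsas_free_request()` pieces the description names; the `linked` flag and the `freed_while_linked` counter are instrumentation added here so the model stays memory-safe while still recording the moment an object would be freed with the queue still pointing at it. The buggy variant dequeues only when `sreq` was initialised, so on the error path (error before `sreq` is set) the object is freed while still queued; the fixed variant mirrors the patch and drops the queue entirely.

```c
/* Added illustration, not QEMU code: a minimal model of a request that is
 * queued on a "pending" list and freed on an error path. */
#include <stdlib.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for QEMU's SCSIRequest; only whether it was created matters. */
typedef struct SCSIRequest { int tag; } SCSIRequest;

/* Simplified request with an intrusive singly-linked "pending" link. */
typedef struct Req {
    SCSIRequest *sreq;   /* NULL until the SCSI layer request is created */
    struct Req *next;
    bool linked;         /* instrumentation: currently on s->pending? */
} Req;

typedef struct State {
    Req *pending;            /* head of the pending queue (buggy variant only) */
    int freed_while_linked;  /* instrumentation: count of dangling-pointer events */
} State;

static void pending_enqueue(State *s, Req *r)
{
    r->next = s->pending;
    s->pending = r;
    r->linked = true;
}

static void pending_remove(State *s, Req *r)
{
    for (Req **pp = &s->pending; *pp; pp = &(*pp)->next) {
        if (*pp == r) {
            *pp = r->next;
            r->linked = false;
            return;
        }
    }
}

/* Buggy pattern from the description: the object is dequeued only when
 * sreq was initialised, so an error before that point frees a queued object. */
static void free_request_buggy(State *s, Req *r)
{
    if (r->sreq) {
        pending_remove(s, r);
        free(r->sreq);
    }
    if (r->linked) {
        /* Real code would now leave s->pending pointing at freed memory.
         * Record the event and unlink so this model never dereferences it. */
        s->freed_while_linked++;
        pending_remove(s, r);
    }
    free(r);
}

/* Fixed pattern, mirroring the patch: no pending queue exists, so nothing
 * retains a pointer to the request once it is freed. */
static void free_request_fixed(State *s, Req *r)
{
    (void)s;
    free(r->sreq);
    free(r);
}

/* Error path: request queued, error hits before sreq is created.
 * Returns how many objects were freed while still queued (1 = bug). */
int run_buggy_error_path(void)
{
    State s = { .pending = NULL, .freed_while_linked = 0 };
    Req *r = calloc(1, sizeof *r);
    pending_enqueue(&s, r);          /* appended while processing the I/O request */
    /* error occurs here: r->sreq stays NULL */
    free_request_buggy(&s, r);
    return s.freed_while_linked;     /* 1 */
}

/* Normal path: sreq created before the request is released; no bug. */
int run_buggy_normal_path(void)
{
    State s = { .pending = NULL, .freed_while_linked = 0 };
    Req *r = calloc(1, sizeof *r);
    pending_enqueue(&s, r);
    r->sreq = calloc(1, sizeof *r->sreq);
    free_request_buggy(&s, r);
    return s.freed_while_linked;     /* 0 */
}

/* Same error path against the fixed variant: nothing is ever queued. */
int run_fixed_error_path(void)
{
    State s = { .pending = NULL, .freed_while_linked = 0 };
    Req *r = calloc(1, sizeof *r);
    free_request_fixed(&s, r);
    return s.freed_while_linked;     /* 0 */
}
```

The point the counter makes is the one the patch relies on: the hazard only exists because a container still holds the pointer at free time, so removing the unused container removes the hazard rather than patching the conditional dequeue.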
