From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Fam Zheng" <fam@euphon.net>,
"Mauro Matteo Cascella" <mcascell@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
"Michael Tokarev" <mjt@tls.msk.ru>,
"Cheolwoo Myung" <cwmyung@snu.ac.kr>,
"Li Qiang" <liq3ea@gmail.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
qemu-stable <qemu-stable@nongnu.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [PATCH-for-6.0? v3] mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392)
Date: Mon, 19 Apr 2021 19:07:30 +0200 [thread overview]
Message-ID: <9fdc42bd-c9aa-d8e4-a1f2-1c517cddd9b9@redhat.com> (raw)
In-Reply-To: <CAFEAcA-NvHvstggDD=wy_HFcaeQQikWA0M46vS_Jn27=qq1gWw@mail.gmail.com>
On 4/19/21 6:47 PM, Peter Maydell wrote:
> On Mon, 19 Apr 2021 at 14:42, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>>
>> From: Michael Tokarev <mjt@tls.msk.ru>
>>
>> While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
>> the Megaraid emulator appends new MPTSASRequest object 'req' to
>> the 's->pending' queue. In case of an error, this same object gets
>> dequeued in mptsas_free_request() only if SCSIRequest object
>> 'req->sreq' is initialised. This may lead to a use-after-free issue.
>>
>> Since s->pending is actually not used, simply remove it from
>> MPTSASState.
>>
>> Cc: qemu-stable@nongnu.org
>> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
>> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
>> Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
>> Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
>> BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
>> Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
>> [PMD: Reworded description, added more tags]
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> ---
>> v3: Remove now unused variable in mptsas_free_request (pm215)
>>
>> MJT patch:
>> https://www.mail-archive.com/qemu-devel@nongnu.org/msg799236.html
>>
>> Since rc4 is soon, I'm directly respining his patch with my comments
>> addressed.
>>
>> This is not a new regression (present since QEMU v2.6.0) but is a
>> CVE...
>>
>> PJP first patch:
>> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg02660.html
>
> This is clearly-safe and since it's marked as a CVE and we're doing
> rc4 anyway we might as well put it in. Applied to master, thanks.
Thank you!
Phil.
prev parent reply other threads:[~2021-04-19 17:11 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-19 13:42 [PATCH-for-6.0? v3] mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) Philippe Mathieu-Daudé
2021-04-19 16:47 ` Peter Maydell
2021-04-19 17:07 ` Philippe Mathieu-Daudé [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9fdc42bd-c9aa-d8e4-a1f2-1c517cddd9b9@redhat.com \
--to=philmd@redhat.com \
--cc=cwmyung@snu.ac.kr \
--cc=fam@euphon.net \
--cc=liq3ea@gmail.com \
--cc=mcascell@redhat.com \
--cc=mjt@tls.msk.ru \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).