xemu-project/xemu
1
0
Fork 0
mirror of https://github.com/xemu-project/xemu.git synced 2024-11-30 15:00:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3791642c8d
xemu/hw
History
Michael Tokarev 3791642c8d mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) 
While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
the Megaraid emulator appends new MPTSASRequest object 'req' to
the 's->pending' queue. In case of an error, this same object gets
dequeued in mptsas_free_request() only if SCSIRequest object
'req->sreq' is initialised. This may lead to a use-after-free issue.

Since s->pending is actually not used, simply remove it from
MPTSASState.

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Message-id: 20210419134247.1467982-1-f4bug@amsat.org
Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
Fixes: e351b82611 ("hw: Add support for LSI SAS1068 (mptsas) device")
[PMD: Reworded description, added more tags]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-04-19 15:48:12 +01:00
..
9pfs hw/9pfs/9p-synth: Replaced qemu_mutex_lock with QEMU_LOCK_GUARD 2021-03-16 11:41:49 +01:00
acpi acpi/piix4: reinitialize acpi PM device on reset 2021-04-01 12:19:52 -04:00
adc clock: Add ClockEvent parameter to callbacks 2021-03-08 17:20:01 +00:00
alpha
arm hw/arm/armsse: Make SSE-300 use Cortex-M55 2021-04-17 18:47:11 +01:00
audio hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
avr hw/avr/arduino: List board schematic links 2021-03-15 00:39:52 +01:00
block hw/block/nvme: drain namespaces on sq deletion 2021-04-12 08:55:23 +02:00
char s390x: css: report errors from ccw_dstream_read/write 2021-04-09 10:52:13 +02:00
core target-arm queue: 2021-04-06 16:04:33 +01:00
cpu cpu/core: Fix "help" of CPU core device types 2021-04-09 16:05:16 -04:00
cris hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
display hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize() 2021-03-30 14:05:33 +01:00
dma target-arm queue: 2021-03-10 13:57:31 +00:00
gpio hw: gpio: implement gpio-pwr driver for qemu reset/poweroff 2021-01-29 10:47:28 +00:00
hppa
hyperv
i2c hw/i2c/npcm7xx_smbus: Simplify npcm7xx_smbus_init() 2021-03-05 15:17:34 +00:00
i386 acpi: Move setters/getters of oem fields to X86MachineState 2021-03-22 18:58:19 -04:00
ide hw/ide: remove 'ide-drive' device 2021-03-18 09:22:55 +00:00
input
intc * fixes for i386 TCG paging 2021-03-19 18:01:17 +00:00
ipack
ipmi
isa hw/isa/piix4: Migrate Reset Control Register 2021-04-13 12:06:59 +02:00
lm32 hw/lm32/Kconfig: Have MILKYMIST select LM32_DEVICES 2021-03-09 22:37:08 +01:00
m68k m68k: add Virtual M68k Machine 2021-03-15 21:03:06 +01:00
mem memory: add a sparse memory device for fuzzing 2021-03-16 14:30:30 -04:00
microblaze hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
mips hw/mips/gt64xxx: Trace accesses to ISD registers 2021-03-13 20:29:36 +01:00
misc hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
moxie
net Revert "net: Move NetClientState.info_str to dynamic allocations" 2021-04-08 17:33:59 +08:00
nios2
nubus
nvram sysemu: Let VMChangeStateHandler take boolean 'running' argument 2021-03-09 23:13:57 +01:00
openrisc
pci virtio-pci: compat page aligned ATS 2021-04-06 07:11:36 -04:00
pci-bridge
pci-host hw/pci-host: Introduce SH_PCI Kconfig entry 2021-03-06 16:18:42 +01:00
pcmcia
ppc spapr.c: always pulse guest IRQ in spapr_core_unplug_request() 2021-04-12 12:27:14 +10:00
rdma pvrdma: wean code off pvrdma_ring.h kernel header 2021-03-15 16:41:22 +08:00
remote multi-process: perform device reset in the remote process 2021-02-10 09:23:28 +00:00
riscv hw/riscv: microchip_pfsoc: Map EMMC/SD mux register 2021-03-22 21:54:40 -04:00
rtc goldfish_rtc: re-arm the alarm after migration 2021-03-04 09:43:29 -05:00
rx qtest: delete superfluous inclusions of qtest.h 2021-03-09 06:03:53 +01:00
s390x s390x: css: report errors from ccw_dstream_read/write 2021-04-09 10:52:13 +02:00
scsi mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) 2021-04-19 15:48:12 +01:00
sd hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed 2021-03-22 16:56:22 +01:00
sh4 hw/sh4/sh7750_regs: Replace link to license by its full content 2021-03-06 16:19:03 +01:00
smbios
sparc hw: Replace anti-social QOM type names 2021-03-19 15:18:43 +01:00
sparc64 hw/ide: remove 'ide-drive' device 2021-03-18 09:22:55 +00:00
ssi hw/ssi: xilinx_spips: Remove DMA related dead codes from zynqmp_spips 2021-03-10 13:54:51 +00:00
timer hw/timer/renesas_tmr: Add default-case asserts in read_tcnt() 2021-03-30 14:05:34 +01:00
tpm tpm: put some tpm devices into the correct category 2021-02-20 12:36:19 +01:00
tricore tricore: added triboard with tc27x_soc 2021-03-14 14:41:55 +01:00
unicore32
usb hw/usb/hcd-ehci: Fix crash when showing help of EHCI devices 2021-03-26 11:10:49 +01:00
vfio vfio/migrate: Move switch of dirty tracking into vfio_memory_listener 2021-03-16 10:06:44 -06:00
virtio vhost-user-fs: fix features handling 2021-04-13 16:13:41 +01:00
watchdog clock: Add ClockEvent parameter to callbacks 2021-03-08 17:20:01 +00:00
xen pci: add romsize property 2021-02-05 08:52:58 -05:00
xenpv
xtensa
Kconfig semihosting: Move hw/semihosting/ -> semihosting/ 2021-03-10 15:34:12 +00:00
meson.build semihosting: Move hw/semihosting/ -> semihosting/ 2021-03-10 15:34:12 +00:00