Re: [PATCH-for-6.0? v3] mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392)

[Philippe Mathieu-Daudé]

On 4/19/21 6:47 PM, Peter Maydell wrote:
> On Mon, 19 Apr 2021 at 14:42, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>>
>> From: Michael Tokarev <mjt@tls.msk.ru>
>>
>> While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
>> the Megaraid emulator appends new MPTSASRequest object 'req' to
>> the 's->pending' queue. In case of an error, this same object gets
>> dequeued in mptsas_free_request() only if SCSIRequest object
>> 'req->sreq' is initialised. This may lead to a use-after-free issue.
>>
>> Since s->pending is actually not used, simply remove it from
>> MPTSASState.
>>
>> Cc: qemu-stable@nongnu.org
>> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
>> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
>> Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
>> Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
>> BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
>> Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
>> [PMD: Reworded description, added more tags]
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>> ---
>> v3: Remove now unused variable in mptsas_free_request (pm215)
>>
>> MJT patch:
>> https://www.mail-archive.com/qemu-devel@nongnu.org/msg799236.html
>>
>> Since rc4 is soon, I'm directly respining his patch with my comments
>> addressed.
>>
>> This is not a new regression (present since QEMU v2.6.0) but is a
>> CVE...
>>
>> PJP first patch:
>> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg02660.html
> 
> This is clearly-safe and since it's marked as a CVE and we're doing
> rc4 anyway we might as well put it in. Applied to master, thanks.

Thank you!

Phil.