scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)

Set current_req->req to NULL to prevent reusing a free'd buffer in case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. Fixes: CVE-2022-0216 Resolves: #972 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
Set current_req->req to NULL to prevent reusing a free'd buffer in case of repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. Fixes: CVE-2022-0216 Resolves: #972 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
6c8fa961 · Mauro Matteo Cascella · Paolo Bonzini · 170ed475 · 6c8fa961
Commit 6c8fa961 authored Jul 05, 2022 by Mauro Matteo Cascella Committed by Paolo Bonzini Jul 06, 2022
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
        case 0x0d:
            /* The ABORT TAG message clears the current I/O process only. */
            trace_lsi_do_msgout_abort(current_tag);
-            if (current_req) {
+            if (current_req && current_req->req) {
                scsi_req_cancel(current_req->req);
+                current_req->req = NULL;
            }
            lsi_disconnect(s);
            break;