Commit 6c8fa961 authored by Mauro Matteo Cascella's avatar Mauro Matteo Cascella Committed by Paolo Bonzini
Browse files

scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)

Set current_req->req to NULL to prevent reusing a free'd buffer in case of
repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.

Fixes: CVE-2022-0216
Resolves: #972


Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Thomas Huth's avatarThomas Huth <thuth@redhat.com>
Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini's avatarPaolo Bonzini <pbonzini@redhat.com>
parent 170ed475
......@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
case 0x0d:
/* The ABORT TAG message clears the current I/O process only. */
trace_lsi_do_msgout_abort(current_tag);
if (current_req) {
if (current_req && current_req->req) {
scsi_req_cancel(current_req->req);
current_req->req = NULL;
}
lsi_disconnect(s);
break;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment