!639 fix CVE-2022-0216 (openeuler !333)

From: @bobychen 
Reviewed-by: @yezengruan 
Signed-off-by: @yezengruan

hw-scsi-lsi53c895a-Do-not-abort-when-DMA-requested-a.patch

@@ -0,0 +1,71 @@
+From 35ddae3c3a4231d33f162c67efbcbf0cb57892ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Tue, 23 Nov 2021 12:17:31 +0100
+Subject: [PATCH 1/3] hw/scsi/lsi53c895a: Do not abort when DMA requested and
+ no data queued
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If asked for DMA request and no data is available, simply wait
+for data to be queued, do not abort. This fixes:
+
+  $ cat << EOF | \
+    qemu-system-i386 -nographic -M q35,accel=qtest -serial none \
+      -monitor none -qtest stdio -trace lsi* \
+      -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
+      -device lsi53c895a,id=scsi0 -device scsi-hd,drive=drive0,bus=scsi0.0,channel=0,scsi-id=0,lun=0
+  lsi_reset Reset
+  lsi_reg_write Write reg DSP2 0x2e = 0xff
+  lsi_reg_write Write reg DSP3 0x2f = 0xff
+  lsi_execute_script SCRIPTS dsp=0xffff0000 opcode 0x184a3900 arg 0x4a8b2d75
+  qemu-system-i386: hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed.
+
+  (gdb) bt
+  #5  0x00007ffff4e8a3a6 in __GI___assert_fail
+      (assertion=0x5555560accbc "s->current", file=0x5555560acc28 "hw/scsi/lsi53c895a.c", line=624, function=0x5555560adb18 "lsi_do_dma") at assert.c:101
+  #6  0x0000555555aa33b9 in lsi_do_dma (s=0x555557805ac0, out=1) at hw/scsi/lsi53c895a.c:624
+  #7  0x0000555555aa5042 in lsi_execute_script (s=0x555557805ac0) at hw/scsi/lsi53c895a.c:1250
+  #8  0x0000555555aa757a in lsi_reg_writeb (s=0x555557805ac0, offset=47, val=255 '\377') at hw/scsi/lsi53c895a.c:1984
+  #9  0x0000555555aa875b in lsi_mmio_write (opaque=0x555557805ac0, addr=47, val=255, size=1) at hw/scsi/lsi53c895a.c:2095
+
+Cc: qemu-stable@nongnu.org
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Vadim Rozenfeld <vrozenfe@redhat.com>
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Reported-by: Jérôme Poulin <jeromepoulin@gmail.com>
+Reported-by: Ruhr-University <bugs-syssec@rub.de>
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Fixes: b96a0da06bd ("lsi: move dma_len+dma_buf into lsi_request")
+BugLink: https://bugs.launchpad.net/qemu/+bug/697510
+BugLink: https://bugs.launchpad.net/qemu/+bug/1905521
+BugLink: https://bugs.launchpad.net/qemu/+bug/1908515
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/84
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/305
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/552
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Laurent Vivier <lvivier@redhat.com>
+Message-Id: <20211123111732.83137-2-philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/lsi53c895a.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 72f7b59ab5..7bbaefaba0 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -620,8 +620,7 @@ static void lsi_do_dma(LSIState *s, int out)
+     dma_addr_t addr;
+     SCSIDevice *dev;
+ 
+-    assert(s->current);
+-    if (!s->current->dma_len) {
++    if (!s->current || !s->current->dma_len) {
+         /* Wait until data is available.  */
+         trace_lsi_do_dma_unavailable();
+         return;
+-- 
+2.27.0
+

qemu.spec

@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 72
+Release: 73
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -372,6 +372,9 @@ Patch0359: net-dump.c-Suppress-spurious-compiler-warning.patch
 Patch0360: tests-Replace-deprecated-ASN1-code.patch
 Patch0361: hw-block-fdc-Prevent-end-of-track-overrun-CVE-2021-3.patch
 Patch0362: softmmu-Always-initialize-xlat-in-address_space_tran.patch
+Patch0363: hw-scsi-lsi53c895a-Do-not-abort-when-DMA-requested-a.patch
+Patch0364: scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout-.patch
+Patch0365: scsi-lsi53c895a-really-fix-use-after-free-in-lsi_do_.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -772,6 +775,11 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Aug 30 2022 yezengruan <yezengruan@huawei.com>
+- hw/scsi/lsi53c895a: Do not abort when DMA requested and no data queued
+- scsi/lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216)
+- scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout (CVE-2022-0216)
+
 * Thu Aug 25 2022 yezengruan <yezengruan@huawei.com>
 - Provides qemu-kvm for upgrade
 

scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout-.patch

@@ -0,0 +1,37 @@
+From 5588ea3eb3d82faa4a99a7328252aa2bb406af28 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH 2/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 7bbaefaba0..16c4726dcc 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1027,8 +1027,9 @@ static void lsi_do_msgout(LSIState *s)
+         case 0x0d:
+             /* The ABORT TAG message clears the current I/O process only. */
+             trace_lsi_do_msgout_abort(current_tag);
+-            if (current_req) {
++            if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
++                current_req->req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+-- 
+2.27.0
+

scsi-lsi53c895a-really-fix-use-after-free-in-lsi_do_.patch

@@ -0,0 +1,47 @@
+From 13136d9656dd738b6e555cad696e4a058f8f0a2b Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in
+ lsi_do_msgout (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests.  Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 16c4726dcc..88bccf2b4c 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1029,7 +1029,7 @@ static void lsi_do_msgout(LSIState *s)
+             trace_lsi_do_msgout_abort(current_tag);
+             if (current_req && current_req->req) {
+                 scsi_req_cancel(current_req->req);
+-                current_req->req = NULL;
++                current_req = NULL;
+             }
+             lsi_disconnect(s);
+             break;
+@@ -1055,6 +1055,7 @@ static void lsi_do_msgout(LSIState *s)
+             /* clear the current I/O process */
+             if (s->current) {
+                 scsi_req_cancel(s->current->req);
++                current_req = NULL;
+             }
+ 
+             /* As the current implemented devices scsi_disk and scsi_generic
+-- 
+2.27.0
+