From nobody Mon Feb  9 08:32:47 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of _spf.google.com designates
 209.85.221.50 as permitted sender) client-ip=209.85.221.50;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-f50.google.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.50 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com;
	dmarc=fail(p=none dis=none)  header.from=amsat.org
ARC-Seal: i=1; a=rsa-sha256; t=1618839772; cv=none;
	d=zohomail.com; s=zohoarc;
	b=bQ38soHSHA+9yfkQMBMqe7Z9f5CUHSSRJmY7FN1/Yz79GBI8TlIyTmo1G1++po4MMlhSmMkoHGEV55xm3g5wsTPbOJu6K3RLIFHBIK0j+1iQRDKP3uD5iGNoORdUFEcSNz6y5QBpGwenqkBzzUU5x+nxbHscQd9JtdoyAaqwWY4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1618839772;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:MIME-Version:Message-ID:Sender:Subject:To;
	bh=ATiydl4QAEN0F9mJEpmGHmBCiByjc7mLThRon7z1f8g=;
	b=iUccVjMo1e6J+pDV3zf4GEfMPh9/1bM3GoyisghoXHgRuhEX8NO2oBcMP+eHkN5NVlJ9Mo5RxCN72jZq51dCZiF80KnCtS7wHG1QdrUgoeDYyilli0kii1OUWPkuk4xpA8IAb6FTQou9tXA1zEQbVAhApBJ6bmMlCO5OVFg4Dh8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.50 as
 permitted sender)  smtp.mailfrom=philippe.mathieu.daude@gmail.com;
	dmarc=fail header.from=<f4bug@amsat.org> (p=none dis=none)
 header.from=<f4bug@amsat.org>
Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com
 [209.85.221.50]) by mx.zohomail.com
	with SMTPS id 1618839772117625.3663106106568;
 Mon, 19 Apr 2021 06:42:52 -0700 (PDT)
Received: by mail-wr1-f50.google.com with SMTP id j5so33147949wrn.4
        for <importer@patchew.org>; Mon, 19 Apr 2021 06:42:51 -0700 (PDT)
Return-Path: <philippe.mathieu.daude@gmail.com>
Return-Path: <philippe.mathieu.daude@gmail.com>
Received: from x1w.redhat.com (39.red-81-40-121.staticip.rima-tde.net.
 [81.40.121.39])
        by smtp.gmail.com with ESMTPSA id
 g13sm26482616wrr.9.2021.04.19.06.42.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Apr 2021 06:42:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ATiydl4QAEN0F9mJEpmGHmBCiByjc7mLThRon7z1f8g=;
        b=mVLdjB+02c8Z44LeXc+QuysVbW9JZxerfSyJdry+sE3PThwo5DnNEoVjMH5jUiv1Lc
         kz7kolAf2+k1W6c6pI5jU+W8RidHzSqREppFf0HKCIV39/nNRZcyRIItm1R2xx8/7qEI
         eUn6Wn2rqlFqWnng2hn2tflQGUVGTNrBeXxNRicTcWe9FnOHaD+4chzgZP6Ho4/WDJb8
         9IJw7r6opDM08kSRTPAaS2UnCK+b3MqFK0hOAwhwtfjQTZ7EUv1RcVnbo/MW01+/a/aQ
         hB1VH4xGgmnK6hS29qJtN7TRAZajbge+xwQrUILm5htX93+TYaIKejHz9TPnB98Wxwt7
         zB7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :mime-version:content-transfer-encoding;
        bh=ATiydl4QAEN0F9mJEpmGHmBCiByjc7mLThRon7z1f8g=;
        b=GAiEUtPyS6m5V457F6DSRzvfJWxMFnzCRkDE9wKQ03jtimGfJj9umKibS+bwYBVc6Y
         9eBg9z/DE8H3l3NZUNs06Dvt/gS82C0O34kaZRDjO5AObbHPKxb8GhnIMx80KAw9M0km
         uwjp6TXIoEvt4vj2yWtVKIMgCSdMPAp9l/67KCARbb3heSOdRShdBwQsBVJ7CexoKWzb
         firTzmzVYGrxj/B1aphReM1T1Ob/0gOsV1aJ14iY0R4UxDhfTt0iHOmmAsjpDF5JYNtS
         z84okn9UtTIcEGgLgoW7FB+OaqHRCmblwzBCHxSrMgqwc1doy7dUoGlFMvAQO37wi2bQ
         3Iwg==
X-Gm-Message-State: AOAM532g+i8cfz0twyhDfYD7iEj1QA9ws7ktbYN2KnTIeCnhmNcOOhGR
	1nfjjQUf9wJlXKSh0oKW6gc=
X-Google-Smtp-Source: 
 ABdhPJwbLzz3q2vWtVsmUJr8TRUrdSdC0i8EDr/ULWtV3K/SEu40lf65fJB8t4p8HK6cKgqiFDyy3g==
X-Received: by 2002:adf:f108:: with SMTP id r8mr14609973wro.147.1618839770408;
        Mon, 19 Apr 2021 06:42:50 -0700 (PDT)
Sender: =?UTF-8?Q?Philippe_Mathieu=2DDaud=C3=A9?=
 <philippe.mathieu.daude@gmail.com>
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Cc: Fam Zheng <fam@euphon.net>,
	Prasad J Pandit <pjp@fedoraproject.org>,
	Li Qiang <liq3ea@gmail.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Mauro Matteo Cascella <mcascell@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Michael Tokarev <mjt@tls.msk.ru>,
	qemu-stable@nongnu.org,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>,
	Cheolwoo Myung <cwmyung@snu.ac.kr>
Subject: [PATCH-for-6.0? v3] mptsas: Remove unused MPTSASState 'pending' field
 (CVE-2021-3392)
Date: Mon, 19 Apr 2021 15:42:47 +0200
Message-Id: <20210419134247.1467982-1-f4bug@amsat.org>
X-Mailer: git-send-email 2.26.3
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @gmail.com)

From: Michael Tokarev <mjt@tls.msk.ru>

While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
the Megaraid emulator appends new MPTSASRequest object 'req' to
the 's->pending' queue. In case of an error, this same object gets
dequeued in mptsas_free_request() only if SCSIRequest object
'req->sreq' is initialised. This may lead to a use-after-free issue.

Since s->pending is actually not used, simply remove it from
MPTSASState.

Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
[PMD: Reworded description, added more tags]
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
---
v3: Remove now unused variable in mptsas_free_request (pm215)

MJT patch:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg799236.html

Since rc4 is soon, I'm directly respining his patch with my comments
addressed.

This is not a new regression (present since QEMU v2.6.0) but is a
CVE...

PJP first patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg02660.html
---
 hw/scsi/mptsas.h | 1 -
 hw/scsi/mptsas.c | 6 ------
 2 files changed, 7 deletions(-)

diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
index b85ac1a5fcc..c046497db71 100644
--- a/hw/scsi/mptsas.h
+++ b/hw/scsi/mptsas.h
@@ -79,7 +79,6 @@ struct MPTSASState {
     uint16_t reply_frame_size;
=20
     SCSIBus bus;
-    QTAILQ_HEAD(, MPTSASRequest) pending;
 };
=20
 void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 7416e787061..db3219e7d20 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASReq=
uest *req, hwaddr addr)
=20
 static void mptsas_free_request(MPTSASRequest *req)
 {
-    MPTSASState *s =3D req->dev;
-
     if (req->sreq !=3D NULL) {
         req->sreq->hba_private =3D NULL;
         scsi_req_unref(req->sreq);
         req->sreq =3D NULL;
-        QTAILQ_REMOVE(&s->pending, req, next);
     }
     qemu_sglist_destroy(&req->qsg);
     g_free(req);
@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *=
s,
     }
=20
     req =3D g_new0(MPTSASRequest, 1);
-    QTAILQ_INSERT_TAIL(&s->pending, req, next);
     req->scsi_io =3D *scsi_io;
     req->dev =3D s;
=20
@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error=
 **errp)
=20
     s->request_bh =3D qemu_bh_new(mptsas_fetch_requests, s);
=20
-    QTAILQ_INIT(&s->pending);
-
     scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, N=
ULL);
 }
=20
--=20
2.26.3