[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-7423-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch

From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 12 Sep 2016 18:14:11 +0530
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object

When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/mptsas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
         goto bad;
     }
 
-    req = g_new(MPTSASRequest, 1);
+    req = g_new0(MPTSASRequest, 1);
     QTAILQ_INSERT_TAIL(&s->pending, req, next);
     req->scsi_io = *scsi_io;
     req->dev = s;
-- 
2.1.4
Commit	Line	Data
6ccd2869 FG	1	From 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5 Mon Sep 17 00:00:00 2001
	2	From: Li Qiang <liqiang6-s@360.cn>
	3	Date: Mon, 12 Sep 2016 18:14:11 +0530
	4	Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
	5
	6	When processing IO request in mptsas, it uses g_new to allocate
	7	a 'req' object. If an error occurs before 'req->sreq' is
	8	allocated, It could lead to an OOB write in mptsas_free_request
	9	function. Use g_new0 to avoid it.
	10
	11	Reported-by: Li Qiang <liqiang6-s@360.cn>
	12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	13	Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
	14	Cc: qemu-stable@nongnu.org
	15	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	16	---
	17	hw/scsi/mptsas.c \| 2 +-
	18	1 file changed, 1 insertion(+), 1 deletion(-)
	19
	20	diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
	21	index 0e0a22f..eaae1bb 100644
	22	--- a/hw/scsi/mptsas.c
	23	+++ b/hw/scsi/mptsas.c
	24	@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
	25	goto bad;
	26	}
	27
	28	- req = g_new(MPTSASRequest, 1);
	29	+ req = g_new0(MPTSASRequest, 1);
	30	QTAILQ_INSERT_TAIL(&s->pending, req, next);
	31	req->scsi_io = *scsi_io;
	32	req->dev = s;
	33	--
	34	2.1.4
	35