Re: CVE request Qemu: scsi: mptsas: OOB access when freeing MPTSASRequest object

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Quick emulator(Qemu) built with the LSI SAS1068 Host Bus emulation support, is
> vulnerable to an invalid memory access issue. It could occur while processing
> scsi io requests in mptsas_process_scsi_io_request.
>
> A privileged user inside guest could use this flaw to crash the Qemu process
> instance on the host resulting in DoS.
>
> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03604.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1376776
> http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5

> > scsi: mptsas: use g_new0 to allocate MPTSASRequest object
> >
> > When processing IO request in mptsas, it uses g_new to allocate
> > a 'req' object. If an error occurs before 'req->sreq' is
> > allocated, It could lead to an OOB write in mptsas_free_request
> > function. Use g_new0 to avoid it.

Use CVE-2016-7423.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX3CoQAAoJEHb/MwWLVhi2jDcP+wbIpI1ey0NwiBCdBhQhtIcM
OinhQ7vBTP7wqOZqMEnJoWRdK3A56/JxfXs5chnHEUxiiC5sy59sMoDa/wJ9M2yL
WDCzYZLVpTevTW/fbeMnXel3Xc5IFB80yaAuDqXP48f3s1H6bo2ai0giyWdcbdXY
UebsZpm9MHxeqN6DYEGnsYe8audTizfe9swwLeWSUXyttzFLGOrL3pJQE6WBORbu
cbpazz4ylYJcDyY+Th3CNZpFAZGqIcw++DMZKZG00nlgXJ4gWn9raLmfWYVKRumd
JHczsDj36PqKC5kXsrwyd62YV7TCZFzDHGEQN3ZeGIhIbLaKhc9OSif48V3Xu5pH
4SzvmEFiSiRCD5HGgikkzyt+lbNy7rbvry8NWYek/pgeXIYkYdywgKB54fs0jNjv
wVf82M/8QDqFmegkRiEIyF8WsTe6WpwBgRQm7PdNJlyR54gH38/uTCefhPZj9elT
RdgGkqtinff92C12s+A8nH4GIe8uQnGUt2cv39m02htT5NaSZBTAXPQuoVUJTIjM
+xsymnuJSSMzyy351XG+8T+Cc2er7G+dYdf2aZUMItFlPSaK3Ewp5rFkgAYNClJz
D6MWKJeXonSrx4j/+z5tTHma64FEgNfKSupEaf5en0od7lR7zB215xFbv6g6P/3d
8arhpqQkwLxtRAm2n/Ad
=7sOJ
-----END PGP SIGNATURE-----