qemu/hw-scsi-lsi53c895a-add-missing-decrement-of-reentran.patch

From 19692eed451101e16399673cd5c3ee9c684cfde0 Mon Sep 17 00:00:00 2001
From: Sven Schnelle <svens@stackframe.org>
Date: Sun, 28 Jan 2024 21:22:14 +0100
Subject: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy
 counter

When the maximum count of SCRIPTS instructions is reached, the code
stops execution and returns, but fails to decrement the reentrancy
counter. This effectively renders the SCSI controller unusable
because on next entry the reentrancy counter is still above the limit.

This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
loops.

Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Message-ID: <20240128202214.2644768-1-svens@stackframe.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/scsi/lsi53c895a.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index f7559051c5..71f1505227 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1159,6 +1159,7 @@ again:
         lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
         lsi_disconnect(s);
         trace_lsi_execute_script_stop();
+        reentrancy_level--;
         return;
     }
     insn = read_dword(s, s->dsp);
-- 
2.27.0
QEMU update to version 6.2.0-89 - qga-win: Fix guest-get-fsinfo multi-disks collection - hw/timer: fix systick trace message - virtio-net: correctly copy vnet header when flushing TX (CVE-2023-6693) - ui/clipboard: mark type as not available when there is no data (CVE-2023-6683) - esp: restrict non-DMA transfer length to that of available data (CVE-2024-24474) - hw/scsi/lsi53c895a: add missing decrement of reentrancy counter - hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) - net: Update MemReentrancyGuard for NIC (CVE-2023-3019) - net: Provide MemReentrancyGuard * to qemu_new_nic() Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> 2024-03-09 14:37:51 +08:00			`From 19692eed451101e16399673cd5c3ee9c684cfde0 Mon Sep 17 00:00:00 2001`
			`From: Sven Schnelle <svens@stackframe.org>`
			`Date: Sun, 28 Jan 2024 21:22:14 +0100`
			`Subject: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy`
			`counter`

			`When the maximum count of SCRIPTS instructions is reached, the code`
			`stops execution and returns, but fails to decrement the reentrancy`
			`counter. This effectively renders the SCSI controller unusable`
			`because on next entry the reentrancy counter is still above the limit.`

			`This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS`
			`loops.`

			`Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")`
			`Signed-off-by: Sven Schnelle <svens@stackframe.org>`
			`Message-ID: <20240128202214.2644768-1-svens@stackframe.org>`
			`Reviewed-by: Thomas Huth <thuth@redhat.com>`
			`Tested-by: Helge Deller <deller@gmx.de>`
			`Signed-off-by: Thomas Huth <thuth@redhat.com>`
			`---`
			`hw/scsi/lsi53c895a.c \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c`
			`index f7559051c5..71f1505227 100644`
			`--- a/hw/scsi/lsi53c895a.c`
			`+++ b/hw/scsi/lsi53c895a.c`
			`@@ -1159,6 +1159,7 @@ again:`
			`lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);`
			`lsi_disconnect(s);`
			`trace_lsi_execute_script_stop();`
			`+ reentrancy_level--;`
			`return;`
			`}`
			`insn = read_dword(s, s->dsp);`
			`--`
			`2.27.0`