From 28ef4af30452c90ba53ee38cfedffbfc0143ef1e Mon Sep 17 00:00:00 2001
From: imxcc
Date: Mon, 21 Jun 2021 17:15:39 +0800
Subject: [PATCH 1/2] fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks

Signed-off-by: Mark Cave-Ayland
Signed-off-by: imxcc
---
 hw/scsi/esp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 7508d035ca..d1f13b350e 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s)
 s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
 return;
 }
+if (!s->current_req) {
+return;
+}
 if (s->async_len == 0) {
 /* Defer until data is available. */
 return;
-- 
Gitee

From 55c478501ecd0a380019b8ec475151a76eb48622 Mon Sep 17 00:00:00 2001
From: imxcc
Date: Mon, 21 Jun 2021 17:20:55 +0800
Subject: [PATCH 2/2] fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL

Signed-off-by: Mark Cave-Ayland
Signed-off-by: imxcc
---
 hw/scsi/esp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index d1f13b350e..db6bed4f00 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req)
 scsi_req_unref(s->current_req);
 s->current_req = NULL;
 s->current_dev = NULL;
+s->async_len = 0;
 }
 }
 
@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
 if (s->current_req) {
 /* Started a new command before the old one finished. Cancel it. */
 scsi_req_cancel(s->current_req);
-s->async_len = 0;
 }
 s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
 
@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
 
 trace_esp_do_busid_cmd(busid);
 lun = busid & 7;
+if (!s->current_dev) {
+return;
+}
 current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
 s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
 datalen = scsi_req_enqueue(s->current_req);
-- 
Gitee
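Review bot: The new `if (!s->current_req)` early return in esp_do_dma is silent — it raises no interrupt and updates no status, so a DMA transfer started while no SCSI request is active simply stalls from the guest's point of view, and a comment should record that this is the intended outcome for a request that was cancelled or never issued, e.g. `/* No active request (cancelled or never started): drop the DMA quietly. */`. The guard sits after the command-phase branch above it, so the `cmdbuf` read path does not depend on `current_req`; the comment should say so as well, so a later refactor does not hoist the check above that branch. esp_do_dma starts and ends outside this hunk.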
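Review bot: Moving `s->async_len = 0;` into esp_request_cancelled means the reset now happens only when the cancel callback runs, so the matching removal in the get_cmd hunk (where `scsi_req_cancel(s->current_req);` is no longer followed by the reset) is correct only if `scsi_req_cancel()` invokes this callback synchronously before get_cmd goes on to select the new device; if cancellation can complete later, get_cmd would continue with the old `async_len` still set and the `current_req` guard added in PATCH 1/2 would be the only thing keeping stale transfer state out of esp_do_dma. The cancel path is not visible from here, so this ordering should be confirmed and noted on the new line, e.g. `/* Reset the in-flight transfer length together with the request it belonged to. */`. Whether the associated buffer pointer (presumably `s->async_buf`) needs the same treatment is worth checking at the same time. esp_request_cancelled starts outside this hunk.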
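Review bot: The new `if (!s->current_dev)` return in do_busid_cmd is another silent bail-out — no status or interrupt goes back to the guest when the selection done in get_cmd found no device — so the behaviour should be documented on the spot, e.g. `/* Selection failed (no device at this target): ignore the command. */`. The line after the guard still passes `current_lun` to `scsi_req_new()` unchecked; presumably `scsi_device_find()` falls back to a device on the same target when the LUN does not exist, which would make that safe, but that is not visible here and deserves confirmation. The patch subject also says the change ensures cmdfifo is not empty, yet none of the three hunks touch a FIFO, so this backport appears to carry only the current_dev part of the upstream fix and the description should say so. do_busid_cmd continues past the end of the hunk.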