File esp-ensure-that-do_cmd-is-set-to-zero-be.patch of Package qemu.21548
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: Wed, 7 Apr 2021 20:58:00 +0100
Subject: esp: ensure that do_cmd is set to zero before submitting an ESP
select command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 607206948cacda4a80be5b976dba490970a18a76
References: bsc#1180433, CVE-2020-35504
bsc#1180434, CVE-2020-35505
bsc#1180435, CVE-2020-35506
When a CDB has been received and is about to be submitted to the SCSI layer
via one of the ESP select commands, ensure that do_cmd is set to zero before
executing the command.
Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
.transfer_data callback again before do_cmd is set to zero by the callback
function, triggering an assert at the start of esp_transfer_data().
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
hw/scsi/esp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8445ebdb1f14f911498289fb3c73..e1072a3c5afca523b0ac2b51ae15 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -246,8 +246,10 @@ static void handle_satn(ESPState *s)
}
s->pdma_cb = satn_pdma_cb;
len = get_cmd(s, buf, sizeof(buf));
- if (len)
+ if (len) {
+ s->do_cmd = 0;
do_cmd(s, buf);
+ }
}
static void s_without_satn_pdma_cb(ESPState *s)
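Review bot: the ordering in this hunk is the whole fix, and it is easy to misread because `s->do_cmd = 0;` is immediately followed by `do_cmd(s, buf);` (a field and a function sharing one name): the flag must be cleared before the submission call, since, as the commit message states, do_cmd() can reach the SCSI .transfer_data callback synchronously and a reset placed after the call would leave the re-entry window open. A one-line comment above the assignment (for example "/* clear before submitting: the callback may fire before do_cmd() returns */") would document why the two statements must stay in this order. The braces added to `if (len)` are required by QEMU coding style anyway and also keep the pair together. One thing to verify outside this hunk: satn_pdma_cb is installed as s->pdma_cb two lines above but is not shown; if it also submits the CDB via do_cmd(), it needs the same reset.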
@@ -272,6 +274,7 @@ static void handle_s_without_atn(ESPState *s)
s->pdma_cb = s_without_satn_pdma_cb;
len = get_cmd(s, buf, sizeof(buf));
if (len) {
+ s->do_cmd = 0;
do_busid_cmd(s, buf, 0);
}
}
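Review bot: this hunk repeats the `s->do_cmd = 0;` reset from handle_satn() directly before the submission call, here do_busid_cmd(s, buf, 0). Having every select-command handler remember to clear the flag is fragile; if do_cmd() routes through do_busid_cmd() (not visible in this diff), moving the single reset into do_busid_cmd() would cover both callers and any future ones. As with the first hunk, s_without_satn_pdma_cb is assigned to s->pdma_cb just above but is not in the diff, so confirm that the PDMA completion path submits the CDB with do_cmd already cleared.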