[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-upstream-unstable] scsi_target_send_command(): amend stable-1.6 port of the CVE-2013-4344 fix

commit 192d2f4cc7931668d4e4f10e882af3c097193c47
Author:     Laszlo Ersek <lersek@xxxxxxxxxx>
AuthorDate: Sat Nov 2 20:14:21 2013 +0100
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Mon Dec 9 14:49:49 2013 -0600

    scsi_target_send_command(): amend stable-1.6 port of the CVE-2013-4344 fix
    
    The originally suggested fix for CVE-2013-4344 introduced a regression in
    scsi_target_send_command() / REQUEST_SENSE; the third argument passed to
    scsi_device_get_sense() -- for the "len" parameter -- ignored the
    possibility of the guest SCSI driver requesting truncated (or shorter than
    full) sense data.
    
    This could result in (r->len > req->cmd.xfer) on return, which is not
    valid SCSI.
    
    The problem was addressed in the second round, and the commit on the
    master branch (84642435) is correct. However the stable-1.6 branch (the
    v1.6.1 release) has the original, regressive fix (commit fdcbe7d5); let's
    update it.
    
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
---
 hw/scsi/scsi-bus.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index ad26c25..d352da7 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -460,7 +460,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, 
uint8_t *buf)
         break;
     case REQUEST_SENSE:
         scsi_target_alloc_buf(&r->req, SCSI_SENSE_LEN);
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, r->buf_len,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, r->buf_len),
                                        (req->cmd.buf[1] & 1) == 0);
         if (r->req.dev->sense_is_ua) {
             scsi_device_unit_attention_reported(req->dev);
--
generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.