|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-upstream-unstable] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
commit e40ae8730e83e25f160c7576dd32d882bf2a3846
Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
AuthorDate: Tue Jul 21 08:59:39 2015 +0200
Commit: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
CommitDate: Wed Jul 29 15:20:24 2015 +0000
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
upstream-commit-id: c170aad8b057223b1139d72e5ce7acceafab4fa9
Reported-by: Zhu Donghai (��海) <donghai.zdh@xxxxxxxxxxxxxxx>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
Cc: qemu-stable@xxxxxxxxxx
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
---
hw/scsi/scsi-bus.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index 9b740a3..8e4a986 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1234,10 +1234,15 @@ int scsi_cdb_length(uint8_t *buf) {
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
{
int rc;
+ int len;
cmd->lba = -1;
- cmd->len = scsi_cdb_length(buf);
+ len = scsi_cdb_length(buf);
+ if (len < 0) {
+ return -1;
+ }
+ cmd->len = len;
switch (dev->type) {
case TYPE_TAPE:
rc = scsi_req_stream_xfer(cmd, dev, buf);
--
generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git
_______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |