[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_
|
From: |
Michael Roth |
|
Subject: |
[Qemu-stable] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) |
|
Date: |
Thu, 30 Jul 2015 06:33:03 -0500 |
From: Paolo Bonzini <address@hidden>
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
Reported-by: Zhu Donghai (朱东海) <address@hidden>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9)
Signed-off-by: Michael Roth <address@hidden>
---
hw/scsi/scsi-bus.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index bd2c0e4..0c506db 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
{
int rc;
+ int len;
cmd->lba = -1;
- cmd->len = scsi_cdb_length(buf);
+ len = scsi_cdb_length(buf);
+ if (len < 0) {
+ return -1;
+ }
+ cmd->len = len;
switch (dev->type) {
case TYPE_TAPE:
rc = scsi_req_stream_xfer(cmd, dev, buf);
--
1.9.1
- [Qemu-stable] [PATCH 38/53] s390x/ipl: Fix boot if no bootindex was specified, (continued)
- [Qemu-stable] [PATCH 38/53] s390x/ipl: Fix boot if no bootindex was specified, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 39/53] spapr_vty: lookup should only return valid VTY objects, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 03/53] Strip brackets from vnc host, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 42/53] block: Initialize local_err in bdrv_append_temp_snapshot, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 43/53] mips/kvm: Fix Big endian 32-bit register access, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 02/53] block/iscsi: do not forget to logout from target, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 45/53] vfio/pci: Fix RTL8168 NIC quirks, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 46/53] virtio-net: unbreak any layout, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 40/53] target-ppc: fix hugepage support when using memory-backend-file, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 44/53] mips/kvm: Sign extend registers written to KVM, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 48/53] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158),
Michael Roth <=
- [Qemu-stable] [PATCH 47/53] vfio/pci: Fix bootindex, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 50/53] block: qemu-iotests - add check for multiplication overflow in vpc, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 49/53] block: vpc - prevent overflow if max_table_entries >= 0x40000000, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 04/53] nbd/trivial: fix type cast for ioctl, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 41/53] Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 51/53] ide: Check array bounds before writing to io_buffer (CVE-2015-5154), Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 52/53] ide/atapi: Fix START STOP UNIT command completion, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 53/53] ide: Clear DRQ after handling all expected accesses, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 06/53] vmdk: Fix overflow if l1_size is 0x20000000, Michael Roth, 2015/07/30
- [Qemu-stable] [PATCH 05/53] vmdk: Fix next_cluster_sector for compressed write, Michael Roth, 2015/07/30