[Qemu-stable] [PATCH 14/56] esp: check dma length before reading scsi co

qemu-stable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-stable] [PATCH 14/56] esp: check dma length before reading scsi co

From:	Michael Roth
Subject:	[Qemu-stable] [PATCH 14/56] esp: check dma length before reading scsi command(CVE-2016-4441)
Date:	Mon, 8 Aug 2016 16:03:45 -0500

From: Prasad J Pandit <address@hidden>

The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
Signed-off-by: Michael Roth <address@hidden>
---
 hw/scsi/esp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
     }
 }
 
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
 {
     uint32_t dmalen;
     int target;
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
         dmalen = s->rregs[ESP_TCLO];
         dmalen |= s->rregs[ESP_TCMID] << 8;
         dmalen |= s->rregs[ESP_TCHI] << 16;
+        if (dmalen > buflen) {
+            return 0;
+        }
         s->dma_memory_read(s->dma_opaque, buf, dmalen);
     } else {
         dmalen = s->ti_size;
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
         s->dma_cb = handle_satn;
         return;
     }
-    len = get_cmd(s, buf);
+    len = get_cmd(s, buf, sizeof(buf));
     if (len)
         do_cmd(s, buf);
 }
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
         s->dma_cb = handle_s_without_atn;
         return;
     }
-    len = get_cmd(s, buf);
+    len = get_cmd(s, buf, sizeof(buf));
     if (len) {
         do_busid_cmd(s, buf, 0);
     }
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
         s->dma_cb = handle_satn_stop;
         return;
     }
-    s->cmdlen = get_cmd(s, s->cmdbuf);
+    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
     if (s->cmdlen) {
         trace_esp_handle_satn_stop(s->cmdlen);
         s->do_cmd = 1;
-- 
1.9.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 09/56] configure: Allow builds with extra warnings, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 10/56] migration: regain control of images when migration fails to complete, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 11/56] json-streamer: Don't leak tokens on incomplete parse, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 12/56] json-streamer: fix double-free on exiting during a parse, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 13/56] esp: check command buffer length before write(CVE-2016-4439), Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 16/56] usb/ohci: Fix crash with when specifying too many num-ports, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 15/56] block/nfs: refuse readahead if cache.direct is on, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 17/56] vga: add sr_vbe register set, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 14/56] esp: check dma length before reading scsi command(CVE-2016-4441), Michael Roth <=
- [Qemu-stable] [PATCH 22/56] Fix configure test for PBKDF2 in nettle, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 19/56] block/iscsi: avoid potential overflow of acb->task->cdb, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 18/56] vfio: Fix broken EEH, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 20/56] nbd: Don't trim unrequested bytes, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 24/56] scsi: mptsas: infinite loop while fetching requests, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 21/56] savevm: fail if migration blockers are present, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 23/56] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952), Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 26/56] vmsvga: move fifo sanity checks to vmsvga_fifo_length, Michael Roth, 2016/08/08
- [Qemu-stable] [PATCH 30/56] io: remove mistaken call to object_ref on QTask, Michael Roth, 2016/08/08

Prev by Date: [Qemu-stable] [PATCH 17/56] vga: add sr_vbe register set
Next by Date: [Qemu-stable] [PATCH 22/56] Fix configure test for PBKDF2 in nettle
Previous by thread: [Qemu-stable] [PATCH 17/56] vga: add sr_vbe register set
Next by thread: [Qemu-stable] [PATCH 22/56] Fix configure test for PBKDF2 in nettle
Index(es):
- Date
- Thread