cf91b1dfd9
CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) CVE-2016-5238: scsi: esp: OOB write (bz #1341932) CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) Fix crash with -nodefaults -sdl (bz #1340931) Add deps on edk2-ovmf and edk2-aarch64
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
Date: Wed, 15 Jun 2016 14:29:33 +0200
|
|
Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
|
|
|
|
Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma
|
|
has the same code that handle_ti contains after the call to esp_do_dma;
|
|
but the code in handle_ti is never reached because it is in an "else if".
|
|
Remove the else and also the pointless return.
|
|
|
|
esp_do_dma also has a partially dead assignment of the to_device
|
|
variable. Sink it to the point where it's actually used.
|
|
|
|
Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
|
|
only transfers data and not a command. This is true because get_cmd
|
|
cancels the old request synchronously before its caller handle_satn_stop
|
|
sets do_cmd to 1.
|
|
|
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
|
|
---
|
|
hw/scsi/esp.c | 11 ++++-------
|
|
1 file changed, 4 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
|
index 6407844..68d3e4d 100644
|
|
--- a/hw/scsi/esp.c
|
|
+++ b/hw/scsi/esp.c
|
|
@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
|
|
uint32_t len;
|
|
int to_device;
|
|
|
|
- to_device = (s->ti_size < 0);
|
|
len = s->dma_left;
|
|
if (s->do_cmd) {
|
|
trace_esp_do_dma(s->cmdlen, len);
|
|
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
|
- s->ti_size = 0;
|
|
- s->cmdlen = 0;
|
|
- s->do_cmd = 0;
|
|
- do_cmd(s, s->cmdbuf);
|
|
return;
|
|
}
|
|
if (s->async_len == 0) {
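Review bot: The `s->do_cmd` branch still passes `len` straight to `s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len)` with no visible check that `s->cmdlen + len` fits in cmdbuf; `len` is `s->dma_left`, which the last hunk shows handle_ti setting from `minlen`, presumably a guest-programmed transfer length, so an over-long transfer would write past the end of the command buffer. This commit only moves the dispatch out of esp_do_dma, so the missing bound is untouched here; clamping before the read, e.g. `if (len > sizeof(s->cmdbuf) - s->cmdlen) { len = sizeof(s->cmdbuf) - s->cmdlen; }` (assuming cmdbuf is the fixed-size array its indexing suggests), or rejecting the transfer with an error status, would close it. Whether a later patch in this series adds that check is not visible on this page. esp_do_dma begins before the hunk.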
|
|
@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
|
|
if (len > s->async_len) {
|
|
len = s->async_len;
|
|
}
|
|
+ to_device = (s->ti_size < 0);
|
|
if (to_device) {
|
|
s->dma_memory_read(s->dma_opaque, s->async_buf, len);
|
|
} else {
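Review bot: With the assignment sunk to this point, `to_device` is still declared at the top of esp_do_dma (`int to_device;` in the first hunk) and first written here, some twenty lines later; declaring it at the point of use, `int to_device = (s->ti_size < 0);`, and dropping the top-of-function declaration keeps its scope as narrow as its use, which is what the sinking is heading toward anyway. Behaviour is identical either way, so this is purely style. esp_do_dma's body continues outside the hunk.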
|
|
@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
|
|
{
|
|
ESPState *s = req->hba_private;
|
|
|
|
+ assert(!s->do_cmd);
|
|
trace_esp_transfer_data(s->dma_left, s->ti_size);
|
|
s->async_len = len;
|
|
s->async_buf = scsi_req_get_buf(req);
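Review bot: The new `assert(!s->do_cmd)` encodes an invariant whose justification exists only in the commit message; because a failed assert in a device model aborts the whole VM, the reason it cannot fire should sit next to it so that a later change to get_cmd or handle_satn_stop does not quietly turn it into a guest-reachable abort. Suggest `/* get_cmd() cancels the outstanding request synchronously before handle_satn_stop sets do_cmd, so no data can arrive while a command is being collected. */` directly above the assert. That the cancellation is synchronous is taken from the description, not from anything visible in this hunk, so the wording should be confirmed against get_cmd. esp_transfer_data's body continues outside the hunk.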
|
|
@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
|
|
s->dma_left = minlen;
|
|
s->rregs[ESP_RSTAT] &= ~STAT_TC;
|
|
esp_do_dma(s);
|
|
- } else if (s->do_cmd) {
|
|
+ }
|
|
+ if (s->do_cmd) {
|
|
trace_esp_handle_ti_cmd(s->cmdlen);
|
|
s->ti_size = 0;
|
|
s->cmdlen = 0;
|
|
s->do_cmd = 0;
|
|
do_cmd(s, s->cmdbuf);
|
|
- return;
|
|
}
|
|
}
|
|
|
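Review bot: On the DMA path, esp_do_dma (first hunk) reads `len` bytes into `&s->cmdbuf[s->cmdlen]` and returns without advancing `s->cmdlen`, so the `trace_esp_handle_ti_cmd(s->cmdlen)` that is now reached after `esp_do_dma(s)` reports a length that excludes the bytes just copied, and `do_cmd(s, s->cmdbuf)` receives a buffer whose length is only implicit. The old in-esp_do_dma dispatch ran with the same un-advanced cmdlen, so this is not a behaviour change, but the trace is misleading and the contract deserves a comment at the `if (s->do_cmd)` line, e.g. `/* cmdlen does not include bytes DMA'd by esp_do_dma; do_cmd() takes the CDB length from cmdbuf itself */`, once the second half is confirmed against do_cmd. If do_cmd does depend on cmdlen, the DMA path would need `s->cmdlen += len` in esp_do_dma before the dispatch. handle_ti starts before the hunk.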