cf91b1dfd9
CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) CVE-2016-5238: scsi: esp: OOB write (bz #1341932) CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) Fix crash with -nodefaults -sdl (bz #1340931) Add deps on edk2-ovmf and edk2-aarch64
37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 30 May 2016 09:09:19 +0200
|
|
Subject: [PATCH] vmsvga: add more fifo checks
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Make sure all fifo ptrs are within range.
|
|
|
|
Fixes: CVE-2016-4454
|
|
Cc: qemu-stable@nongnu.org
|
|
Cc: P J P <ppandit@redhat.com>
|
|
Reported-by: 李强 <liqiang6-s@360.cn>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
|
|
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
|
|
---
|
|
hw/display/vmware_vga.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
|
index 63a7c05..a26e62e 100644
|
|
--- a/hw/display/vmware_vga.c
|
|
+++ b/hw/display/vmware_vga.c
|
|
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
|
if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
|
return 0;
|
|
}
|
|
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
|
+ if (CMD(max) > SVGA_FIFO_SIZE ||
|
|
+ CMD(min) >= SVGA_FIFO_SIZE ||
|
|
+ CMD(stop) >= SVGA_FIFO_SIZE ||
|
|
+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
|
return 0;
|
|
}
|
|
if (CMD(max) < CMD(min) + 10 * 1024) {
|