cf91b1dfd9
CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) CVE-2016-5238: scsi: esp: OOB write (bz #1341932) CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) Fix crash with -nodefaults -sdl (bz #1340931) Add deps on edk2-ovmf and edk2-aarch64
30 lines
1.1 KiB
Diff
30 lines
1.1 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Tue, 7 Jun 2016 16:44:03 +0530
|
|
Subject: [PATCH] scsi: megasas: null terminate bios version buffer
|
|
|
|
While reading information via 'megasas_ctrl_get_info' routine,
|
|
a local bios version buffer isn't null terminated. Add the
|
|
terminating null byte to avoid any OOB access.
|
|
|
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
|
|
---
|
|
hw/scsi/megasas.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
|
index cc66d36..a9ffc32 100644
|
|
--- a/hw/scsi/megasas.c
|
|
+++ b/hw/scsi/megasas.c
|
|
@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
|
|
|
ptr = memory_region_get_ram_ptr(&pci_dev->rom);
|
|
memcpy(biosver, ptr + 0x41, 31);
|
|
+ biosver[31] = 0;
|
|
memcpy(info.image_component[1].name, "BIOS", 4);
|
|
memcpy(info.image_component[1].version, biosver,
|
|
strlen((const char *)biosver));
|