cf91b1dfd9
CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) CVE-2016-5238: scsi: esp: OOB write (bz #1341932) CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) Fix crash with -nodefaults -sdl (bz #1340931) Add deps on edk2-ovmf and edk2-aarch64
35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
From: Peter Lieven <pl@kamp.de>
|
|
Date: Tue, 24 May 2016 10:59:28 +0200
|
|
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
|
|
|
|
at least in the path via virtio-blk the maximum size is not
|
|
restricted.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Peter Lieven <pl@kamp.de>
|
|
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
|
|
---
|
|
block/iscsi.c | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/block/iscsi.c b/block/iscsi.c
|
|
index 302baf8..172e6cf 100644
|
|
--- a/block/iscsi.c
|
|
+++ b/block/iscsi.c
|
|
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
|
|
return &acb->common;
|
|
}
|
|
|
|
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
|
|
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
|
|
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
|
|
+ qemu_aio_unref(acb);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
acb->task = malloc(sizeof(struct scsi_task));
|
|
if (acb->task == NULL) {
|
|
error_report("iSCSI: Failed to allocate task for scsi command. %s",
|