cf91b1dfd9
CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157) CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581) CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585) CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573) CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740) CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744) CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925) CVE-2016-5238: scsi: esp: OOB write (bz #1341932) CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325) CVE-2016-5337: scsi: megasas: information leakage (bz #1343910) Fix crash with -nodefaults -sdl (bz #1340931) Add deps on edk2-ovmf and edk2-aarch64
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Tue, 31 May 2016 23:23:27 +0530
|
|
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
|
|
|
|
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
|
FIFO buffer. It is used to handle command and data transfer.
|
|
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
|
|
command into a buffer. Add check to validate command length against
|
|
buffer size to avoid any overrun.
|
|
|
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
|
|
---
|
|
hw/scsi/esp.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
|
index 591c817..c2f6f8f 100644
|
|
--- a/hw/scsi/esp.c
|
|
+++ b/hw/scsi/esp.c
|
|
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
|
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
|
} else {
|
|
dmalen = s->ti_size;
|
|
+ if (dmalen > TI_BUFSZ) {
|
|
+ return 0;
|
|
+ }
|
|
memcpy(buf, s->ti_buf, dmalen);
|
|
buf[0] = buf[2] >> 5;
|
|
}
|