rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
e0a4eb7219
qemu/0013-scsi-initialise-info-object-with-appropriate-size.patch
Cole Robinson 10ec804850 CVE-2015-8745: vmxnet3: don't assert reading registers in bar0 (bz #1295442) 
CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720)
CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz #1294787)
CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023)
Fix modules.d/kvm.conf example syntax (bz #1298823)
2016-01-20 19:30:26 -05:00

33 lines
1.2 KiB
Diff
Raw Blame History

From: P J P <ppandit@redhat.com>
Date: Mon, 21 Dec 2015 15:13:13 +0530
Subject: [PATCH] scsi: initialise info object with appropriate size
While processing controller 'CTRL_GET_INFO' command, the routine
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
appropriate size to null initialise it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>
(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index a04369c..d9b99c0 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
BusChild *kid;
int num_pd_disks = 0;
- memset(&info, 0x0, cmd->iov_size);
+ memset(&info, 0x0, dcmd_size);
if (cmd->iov_size < dcmd_size) {
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
dcmd_size);
Reference in New Issue View Git Blame Copy Permalink