10ec804850
CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818) CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766) CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008) CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720) CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz #1294787) CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023) Fix modules.d/kvm.conf example syntax (bz #1298823)
33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From: P J P <ppandit@redhat.com>
|
|
Date: Mon, 21 Dec 2015 15:13:13 +0530
|
|
Subject: [PATCH] scsi: initialise info object with appropriate size
|
|
|
|
While processing controller 'CTRL_GET_INFO' command, the routine
|
|
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
|
|
appropriate size to null initialise it.
|
|
|
|
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: P J P <ppandit@redhat.com>
|
|
(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
|
|
---
|
|
hw/scsi/megasas.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
|
index a04369c..d9b99c0 100644
|
|
--- a/hw/scsi/megasas.c
|
|
+++ b/hw/scsi/megasas.c
|
|
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
|
BusChild *kid;
|
|
int num_pd_disks = 0;
|
|
|
|
- memset(&info, 0x0, cmd->iov_size);
|
|
+ memset(&info, 0x0, dcmd_size);
|
|
if (cmd->iov_size < dcmd_size) {
|
|
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
|
|
dcmd_size);
|