rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ecee1eccfe
qemu/0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
Cole Robinson cf91b1dfd9 CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083) 
CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157)
CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925)
CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)
Fix crash with -nodefaults -sdl (bz #1340931)
Add deps on edk2-ovmf and edk2-aarch64
2016-06-22 09:40:57 -04:00

34 lines
1.2 KiB
Diff
Raw Blame History

From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 31 May 2016 23:23:27 +0530
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
command into a buffer. Add check to validate command length against
buffer size to avoid any overrun.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 591c817..c2f6f8f 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
s->dma_memory_read(s->dma_opaque, buf, dmalen);
} else {
dmalen = s->ti_size;
+ if (dmalen > TI_BUFSZ) {
+ return 0;
+ }
memcpy(buf, s->ti_buf, dmalen);
buf[0] = buf[2] >> 5;
}
Reference in New Issue View Git Blame Copy Permalink