]> xenbits.xensource.com Git - qemu-upstream-4.6-testing.git/commitdiff
projects / qemu-upstream-4.6-testing.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9ad5c2c)
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
authorPaolo Bonzini <pbonzini@redhat.com>
Tue, 21 Jul 2015 06:59:39 +0000 (08:59 +0200)
committerStefano Stabellini <stefano.stabellini@eu.citrix.com>
Wed, 29 Jul 2015 15:20:24 +0000 (15:20 +0000)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer.  scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

upstream-commit-id: c170aad8b057223b1139d72e5ce7acceafab4fa9

Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
hw/scsi/scsi-bus.c patch | blob | history

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index 9b740a3cfa10250ae7014950415966464cdaecd4..8e4a986cbde3b49a5c63e80f3bee93e27dfc689b 100644 (file)
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1234,10 +1234,15 @@ int scsi_cdb_length(uint8_t *buf) {
 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
 {
     int rc;
+    int len;
 
     cmd->lba = -1;
-    cmd->len = scsi_cdb_length(buf);
+    len = scsi_cdb_length(buf);
+    if (len < 0) {
+        return -1;
+    }
 
+    cmd->len = len;
     switch (dev->type) {
     case TYPE_TAPE:
         rc = scsi_req_stream_xfer(cmd, dev, buf);
Obsolete Upstream Qemu based repository for xen-4.6-testing