gentoo/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch

commit c170aad8b057223b1139d72e5ce7acceafab4fa9
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Tue Jul 21 08:59:39 2015 +0200

    scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
    
    This is a guest-triggerable buffer overflow present in QEMU 2.2.0
    and newer.  scsi_cdb_length returns -1 as an error value, but the
    caller does not check it.
    
    Luckily, the massive overflow means that QEMU will just SIGSEGV,
    making the impact much smaller.
    
    Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
    Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
    Reviewed-by: Fam Zheng <famz@redhat.com>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index f50b2f0..f0ae462 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
 {
     int rc;
+    int len;
 
     cmd->lba = -1;
-    cmd->len = scsi_cdb_length(buf);
+    len = scsi_cdb_length(buf);
+    if (len < 0) {
+        return -1;
+    }
 
+    cmd->len = len;
     switch (dev->type) {
     case TYPE_TAPE:
         rc = scsi_req_stream_xfer(cmd, dev, buf);
[app-emulation/qemu] CVE bump 2015-07-28 06:45:29 +02:00			`commit c170aad8b057223b1139d72e5ce7acceafab4fa9`
			`Author: Paolo Bonzini <pbonzini@redhat.com>`
			`Date: Tue Jul 21 08:59:39 2015 +0200`

			`scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)`

			`This is a guest-triggerable buffer overflow present in QEMU 2.2.0`
			`and newer. scsi_cdb_length returns -1 as an error value, but the`
			`caller does not check it.`

			`Luckily, the massive overflow means that QEMU will just SIGSEGV,`
			`making the impact much smaller.`

			`Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>`
			`Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173`
			`Reviewed-by: Fam Zheng <famz@redhat.com>`
			`Cc: qemu-stable@nongnu.org`
			`Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>`

			`diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c`
			`index f50b2f0..f0ae462 100644`
			`--- a/hw/scsi/scsi-bus.c`
			`+++ b/hw/scsi/scsi-bus.c`
			`@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {`
			`int scsi_req_parse_cdb(SCSIDevice dev, SCSICommand cmd, uint8_t *buf)`
			`{`
			`int rc;`
			`+ int len;`

			`cmd->lba = -1;`
			`- cmd->len = scsi_cdb_length(buf);`
			`+ len = scsi_cdb_length(buf);`
			`+ if (len < 0) {`
			`+ return -1;`
			`+ }`

			`+ cmd->len = len;`
			`switch (dev->type) {`
			`case TYPE_TAPE:`
			`rc = scsi_req_stream_xfer(cmd, dev, buf);`