41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
commit c170aad8b057223b1139d72e5ce7acceafab4fa9
|
|
Author: Paolo Bonzini <pbonzini@redhat.com>
|
|
Date: Tue Jul 21 08:59:39 2015 +0200
|
|
|
|
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
|
|
|
|
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
|
|
and newer. scsi_cdb_length returns -1 as an error value, but the
|
|
caller does not check it.
|
|
|
|
Luckily, the massive overflow means that QEMU will just SIGSEGV,
|
|
making the impact much smaller.
|
|
|
|
Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
|
|
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
|
|
Reviewed-by: Fam Zheng <famz@redhat.com>
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
|
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
|
|
index f50b2f0..f0ae462 100644
|
|
--- a/hw/scsi/scsi-bus.c
|
|
+++ b/hw/scsi/scsi-bus.c
|
|
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
|
|
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
|
|
{
|
|
int rc;
|
|
+ int len;
|
|
|
|
cmd->lba = -1;
|
|
- cmd->len = scsi_cdb_length(buf);
|
|
+ len = scsi_cdb_length(buf);
|
|
+ if (len < 0) {
|
|
+ return -1;
|
|
+ }
|
|
|
|
+ cmd->len = len;
|
|
switch (dev->type) {
|
|
case TYPE_TAPE:
|
|
rc = scsi_req_stream_xfer(cmd, dev, buf);
|