[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-stable] [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi
From: |
Daniel P. Berrange |
Subject: |
Re: [Qemu-stable] [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) |
Date: |
Wed, 22 Jul 2015 15:27:43 +0100 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote:
> This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> and newer. scsi_cdb_length returns -1 as an error value, but the
> caller does not check it.
>
> Luckily, the massive overflow means that QEMU will just SIGSEGV,
> making the impact much smaller.
FWIW, would be nice to mention which disk frontends could trigger
this bug. eg was it all of the devices in hw/scsi/ or just a subset ?
>
> Reported-by: Zhu Donghai (朱东海) <address@hidden>
> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
> Cc: address@hidden
> ---
> hw/scsi/scsi-bus.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> index f50b2f0..f0ae462 100644
> --- a/hw/scsi/scsi-bus.c
> +++ b/hw/scsi/scsi-bus.c
> @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
> int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
> {
> int rc;
> + int len;
>
> cmd->lba = -1;
> - cmd->len = scsi_cdb_length(buf);
> + len = scsi_cdb_length(buf);
> + if (len < 0) {
> + return -1;
> + }
>
> + cmd->len = len;
> switch (dev->type) {
> case TYPE_TAPE:
> rc = scsi_req_stream_xfer(cmd, dev, buf);
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|