[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-stable] [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi
From: |
Paolo Bonzini |
Subject: |
Re: [Qemu-stable] [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) |
Date: |
Wed, 22 Jul 2015 18:22:17 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1 |
On 22/07/2015 16:27, Daniel P. Berrange wrote:
> On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote:
> > This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> > and newer. scsi_cdb_length returns -1 as an error value, but the
> > caller does not check it.
> >
> > Luckily, the massive overflow means that QEMU will just SIGSEGV,
> > making the impact much smaller.
>
> FWIW, would be nice to mention which disk frontends could trigger
> this bug. eg was it all of the devices in hw/scsi/ or just a subset ?
All of them.
Paolo