[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 18/24] esp: check command buffer length before write(
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [PULL 18/24] esp: check command buffer length before write(CVE-2016-4439) |
Date: |
Mon, 23 May 2016 17:09:53 +0200 |
From: Prasad J Pandit <address@hidden>
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add check to avoid OOB write
access.
Fixes CVE-2016-4439.
Reported-by: Li Qiang <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/esp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8961be2..01497e6 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t
val)
break;
case ESP_FIFO:
if (s->do_cmd) {
- s->cmdbuf[s->cmdlen++] = val & 0xff;
+ if (s->cmdlen < TI_BUFSZ) {
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
+ } else {
+ trace_esp_error_fifo_overrun();
+ }
} else if (s->ti_size == TI_BUFSZ - 1) {
trace_esp_error_fifo_overrun();
} else {
--
1.8.3.1
- [Qemu-devel] [PULL 03/24] i386: kvmvapic: initialise imm32 variable, (continued)
- [Qemu-devel] [PULL 03/24] i386: kvmvapic: initialise imm32 variable, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 06/24] ioapic: keep RO bits for IOAPIC entry, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 05/24] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 09/24] memory: drop find_ram_block(), Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 08/24] vl: change runstate only if new state is different from current state, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 13/24] memory: remove unnecessary masking of MemoryRegion ram_addr, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 07/24] ioapic: clear remote irr bit for edge-triggered interrupts, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 01/24] exec.c: Ensure right alignment also for file backed ram, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 02/24] docs/atomics.txt: Update pointer to linux macro, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 10/24] exec: adjust rcu_read_lock requirement, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 18/24] esp: check command buffer length before write(CVE-2016-4439),
Paolo Bonzini <=
- [Qemu-devel] [PULL 04/24] configure: Allow builds with extra warnings, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 15/24] Remove config-devices.mak on 'make clean', Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 14/24] cpus.c: Use pthread_sigmask() rather than sigprocmask(), Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 23/24] nmi: remove x86 specific nmi handling, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 19/24] esp: check dma length before reading scsi command(CVE-2016-4441), Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 12/24] memory: Drop FlatRange.romd_mode, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 17/24] scripts/signrom.py: Check for magic in option ROMs., Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 11/24] memory: Remove code for mr->may_overlap, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 16/24] scripts/signrom.py: Allow option ROM checksum script to write the size header., Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 24/24] cpus: call the core nmi injection function, Paolo Bonzini, 2016/05/23