[Qemu-devel] [PATCH 2/4] scsi-generic: avoid out-of-bounds access to VPD
From: Paolo Bonzini
Subject: [Qemu-devel] [PATCH 2/4] scsi-generic: avoid out-of-bounds access to VPD page list
Date: Mon, 29 Oct 2018 18:34:35 +0100
A device can report an excessive number of VPD pages when asked for a
list; this can cause an out-of-bounds access to buf in
scsi_generic_set_vpd_bl_emulation. It should not happen, but
it is technically not incorrect so handle it: do not check any byte
past the allocation length that was sent to the INQUIRY command.
Reported-by: Max Reitz <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/scsi-generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index aebb7cdd82..c5497bbea8 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s)
}
page_len = buf[3];
- for (i = 4; i < page_len + 4; i++) {
+ for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) {
if (buf[i] == 0xb0) {
s->needs_vpd_bl_emulation = false;
return;
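Review bot: In the new loop condition, `MIN(sizeof(buf), page_len + 4)` bounds the scan by sizeof(buf), while the commit message states the limit as the allocation length that was sent to the INQUIRY command. The declaration of buf is outside the hunk context: sizeof(buf) is the array size only if buf is a local array (for a pointer it would be the pointer size), and it equals the stated limit only if the same value was passed as the INQUIRY allocation length. Suggest deriving both from one constant or variable, or adding a one-line comment above the loop that ties them together. The MIN also mixes a size_t with the type of page_len + 4 (declaration not shown), so computing the end offset once into a size_t local before the loop would make the comparison explicit and avoid re-evaluating it on every iteration.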
--
2.17.1
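The bound described in the commit message, as an added stand-alone example (not QEMU code and not part of the original patch). The helper name `vpd_list_has_page`, its parameters and the sample response are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not QEMU code): scan a "supported VPD pages" INQUIRY
 * response for a page code. buf_len is the allocation length that was sent
 * with the INQUIRY, i.e. the number of bytes the caller actually owns. */
static bool vpd_list_has_page(const uint8_t *buf, size_t buf_len, uint8_t page)
{
    if (buf_len < 4) {
        return false;               /* 4-byte header is incomplete */
    }
    /* buf[3] is device-controlled: clamp the end offset to buf_len. */
    size_t end = (size_t)buf[3] + 4;
    if (end > buf_len) {
        end = buf_len;
    }
    for (size_t i = 4; i < end; i++) {
        if (buf[i] == page) {
            return true;
        }
    }
    return false;
}

/* Constructed response: the device claims a 0xff-byte page list although
 * only 8 bytes were requested. The 0xb0 at offset 8 stands in for whatever
 * memory lies past the caller's buffer. */
static const uint8_t constructed_resp[16] = {
    0x00, 0x00, 0x00, 0xff,   /* header; buf[3] = page list length (255) */
    0x00, 0x80, 0x83, 0xb1,   /* page codes inside the 8-byte allocation */
    0xb0,                     /* beyond the allocation: must not be read */
};

int main(void)
{
    /* Clamped to the 8-byte allocation: offset 8 is never inspected. */
    printf("bounded to 8:  %d\n", vpd_list_has_page(constructed_resp, 8, 0xb0));
    /* With all 16 bytes owned by the caller, the entry is legitimately seen. */
    printf("bounded to 16: %d\n", vpd_list_has_page(constructed_resp, 16, 0xb0));
    return 0;
}
```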