[PATCH v2 0/3] Megasas: fix OOB access and NULL dereference issues

From: P J P
Subject: [PATCH v2 0/3] Megasas: fix OOB access and NULL dereference issues
Date: Thu, 14 May 2020 00:55:37 +0530

From: Prasad J Pandit <address@hidden>
Hello,
* First patch fixes an OOB access issue which may occur when a guest user
sets the 'reply_queue_head' field to a negative or large positive value,
via the 'struct mfi_init_qinfo' object in megasas_init_firmware(), such that
the 'index' variables in megasas_lookup_frame() go beyond the
s->frames[MEGASAS_MAX_FRAMES=2048] array bounds.
-> https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
* Second patch fixes a NULL pointer dereference issue which may occur
if the megasas_enqueue_frame() routine returns a NULL frame for a given
'frame_addr' address.
-> https://bugs.launchpad.net/qemu/+bug/1878259
* Third patch updates other numeric fields of MegasasState to unsigned type.
Thank you.
--
Prasad J Pandit (3):
megasas: use unsigned type for reply_queue_head and check index
megasas: avoid NULL pointer dereference
megasas: use unsigned type for positive numeric fields
hw/scsi/megasas.c | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
--
2.25.4
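Added example (not QEMU's code) modelling the bug class the first two patches address: a signed, guest-controlled index passes an upper-bound-only check when negative, while the same check on an unsigned index rejects it, and a lookup that returns NULL must be handled by its caller rather than dereferenced. MegasasStateModel, MegasasCmdModel, index_in_bounds_signed, index_in_bounds_unsigned, lookup_frame_checked and enqueue_checked are hypothetical names; MEGASAS_MAX_FRAMES=2048 is the value quoted in the cover letter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MEGASAS_MAX_FRAMES 2048          /* array size quoted in the cover letter */

/* Simplified model of the frame table, not QEMU's MegasasState (hypothetical). */
typedef struct {
    uint64_t pa;                         /* guest physical address of the frame */
} MegasasCmdModel;

typedef struct {
    MegasasCmdModel frames[MEGASAS_MAX_FRAMES];
    uint32_t reply_queue_head;           /* unsigned, as the first patch makes it */
} MegasasStateModel;

/* 'before' pattern: signed index with an upper-bound-only check. A guest value
 * such as -1 is below MEGASAS_MAX_FRAMES, so s->frames[index] would read before
 * the array. */
static bool index_in_bounds_signed(int32_t index)
{
    return index < MEGASAS_MAX_FRAMES;
}

/* 'after' pattern: the same comparison on an unsigned index rejects every
 * value that was negative as a signed integer, since it becomes huge. */
static bool index_in_bounds_unsigned(uint32_t index)
{
    return index < MEGASAS_MAX_FRAMES;
}

/* Checked lookup: NULL instead of a pointer outside the table. */
static MegasasCmdModel *lookup_frame_checked(MegasasStateModel *s, uint32_t index)
{
    return index_in_bounds_unsigned(index) ? &s->frames[index] : NULL;
}

/* Caller mirrors the second patch: a NULL frame is an error to report,
 * not a pointer to dereference. Returns 0 on success, -1 on rejection. */
static int enqueue_checked(MegasasStateModel *s, uint32_t index, uint64_t frame_addr)
{
    MegasasCmdModel *cmd = lookup_frame_checked(s, index);
    if (cmd == NULL) {
        return -1;
    }
    cmd->pa = frame_addr;
    s->reply_queue_head = (index + 1) % MEGASAS_MAX_FRAMES;
    return 0;
}
```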