diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2015-07-21 08:59:39 +0200 |
---|---|---|
committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2015-07-29 22:13:25 -0500 |
commit | 961c74a841ae6d2ef03f6684c9f74fbdf8f472b1 (patch) | |
tree | 48b104cdafa95154368f6f59464625e7e70e9119 /hw/scsi | |
parent | 98fe91ed66f09001a596009625210fb0d9324c50 (diff) |
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Diffstat (limited to 'hw/scsi')
-rw-r--r-- | hw/scsi/scsi-bus.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c index bd2c0e4caa..0c506dbe9c 100644 --- a/hw/scsi/scsi-bus.c +++ b/hw/scsi/scsi-bus.c @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) { int rc; + int len; cmd->lba = -1; - cmd->len = scsi_cdb_length(buf); + len = scsi_cdb_length(buf); + if (len < 0) { + return -1; + } + cmd->len = len; switch (dev->type) { case TYPE_TAPE: rc = scsi_req_stream_xfer(cmd, dev, buf); |