pool/xen
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
factory
xen/CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
Charles Arnold c8a1704907 - bsc#978413 - PV guest upgrade from sles11sp4 to sles12sp2 alpha3 
failed on sles11sp4 xen host.
  pygrub-handle-one-line-menu-entries.patch

- bsc#990843 - VUL-1: CVE-2016-6351: xen: qemu: scsi: esp: OOB
  write access in esp_do_dma
  CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=444
2016-07-29 21:59:43 +00:00

74 lines
2.5 KiB
Diff
Raw Permalink Blame History

References: bsc#990843 CVE-2016-6351
Subject: scsi: esp: make cmdbuf big enough for maximum CDB size
From: Prasad J Pandit pjp@fedoraproject.org Thu Jun 16 00:22:35 2016 +0200
Date: Thu Jun 16 18:39:05 2016 +0200:
Git: 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11
While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes. Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
@@ -26,6 +26,8 @@
#include "scsi-disk.h"
#include "scsi.h"
+#include <assert.h>
+
/* debug ESP card */
//#define DEBUG_ESP
@@ -49,6 +51,7 @@ do { printf("ESP ERROR: %s: " fmt, __fun
#define ESP_REGS 16
#define TI_BUFSZ 16
+#define ESP_CMDBUF_SZ 32
typedef struct ESPState ESPState;
@@ -64,7 +67,7 @@ struct ESPState {
uint32_t dma;
SCSIDevice *scsi_dev[ESP_MAX_DEVS];
SCSIDevice *current_dev;
- uint8_t cmdbuf[TI_BUFSZ];
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
uint32_t cmdlen;
uint32_t do_cmd;
@@ -294,6 +297,8 @@ static void esp_do_dma(ESPState *s)
len = s->dma_left;
if (s->do_cmd) {
DPRINTF("command len %d + %d\n", s->cmdlen, len);
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
s->ti_size = 0;
s->cmdlen = 0;
@@ -382,7 +387,7 @@ static void handle_ti(ESPState *s)
s->dma_counter = dmalen;
if (s->do_cmd)
- minlen = (dmalen < 32) ? dmalen : 32;
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
else if (s->ti_size < 0)
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
else
@@ -476,7 +481,7 @@ static void esp_mem_writeb(void *opaque,
break;
case ESP_FIFO:
if (s->do_cmd) {
- if (s->cmdlen < TI_BUFSZ) {
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
s->cmdbuf[s->cmdlen++] = val & 0xff;
} else {
ESP_ERROR("fifo overrun\n");
Reference in New Issue View Git Blame Copy Permalink