10a6644014
while writing to 's->cmdbuf' in get_cmd CVE-2016-4441-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-get_cmd.patch - bsc#980716 - VUL-0: CVE-2016-4439: xen: scsi: esp: OOB write while writing to 's->cmdbuf' in esp_reg_write CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=432
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
References: bsc#980716 CVE-2016-4439
|
|
|
|
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
|
FIFO buffer. It is used to handle command and data transfer. While
|
|
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
|
|
was missing to validate input length. Add check to avoid OOB write
|
|
access.
|
|
|
|
Fixes CVE-2016-4439
|
|
Reported-by: Li Qiang <address@hidden>
|
|
|
|
Signed-off-by: Prasad J Pandit <address@hidden>
|
|
---
|
|
hw/scsi/esp.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
===================================================================
|
|
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
@@ -471,7 +471,11 @@ static void esp_mem_writeb(void *opaque,
|
|
break;
|
|
case ESP_FIFO:
|
|
if (s->do_cmd) {
|
|
- s->cmdbuf[s->cmdlen++] = val & 0xff;
|
|
+ if (s->cmdlen < TI_BUFSZ) {
|
|
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
|
|
+ } else {
|
|
+ ESP_ERROR("fifo overrun\n");
|
|
+ }
|
|
} else if (s->ti_size == TI_BUFSZ - 1) {
|
|
ESP_ERROR("fifo overrun\n");
|
|
} else {
|