6f47abb900
xen-4.7.0-testing-src.tar.bz2 - Dropped xen.pkgconfig-4.7.patch xsa164.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=434
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
References: bsc#980716 CVE-2016-4439
|
|
|
|
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
|
FIFO buffer. It is used to handle command and data transfer. While
|
|
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
|
|
was missing to validate input length. Add check to avoid OOB write
|
|
access.
|
|
|
|
Fixes CVE-2016-4439
|
|
Reported-by: Li Qiang <address@hidden>
|
|
|
|
Signed-off-by: Prasad J Pandit <address@hidden>
|
|
---
|
|
hw/scsi/esp.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
===================================================================
|
|
--- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
+++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
@@ -471,7 +471,11 @@ static void esp_mem_writeb(void *opaque,
|
|
break;
|
|
case ESP_FIFO:
|
|
if (s->do_cmd) {
|
|
- s->cmdbuf[s->cmdlen++] = val & 0xff;
|
|
+ if (s->cmdlen < TI_BUFSZ) {
|
|
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
|
|
+ } else {
|
|
+ ESP_ERROR("fifo overrun\n");
|
|
+ }
|
|
} else if (s->ti_size == TI_BUFSZ - 1) {
|
|
ESP_ERROR("fifo overrun\n");
|
|
} else {
|