28ce061413
access while processing ESP_FIFO CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch - bsc#982960 - VUL-0: CVE-2016-5238: xen: qemu: scsi: esp: OOB write when using non-DMA mode in get_cmd CVE-2016-5238-qemut-scsi-esp-OOB-write-when-using-non-DMA-mode-in-get_cmd.patch - fate#319989 - Update to Xen 4.7 RC5 xen-4.7.0-testing-src.tar.bz2 - bsc#954872 - script block-dmmd not working as expected - libxl: error: libxl_dm.c (another modification) block-dmmd OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=435
38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
References: bsc#982960 CVE-2016-5238
|
|
|
|
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
|
FIFO buffer. It is used to handle command and data transfer.
|
|
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
|
|
command into a buffer. Add check to validate command length against
|
|
buffer size to avoid any overrun.
|
|
|
|
Reported-by: Li Qiang <address@hidden>
|
|
Signed-off-by: Prasad J Pandit <address@hidden>
|
|
---
|
|
hw/scsi/esp.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
===================================================================
|
|
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
|
|
@@ -176,6 +176,9 @@ static uint32_t get_cmd(ESPState *s, uin
|
|
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
|
} else {
|
|
dmalen = s->ti_size;
|
|
+ if (dmalen > TI_BUFSZ) {
|
|
+ return 0;
|
|
+ }
|
|
memcpy(buf, s->ti_buf, dmalen);
|
|
buf[0] = 0;
|
|
}
|
|
@@ -265,7 +268,7 @@ static void write_response(ESPState *s)
|
|
} else {
|
|
s->ti_size = 2;
|
|
s->ti_rptr = 0;
|
|
- s->ti_wptr = 0;
|
|
+ s->ti_wptr = 2;
|
|
s->rregs[ESP_RFLAGS] = 2;
|
|
}
|
|
esp_raise_irq(s);
|