1a90c34242
Submit includes numerous security fixes, patches which help fulfill FATE regarding xen pv-usb. and a fix openQA is needing. OBS-URL: https://build.opensuse.org/request/show/400970 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=299
38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From 30f011dc5ea3328e6bef4923f60e03a5664425f9 Mon Sep 17 00:00:00 2001
|
|
From: Peter Lieven <pl@kamp.de>
|
|
Date: Tue, 24 May 2016 10:59:28 +0200
|
|
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
|
|
|
|
at least in the path via virtio-blk the maximum size is not
|
|
restricted.
|
|
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Peter Lieven <pl@kamp.de>
|
|
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
|
|
[BR: CVE-2016-5126 BSC#982285]
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
block/iscsi.c | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/block/iscsi.c b/block/iscsi.c
|
|
index 302baf8..172e6cf 100644
|
|
--- a/block/iscsi.c
|
|
+++ b/block/iscsi.c
|
|
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
|
|
return &acb->common;
|
|
}
|
|
|
|
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
|
|
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
|
|
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
|
|
+ qemu_aio_unref(acb);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
acb->task = malloc(sizeof(struct scsi_task));
|
|
if (acb->task == NULL) {
|
|
error_report("iSCSI: Failed to allocate task for scsi command. %s",
|