From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58014) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZHuqX-0005MP-CN for qemu-devel@nongnu.org; Wed, 22 Jul 2015 10:18:13 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZHuqS-0001AJ-CQ for qemu-devel@nongnu.org; Wed, 22 Jul 2015 10:18:09 -0400 From: Paolo Bonzini Date: Wed, 22 Jul 2015 16:18:00 +0200 Message-Id: <1437574681-18362-1-git-send-email-pbonzini@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (=E6=9C=B1=E4=B8=9C=E6=B5=B7) Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Cc: qemu-stable@nongnu.org --- hw/scsi/scsi-bus.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c index f50b2f0..f0ae462 100644 --- a/hw/scsi/scsi-bus.c +++ b/hw/scsi/scsi-bus.c @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) { int rc; + int len; =20 cmd->lba =3D -1; - cmd->len =3D scsi_cdb_length(buf); + len =3D scsi_cdb_length(buf); + if (len < 0) { + return -1; + } =20 + cmd->len =3D len; switch (dev->type) { case TYPE_TAPE: rc =3D scsi_req_stream_xfer(cmd, dev, buf); --=20 2.4.3