From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:32777)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1ZIa29-0005Qa-In
	for qemu-devel@nongnu.org; Fri, 24 Jul 2015 06:16:54 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1ZIa23-0000l5-HV
	for qemu-devel@nongnu.org; Fri, 24 Jul 2015 06:16:53 -0400
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 24 Jul 2015 12:16:27 +0200
Message-Id: <1437732994-20478-7-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1437732994-20478-1-git-send-email-pbonzini@redhat.com>
References: <1437732994-20478-1-git-send-email-pbonzini@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL 06/13] scsi: fix buffer overflow in
	scsi_req_parse_cdb (CVE-2015-5158)
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org

This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer.  scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (=E6=9C=B1=E4=B8=9C=E6=B5=B7) <donghai.zdh@aliba=
ba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/scsi-bus.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index f50b2f0..f0ae462 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
 {
     int rc;
+    int len;
=20
     cmd->lba =3D -1;
-    cmd->len =3D scsi_cdb_length(buf);
+    len =3D scsi_cdb_length(buf);
+    if (len < 0) {
+        return -1;
+    }
=20
+    cmd->len =3D len;
     switch (dev->type) {
     case TYPE_TAPE:
         rc =3D scsi_req_stream_xfer(cmd, dev, buf);
--=20
2.4.3