From: P J P
Date: Thu, 19 May 2016 16:09:29 +0530
Message-Id: <1463654371-11169-1-git-send-email-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH 0/2] Qemu: scsi: esp: check command buffer input length
To: Qemu Developers
Cc: Paolo Bonzini, Li Qiang, Prasad J Pandit

From: Prasad J Pandit

Hello,

The ESP 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer between the controller and the bus. A couple of OOB write access issues were found and reported in its emulation by Mr Li Qiang of 360.cn Inc.

Please see below the proposed patches to fix these issues.

Thank you.
--

Prasad J Pandit (2):
  scsi: check command buffer length before write (CVE-2016-4439)
  scsi: check dma length before reading scsi command (CVE-2016-4441)

 hw/scsi/esp.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--
2.5.5