From: P J P <ppandit@redhat.com>
To: Qemu Developers <qemu-devel@nongnu.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>, Li Qiang <liqiang6-s@360.cn>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: [Qemu-devel] [PATCH 1/2] scsi: check command buffer length before write(CVE-2016-4439)
Date: Thu, 19 May 2016 16:09:30 +0530 [thread overview]
Message-ID: <1463654371-11169-2-git-send-email-ppandit@redhat.com> (raw)
In-Reply-To: <1463654371-11169-1-git-send-email-ppandit@redhat.com>
From: Prasad J Pandit <pjp@fedoraproject.org>
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add check to avoid OOB write
access.
Fixes CVE-2016-4439
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/scsi/esp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8961be2..01497e6 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
break;
case ESP_FIFO:
if (s->do_cmd) {
- s->cmdbuf[s->cmdlen++] = val & 0xff;
+ if (s->cmdlen < TI_BUFSZ) {
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
+ } else {
+ trace_esp_error_fifo_overrun();
+ }
} else if (s->ti_size == TI_BUFSZ - 1) {
trace_esp_error_fifo_overrun();
} else {
--
2.5.5
next prev parent reply other threads:[~2016-05-19 10:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-19 10:39 [Qemu-devel] [PATCH 0/2] Qemu: scsi: esp: check command buffer input length P J P
2016-05-19 10:39 ` P J P [this message]
2016-05-19 10:39 ` [Qemu-devel] [PATCH 2/2] scsi: check dma length before reading scsi command(CVE-2016-4441) P J P
2016-05-19 11:35 ` [Qemu-devel] [PATCH 0/2] Qemu: scsi: esp: check command buffer input length Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1463654371-11169-2-git-send-email-ppandit@redhat.com \
--to=ppandit@redhat.com \
--cc=liqiang6-s@360.cn \
--cc=pbonzini@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).