From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 13/17] scsi-generic: avoid out-of-bounds access to VPD page list
Date: Tue, 6 Nov 2018 22:37:59 +0100
Message-ID: <1541540283-45699-14-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1541540283-45699-1-git-send-email-pbonzini@redhat.com>
A device can report an excessive number of VPD pages when asked for a
list; this can cause an out-of-bounds access to buf in
scsi_generic_set_vpd_bl_emulation. It should not happen, but
it is technically not incorrect, so handle it: do not check any byte
past the allocation length that was sent to the INQUIRY command.
Reported-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/scsi-generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index aebb7cd..c5497bb 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s)
}
page_len = buf[3];
- for (i = 4; i < page_len + 4; i++) {
+ for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) {
if (buf[i] == 0xb0) {
s->needs_vpd_bl_emulation = false;
return;
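Review bot: the new loop bound `MIN(sizeof(buf), page_len + 4)` is only a correct clamp if `buf` is a fixed-size local array in scsi_generic_set_vpd_bl_emulation; on a pointer `sizeof(buf)` would be the pointer width and the check would silently stop after a handful of entries. The commit message says the intent is to stay within the allocation length sent with INQUIRY, so it is worth confirming (the allocation is outside this hunk) that the same size is used for both the request and this bound, ideally through one shared constant so they cannot drift apart.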
--
1.8.3.1
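The failure mode described in the commit message, as an added stand-alone example (not QEMU code): a constructed "supported VPD pages" response whose reported list length (buf[3]) exceeds the bytes actually transferred, scanned once with the clamped bound. The allocation length and the helper names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical INQUIRY allocation length for the page-0x00 request
 * (example value, not taken from QEMU). */
#define VPD_LIST_ALLOC_LEN 64

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Scan a page-0x00 (supported VPD pages) response for `page`.
 * buf[3] is the device-reported list length; the device may claim more
 * entries than were transferred, so the scan is clamped to alloc_len. */
static bool vpd_list_contains(const uint8_t *buf, size_t alloc_len, uint8_t page)
{
    size_t page_len = buf[3];
    size_t end = MIN(alloc_len, page_len + 4);   /* same clamp as the patch */
    for (size_t i = 4; i < end; i++) {
        if (buf[i] == page) {
            return true;
        }
    }
    return false;
}

/* How many bytes past the buffer the unclamped loop (i < page_len + 4)
 * would have read for this response; 0 when the list fits. */
static size_t vpd_list_overrun(const uint8_t *buf, size_t alloc_len)
{
    size_t claimed_end = (size_t)buf[3] + 4;
    return claimed_end > alloc_len ? claimed_end - alloc_len : 0;
}

/* Constructed response: claims 200 pages but only 64 bytes were filled. */
static void build_oversized_response(uint8_t *buf, size_t alloc_len, bool list_b0)
{
    memset(buf, 0, alloc_len);
    buf[1] = 0x00;              /* page code: supported VPD pages */
    buf[3] = 200;               /* device-reported list length (too large) */
    buf[4] = 0x00;              /* listed page codes */
    buf[5] = 0x80;
    buf[6] = list_b0 ? 0xb0 : 0x83;
}

static bool demo_block_limits_listed(bool list_b0)
{
    uint8_t buf[VPD_LIST_ALLOC_LEN];
    build_oversized_response(buf, sizeof(buf), list_b0);
    return vpd_list_contains(buf, sizeof(buf), 0xb0);
}
```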