[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 19/24] esp: check dma length before reading scsi comm
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [PULL 19/24] esp: check dma length before reading scsi command(CVE-2016-4441) |
Date: |
Mon, 23 May 2016 17:09:54 +0200 |
From: Prasad J Pandit <address@hidden>
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.
Fixes CVE-2016-4441.
Reported-by: Li Qiang <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/esp.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
}
}
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
{
uint32_t dmalen;
int target;
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
dmalen = s->rregs[ESP_TCLO];
dmalen |= s->rregs[ESP_TCMID] << 8;
dmalen |= s->rregs[ESP_TCHI] << 16;
+ if (dmalen > buflen) {
+ return 0;
+ }
s->dma_memory_read(s->dma_opaque, buf, dmalen);
} else {
dmalen = s->ti_size;
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
s->dma_cb = handle_satn;
return;
}
- len = get_cmd(s, buf);
+ len = get_cmd(s, buf, sizeof(buf));
if (len)
do_cmd(s, buf);
}
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
s->dma_cb = handle_s_without_atn;
return;
}
- len = get_cmd(s, buf);
+ len = get_cmd(s, buf, sizeof(buf));
if (len) {
do_busid_cmd(s, buf, 0);
}
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
s->dma_cb = handle_satn_stop;
return;
}
- s->cmdlen = get_cmd(s, s->cmdbuf);
+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
if (s->cmdlen) {
trace_esp_handle_satn_stop(s->cmdlen);
s->do_cmd = 1;
--
1.8.3.1
- [Qemu-devel] [PULL 13/24] memory: remove unnecessary masking of MemoryRegion ram_addr, (continued)
- [Qemu-devel] [PULL 13/24] memory: remove unnecessary masking of MemoryRegion ram_addr, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 07/24] ioapic: clear remote irr bit for edge-triggered interrupts, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 01/24] exec.c: Ensure right alignment also for file backed ram, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 02/24] docs/atomics.txt: Update pointer to linux macro, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 10/24] exec: adjust rcu_read_lock requirement, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 18/24] esp: check command buffer length before write(CVE-2016-4439), Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 04/24] configure: Allow builds with extra warnings, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 15/24] Remove config-devices.mak on 'make clean', Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 14/24] cpus.c: Use pthread_sigmask() rather than sigprocmask(), Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 23/24] nmi: remove x86 specific nmi handling, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 19/24] esp: check dma length before reading scsi command(CVE-2016-4441),
Paolo Bonzini <=
- [Qemu-devel] [PULL 12/24] memory: Drop FlatRange.romd_mode, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 17/24] scripts/signrom.py: Check for magic in option ROMs., Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 11/24] memory: Remove code for mr->may_overlap, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 16/24] scripts/signrom.py: Allow option ROM checksum script to write the size header., Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 24/24] cpus: call the core nmi injection function, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 20/24] iscsi: pass SCSI status back for SG_IO, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 22/24] target-i386: add a generic x86 nmi handler, Paolo Bonzini, 2016/05/23
- [Qemu-devel] [PULL 21/24] coccinelle: add g_assert_cmp* to macro file, Paolo Bonzini, 2016/05/23
- Re: [Qemu-devel] [PULL 00/24] Misc patches for 2016-05-23, Peter Maydell, 2016/05/23