Subject: [Stable-7.2.7 18/62] esp: restrict non-DMA transfer length to that of available data
From: Michael Tokarev
Date: Thu, 9 Nov 2023 16:58:46 +0300
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.
Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4218a6a960..9b11d8c573 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s)
}
if (to_device) {
- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ);
+ len = MIN(s->async_len, ESP_FIFO_SZ);
+ len = MIN(len, fifo8_num_used(&s->fifo));
esp_fifo_pop_buf(&s->fifo, s->async_buf, len);
s->async_buf += len;
s->async_len -= len;
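Review bot: the two MIN() calls now guarantee len <= s->async_len, so the `s->async_len -= len` in the trailing context can no longer wrap, but when the FIFO holds more bytes than async_len the excess stays queued in the FIFO and nothing in this hunk drains or reports it; a short comment above the clamp stating that leaving those bytes behind is intended (or an explicit discard if it is not) would spare the next reader from re-deriving the reasoning in the commit message. Minor: if the FIFO is created with ESP_FIFO_SZ entries, the `MIN(s->async_len, ESP_FIFO_SZ)` bound is already implied by `fifo8_num_used(&s->fifo)` and could be folded into a single MIN() against async_len.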
--
2.39.2
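Added example, not QEMU's code: a small C model of the length computation in the hunk above, using constructed fifo_used/async_len values and a SimState stand-in for the two ESPState fields involved, showing how the old single MIN() picks a length larger than async_len and wraps the unsigned counter, and how the two-MIN() clamp keeps the pop inside the expected transfer.

```c
#include <stdint.h>
#include <stdio.h>
#define ESP_FIFO_SZ 16   /* FIFO size used by the clamp in esp.c */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed stand-in for the two ESPState fields the hunk reads. */
typedef struct {
    uint32_t fifo_used;  /* what fifo8_num_used(&s->fifo) would return */
    uint32_t async_len;  /* bytes the SCSI layer still expects */
} SimState;

/* Pre-patch: only the FIFO fill level bounds the pop. */
static uint32_t old_len(const SimState *s)
{
    return MIN(s->fifo_used, ESP_FIFO_SZ);
}

/* Post-patch: the pop is also bounded by the remaining expected length. */
static uint32_t new_len(const SimState *s)
{
    uint32_t len = MIN(s->async_len, ESP_FIFO_SZ);
    return MIN(len, s->fifo_used);
}

/* A pop of len bytes stays inside the SCSI buffer only if len <= async_len. */
static int pop_in_bounds(const SimState *s, uint32_t len)
{
    return len <= s->async_len;
}

/* Mirror the hunk's bookkeeping (s->async_len -= len) and return the new
 * value; an out-of-range len makes the unsigned subtraction wrap. */
static uint32_t apply_pop(SimState *s, uint32_t len)
{
    s->fifo_used -= len;
    s->async_len -= len;
    return s->async_len;
}

int main(void)
{
    /* Constructed case: a mis-terminated transfer left 12 bytes in the FIFO
     * while the SCSI layer expects only 4 more. */
    SimState before = { .fifo_used = 12, .async_len = 4 }, after = before;
    uint32_t lo = old_len(&before), ln = new_len(&after);
    int ok_old = pop_in_bounds(&before, lo), ok_new = pop_in_bounds(&after, ln);
    printf("old: len=%u in_bounds=%d async_len=0x%08x\n", lo, ok_old, apply_pop(&before, lo));
    printf("new: len=%u in_bounds=%d async_len=0x%08x\n", ln, ok_new, apply_pop(&after, ln));
    return 0;
}
```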