scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
commit 8b95d8e1d5157c7875ad6c0315b2b42b1f66a184
author Prasad J Pandit <pjp@fedoraproject.org>
Mon, 23 May 2016 10:48:05 +0000 (23 16:18 +0530)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
Fri, 5 Aug 2016 18:31:47 +0000 (5 13:31 -0500)
tree 269f315782775b4ab4f7e8dae6fcaa4561446289
parent 54eb4cf5fc5dc38ac56bb63b8bc5b609f05286a6
scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)

VMware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value, leading to an OOB access issue. Add a check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/scsi/vmw_pvscsi.c
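
The kind of check the commit message describes, as an added example that is not the QEMU patch or code from this commit: a device model bounds a guest-supplied ring size before using it to index fixed-size arrays. Every name, limit and structure layout here (`ring_init`, `ring_entry_addr`, `RING_MAX_PAGES`, the entry size) is hypothetical, and the sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits and layout for this example, not QEMU's definitions. */
#define RING_MAX_PAGES   32u
#define PAGE_SHIFT       12
#define ENTRY_SIZE       128u
#define ENTRIES_PER_PAGE 32u                /* 4096-byte page / 128-byte entry */
struct setup_rings_cmd {                    /* written by the guest: untrusted */
    uint32_t num_pages;                     /* guest-chosen ring size, in pages */
    uint64_t page_ppn[RING_MAX_PAGES];      /* page numbers backing the ring */
};
struct ring_state {                         /* kept by the device model */
    uint32_t num_pages;
    uint64_t page_pa[RING_MAX_PAGES];
};

/* Returns 0 on success, -1 if the guest-supplied size is rejected. */
int ring_init(struct ring_state *rs, const struct setup_rings_cmd *cmd)
{
    uint32_t n = cmd->num_pages;            /* read the guest value once */
    /* Without this bound the loop below reads and writes past both arrays. */
    if (n == 0 || n > RING_MAX_PAGES) {
        return -1;
    }
    rs->num_pages = n;
    for (uint32_t i = 0; i < n; i++) {
        rs->page_pa[i] = cmd->page_ppn[i] << PAGE_SHIFT;
    }
    return 0;
}

/* Guest-physical address of ring entry idx; the index wraps around the ring. */
uint64_t ring_entry_addr(const struct ring_state *rs, uint32_t idx)
{
    uint32_t slot = idx % (rs->num_pages * ENTRIES_PER_PAGE);
    return rs->page_pa[slot / ENTRIES_PER_PAGE]
           + (uint64_t)(slot % ENTRIES_PER_PAGE) * ENTRY_SIZE;
}

int main(void)
{
    /* Constructed input: a valid 2-page ring, then an oversized request. */
    struct setup_rings_cmd cmd = { .num_pages = 2, .page_ppn = { 0x10, 0x20 } };
    struct ring_state rs;
    int ok = ring_init(&rs, &cmd);
    cmd.num_pages = 0xFFFFFFFFu;
    printf("valid=%d oversized=%d\n", ok, ring_init(&rs, &cmd));
    return 0;
}
```

Because the rejected call returns before touching `rs`, the previously accepted ring state stays valid, so later index calculations never see an unchecked size.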