| commit | 375667af787453a1678efdd4fe6e542924769779 | |
| author | Paolo Bonzini <pbonzini@redhat.com> | |
| Fri, 11 Jan 2019 16:27:31 +0000 (11 17:27 +0100) | ||
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | |
| Tue, 30 Jul 2019 20:15:46 +0000 (30 15:15 -0500) | ||
| tree | 20e088cf03a5925eba65043b0337fb954051f02d | treesnapshot (tar.gz zip) |
| parent | bceff528ba310d04baa6617a9fb708b85b85934c | commitdiff |
scsi-generic: avoid possible out-of-bounds access to r->buf
Whenever the allocation length of a SCSI request is shorter than the size of the
VPD page list, page_idx is used blindly to index into r->buf. Even though
the stores in the insertion sort are protected against overflows, the same is not
true of the reads and the final store of 0xb0.
This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest. Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based
on the allocation length.
The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
page list sorted", 2018-11-06) but the overflow was already possible before.
Reported-by: Kevin Wolf <kwolf@redhat.com>
Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e909ff93698851777faac3c45d03c1b73f311ea6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Whenever the allocation length of a SCSI request is shorter than the size of the
VPD page list, page_idx is used blindly to index into r->buf. Even though
the stores in the insertion sort are protected against overflows, the same is not
true of the reads and the final store of 0xb0.
This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest. Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based
on the allocation length.
The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
page list sorted", 2018-11-06) but the overflow was already possible before.
Reported-by: Kevin Wolf <kwolf@redhat.com>
Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e909ff93698851777faac3c45d03c1b73f311ea6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
| hw/scsi/scsi-generic.c | diffblobblamehistory |