| commit | 3e831b40e015ba34dfb55ff11f767001839425ff | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Mon, 23 May 2016 10:48:05 +0000 (23 16:18 +0530) | ||
| committer | Paolo Bonzini <pbonzini@redhat.com> | |
| Sun, 29 May 2016 07:11:10 +0000 (29 09:11 +0200) | ||
| tree | fbaa5e3c5ffaacb7ac16319a71732abadcf4df36 | treesnapshot (tar.gz zip) |
| parent | 60b412dd18362bd4ddc44ba7022aacb6af074b5d | commitdiff |
scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| hw/scsi/vmw_pvscsi.c | diffblobblamehistory |