| commit | 7f61f4690dd153be98900a2a508b88989e692753 | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Wed, 31 Aug 2016 06:49:29 +0000 (31 12:19 +0530) | ||
| committer | Paolo Bonzini <pbonzini@redhat.com> | |
| Tue, 13 Sep 2016 17:08:46 +0000 (13 19:08 +0200) | ||
| tree | 22d6c3e4fd3a9aa96fddc028633690fd5f196e9b | treesnapshot (tar.gz zip) |
| parent | 48b6206305b8d56524ac2ee347b68e6e0a528559 | commitdiff |
vmw_pvscsi: check page count while initialising descriptor rings
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to infinite loop or OOB access.
Add check to avoid it.
Reported-by: Tom Victor <vv474172261@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to infinite loop or OOB access.
Add check to avoid it.
Reported-by: Tom Victor <vv474172261@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| hw/scsi/vmw_pvscsi.c | diffblobblamehistory |