| commit | c170aad8b057223b1139d72e5ce7acceafab4fa9 | |
| author | Paolo Bonzini <pbonzini@redhat.com> | |
| Tue, 21 Jul 2015 06:59:39 +0000 (21 08:59 +0200) | ||
| committer | Paolo Bonzini <pbonzini@redhat.com> | |
| Fri, 24 Jul 2015 11:57:44 +0000 (24 13:57 +0200) | ||
| tree | 50a3de66af501ceb759affdbf58e72a2aec2128a | treesnapshot (tar.gz zip) |
| parent | 60928458e5eea3c77a7eb0a4194927872f463947 | commitdiff |
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.
Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.
Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| hw/scsi/scsi-bus.c | diffblobblamehistory |