| commit | de594e47659029316bbf9391efb79da0a1a08e08 | |
| author | Paolo Bonzini <pbonzini@redhat.com> | |
| Wed, 14 Aug 2019 12:05:21 +0000 (14 17:35 +0530) | ||
| committer | Paolo Bonzini <pbonzini@redhat.com> | |
| Tue, 20 Aug 2019 18:00:52 +0000 (20 20:00 +0200) | ||
| tree | 22f8f2a895bcf13ac6b57d574b48a44344bfa99b | treesnapshot (tar.gz zip) |
| parent | a060297822ea6b4194bf36654e58c802448a3eea | commitdiff |
scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
When executing script in lsi_execute_script(), the LSI scsi adapter
emulator advances 's->dsp' index to read next opcode. This can lead
to an infinite loop if the next opcode is empty. Move the existing
loop exit after 10k iterations so that it covers no-op opcodes as
well.
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
When executing script in lsi_execute_script(), the LSI scsi adapter
emulator advances 's->dsp' index to read next opcode. This can lead
to an infinite loop if the next opcode is empty. Move the existing
loop exit after 10k iterations so that it covers no-op opcodes as
well.
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
| hw/scsi/lsi53c895a.c | diffblobblamehistory |