motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-12-11 16:00:50 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/hw/scsi
History
Michael S. Tsirkin 3c3ce98142 virtio-scsi: fix buffer overrun on invalid state load 
CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
..
esp-pci.c hw: set interrupts using pci irq wrappers 2013-10-14 17:11:45 +03:00
esp.c scsi: Pass size to scsi_bus_new() 2013-08-30 20:14:39 +02:00
lsi53c895a.c pci, pc, acpi fixes, enhancements 2013-10-31 16:58:32 +01:00
Makefile.objs vhost-scsi: new device supporting the tcm_vhost Linux kernel module 2013-04-19 16:18:11 +02:00
megasas.c qdev: Remove hex8/32/64 property types 2014-02-14 21:12:04 +01:00
mfi.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
scsi-bus.c scsi-bus: remove bogus assertion 2014-04-02 13:24:23 +02:00
scsi-disk.c scsi-disk: Add support for port WWN and index descriptors in VPD page 83h 2014-02-22 10:02:24 +01:00
scsi-generic.c scsi: Change scsi sense buf size to 252 2014-02-22 10:02:23 +01:00
spapr_vscsi.c spapr_vscsi: remove duplicate condition check 2014-03-26 13:19:22 +01:00
srp.h spapr-vscsi: add task management 2013-09-12 08:46:21 +02:00
vhost-scsi.c virtio: Convert exit to unrealize 2013-12-09 21:46:49 +01:00
viosrp.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
virtio-scsi.c virtio-scsi: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
vmw_pvscsi.c scsi: check req pointer before dereferencing it 2014-03-26 13:19:22 +01:00
vmw_pvscsi.h scsi: VMWare PVSCSI paravirtual device implementation 2013-04-19 10:44:17 +02:00