From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 13/17] scsi-generic: avoid out-of-bounds access to VPD page list
Date: Tue, 6 Nov 2018 22:37:59 +0100

A device can report an excessive number of VPD pages when asked for a
list; this can cause an out-of-bounds access to buf in
scsi_generic_set_vpd_bl_emulation. It should not happen, but
it is technically not incorrect so handle it: do not check any byte
past the allocation length that was sent to the INQUIRY command.
Reported-by: Max Reitz <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/scsi-generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index aebb7cd..c5497bb 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s)
}
page_len = buf[3];
- for (i = 4; i < page_len + 4; i++) {
+ for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) {
if (buf[i] == 0xb0) {
s->needs_vpd_bl_emulation = false;
return;
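Review bot: The new loop bound `MIN(sizeof(buf), page_len + 4)` is only correct if `sizeof(buf)` equals the allocation length placed in the INQUIRY CDB and if `buf` is an array rather than a pointer, and neither is visible in this hunk. The commit message states the intent ("do not check any byte past the allocation length that was sent to the INQUIRY command"), so a one-line comment above the loop saying the same would keep the two from drifting apart if the buffer or the CDB setup is changed later. It would also read more clearly to clamp once before the loop, for example by assigning the MIN() result to page_len or to a separate end index, so the condition is a plain `i < end` and the comparison between the `sizeof` result and `page_len + 4` is not re-evaluated with mixed types on every iteration. Since `page_len` comes from the single byte `buf[3]`, `page_len + 4` can reach 259, so the clamp is needed whenever the buffer is smaller than that.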
--
1.8.3.1