www.infradead.org Git - users/dwmw2/qemu.git/commit

author	Paolo Bonzini <pbonzini@redhat.com>
	Tue, 21 Jul 2015 06:59:39 +0000 (08:59 +0200)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 30 Jul 2015 03:13:25 +0000 (22:13 -0500)
commit	961c74a841ae6d2ef03f6684c9f74fbdf8f472b1
tree	48b104cdafa95154368f6f59464625e7e70e9119	tree
parent	98fe91ed66f09001a596009625210fb0d9324c50	commit \| diff

scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer. scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>