From 962365cb7062373cac84b56e541760de59597dcd Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 15 Sep 2015 13:06:30 +0200 Subject: [PATCH 03/22] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Message-id: <1442322391-7561-1-git-send-email-pbonzini@redhat.com> Patchwork-id: 67768 O-Subject: [RHEL7.2 qemu-kvm-rhev PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) Bugzilla: 1244334 RH-Acked-by: Fam Zheng RH-Acked-by: Thomas Huth RH-Acked-by: Laszlo Ersek This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9) Signed-off-by: Miroslav Rezanina --- hw/scsi/scsi-bus.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c index f50b2f0..f0ae462 100644 --- a/hw/scsi/scsi-bus.c +++ b/hw/scsi/scsi-bus.c @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) { int rc; + int len; cmd->lba = -1; - cmd->len = scsi_cdb_length(buf); + len = scsi_cdb_length(buf); + if (len < 0) { + return -1; + } + cmd->len = len; switch (dev->type) { case TYPE_TAPE: rc = scsi_req_stream_xfer(cmd, dev, buf); -- 1.8.3.1