File CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-en... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch of Package xen (Revision ed6e95243e41f0e55bab66a694574eed)

Currently displaying revision ed6e95243e41f0e55bab66a694574eed , Show latest

References:  bsc#990843 CVE-2016-6351

Subject: scsi: esp: make cmdbuf big enough for maximum CDB size
From: Prasad J Pandit pjp@fedoraproject.org Thu Jun 16 00:22:35 2016 +0200
Date: Thu Jun 16 18:39:05 2016 +0200:
Git: 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11

While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes.  Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
@@ -26,6 +26,8 @@
 #include "scsi-disk.h"
 #include "scsi.h"
 
+#include <assert.h>
+
 /* debug ESP card */
 //#define DEBUG_ESP
 
@@ -49,6 +51,7 @@ do { printf("ESP ERROR: %s: " fmt, __fun
 
 #define ESP_REGS 16
 #define TI_BUFSZ 16
+#define ESP_CMDBUF_SZ 32
 
 typedef struct ESPState ESPState;
 
@@ -64,7 +67,7 @@ struct ESPState {
     uint32_t dma;
     SCSIDevice *scsi_dev[ESP_MAX_DEVS];
     SCSIDevice *current_dev;
-    uint8_t cmdbuf[TI_BUFSZ];
+    uint8_t cmdbuf[ESP_CMDBUF_SZ];
     uint32_t cmdlen;
     uint32_t do_cmd;
 
@@ -294,6 +297,8 @@ static void esp_do_dma(ESPState *s)
     len = s->dma_left;
     if (s->do_cmd) {
         DPRINTF("command len %d + %d\n", s->cmdlen, len);
+        assert (s->cmdlen <= sizeof(s->cmdbuf) &&
+                len <= sizeof(s->cmdbuf) - s->cmdlen);
         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
         s->ti_size = 0;
         s->cmdlen = 0;
@@ -382,7 +387,7 @@ static void handle_ti(ESPState *s)
     s->dma_counter = dmalen;
 
     if (s->do_cmd)
-        minlen = (dmalen < 32) ? dmalen : 32;
+        minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
     else if (s->ti_size < 0)
         minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
     else
@@ -476,7 +481,7 @@ static void esp_mem_writeb(void *opaque,
         break;
     case ESP_FIFO:
         if (s->do_cmd) {
-            if (s->cmdlen < TI_BUFSZ) {
+            if (s->cmdlen < ESP_CMDBUF_SZ) {
                 s->cmdbuf[s->cmdlen++] = val & 0xff;
             } else {
                 ESP_ERROR("fifo overrun\n");

Places

File CVE-2016-6351-qemut-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch of Package xen (Revision ed6e95243e41f0e55bab66a694574eed)

Places