File CVE-2018-18849-qemut-lsi53c895a-OOB-msg-buffer-... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-18849-qemut-lsi53c895a-OOB-msg-buffer-access-leads-to-DoS.patch of Package xen (Revision 554d5ba9a0540086d7a2596d075f8fe1)

Currently displaying revision 554d5ba9a0540086d7a2596d075f8fe1 , Show latest

References: bsc#1114423 CVE-2018-18849

From: Prasad J Pandit <address@hidden>

While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid due to an invalid migration stream.
Add an assertion to avoid an out of bounds access, and reject
the incoming migration data if it contains an invalid message
length.

Discovered by Deja vu Security. Reported by Oracle.

Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
@@ -14,6 +14,7 @@
 #include "pci.h"
 #include "scsi-disk.h"
 #include "block_int.h"
+#include <assert.h>
 
 //#define DEBUG_LSI
 //#define DEBUG_LSI_REG
@@ -725,10 +726,11 @@ static void lsi_disconnect(LSIState *s)
 
 static void lsi_do_msgin(LSIState *s)
 {
-    int len;
+    uint8_t len;
     DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
     s->sfbr = s->msg[0];
     len = s->msg_len;
+    assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
     if (len > s->dbc)
         len = s->dbc;
     cpu_physical_memory_write(s->dnad, s->msg, len);
@@ -1451,8 +1453,10 @@ static uint8_t lsi_reg_readb(LSIState *s
         return s->ccntl1;
     case 0x58: /* SBDL */
         /* Some drivers peek at the data bus during the MSG IN phase.  */
-        if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
+        if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
+            assert(s->msg_len > 0);
             return s->msg[0];
+        }
         return 0;
     case 0x59: /* SBDL high */
         return 0;

Places

File CVE-2018-18849-qemut-lsi53c895a-OOB-msg-buffer-access-leads-to-DoS.patch of Package xen (Revision 554d5ba9a0540086d7a2596d075f8fe1)

Places