File CVE-2018-18849-qemut-lsi53c895a-OOB-msg-buffer-... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-18849-qemut-lsi53c895a-OOB-msg-buffer-access-leads-to-DoS.patch of Package xen (Revision 9835cbb403594f6a3356847debe1b465)

Currently displaying revision 9835cbb403594f6a3356847debe1b465 , Show latest

References: bsc#1114423 CVE-2018-18849

From: Prasad J Pandit <address@hidden>

While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid due to an invalid migration stream.
Add an assertion to avoid an out of bounds access, and reject
the incoming migration data if it contains an invalid message
length.

Discovered by Deja vu Security. Reported by Oracle.

Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

Index: xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
===================================================================
--- xen-4.9.3-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
+++ xen-4.9.3-testing/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
@@ -14,6 +14,7 @@
 #include "pci.h"
 #include "scsi-disk.h"
 #include "block_int.h"
+#include <assert.h>
 
 //#define DEBUG_LSI
 //#define DEBUG_LSI_REG
@@ -725,10 +726,11 @@ static void lsi_disconnect(LSIState *s)
 
 static void lsi_do_msgin(LSIState *s)
 {
-    int len;
+    uint8_t len;
     DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
     s->sfbr = s->msg[0];
     len = s->msg_len;
+    assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
     if (len > s->dbc)
         len = s->dbc;
     cpu_physical_memory_write(s->dnad, s->msg, len);
@@ -1451,8 +1453,10 @@ static uint8_t lsi_reg_readb(LSIState *s
         return s->ccntl1;
     case 0x58: /* SBDL */
         /* Some drivers peek at the data bus during the MSG IN phase.  */
-        if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
+        if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
+            assert(s->msg_len > 0);
             return s->msg[0];
+        }
         return 0;
     case 0x59: /* SBDL high */
         return 0;

Places

File CVE-2018-18849-qemut-lsi53c895a-OOB-msg-buffer-access-leads-to-DoS.patch of Package xen (Revision 9835cbb403594f6a3356847debe1b465)

Places