Overview

File CVE-2016-5337-qemuu-scsi-megasas-information-leakage-in-megasas_ctrl_get_info.patch of Package xen.11298

References: bsc#83973 CVE-2016-5337

While reading information via 'megasas_ctrl_get_info' routine,
a local bios version buffer isn't null terminated. Add the
terminating null byte to avoid any OOB access.

Reported-by: Li Qiang <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 hw/scsi/megasas.c | 1 +
 1 file changed, 1 insertion(+)

Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
===================================================================
--- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
+++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
@@ -728,6 +728,7 @@ static int megasas_ctrl_get_info(Megasas
 
         ptr = memory_region_get_ram_ptr(&pci_dev->rom);
         memcpy(biosver, ptr + 0x41, 31);
+        biosver[31] = 0;
         memcpy(info.image_component[1].name, "BIOS", 4);
         memcpy(info.image_component[1].version, biosver,
                strlen((const char *)biosver));
openSUSE Build Service is sponsored by
Places