Overview

File CVE-2016-5107-qemuu-scsi-megasas-out-of-bounds-read-in-megasas_lookup_frame-function.patch of Package xen.4218

References: bsc#982026 CVE-2016-5107 

While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/scsi/megasas.c | 2 ++
 1 file changed, 2 insertions(+)

Update as per
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04403.html

Index: xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
===================================================================
--- xen-4.5.3-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
+++ xen-4.5.3-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
@@ -608,7 +608,9 @@ static int megasas_init_firmware(Megasas
     pa_hi = le32_to_cpu(initq->pi_addr_hi);
     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
     s->reply_queue_head = ldl_le_phys(&address_space_memory, s->producer_pa);
+    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
     s->reply_queue_tail = ldl_le_phys(&address_space_memory, s->consumer_pa);
+    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
     flags = le32_to_cpu(initq->flags);
     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
         s->flags |= MEGASAS_MASK_USE_QUEUE64;
openSUSE Build Service is sponsored by
Places