scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) - bwlp/qemu.git - Experimental fork of QEMU with video encoding patches

diff options

author	Paolo Bonzini	2015-07-21 08:59:39 +0200
committer	Paolo Bonzini	2015-07-24 13:57:44 +0200
commit	c170aad8b057223b1139d72e5ce7acceafab4fa9 (patch)
tree	50a3de66af501ceb759affdbf58e72a2aec2128a /util
parent	vnc: fix memory leak (diff)
download	qemu-c170aad8b057223b1139d72e5ce7acceafab4fa9.tar.gz qemu-c170aad8b057223b1139d72e5ce7acceafab4fa9.tar.xz qemu-c170aad8b057223b1139d72e5ce7acceafab4fa9.zip

scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng <famz@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Diffstat (limited to 'util')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: