scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng <famz@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Paolo Bonzini <pbonzini@redhat.com> 2015-07-21 08:59:39 +0200
committer: Paolo Bonzini <pbonzini@redhat.com> 2015-07-24 13:57:44 +0200
commit: c170aad8b057223b1139d72e5ce7acceafab4fa9 (patch)
tree: 50a3de66af501ceb759affdbf58e72a2aec2128a /hw
parent: 60928458e5eea3c77a7eb0a4194927872f463947 (diff)
download: qemu-c170aad8b057223b1139d72e5ce7acceafab4fa9.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index f50b2f08af..f0ae4625ff 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
 {
     int rc;
+    int len;
 
     cmd->lba = -1;
-    cmd->len = scsi_cdb_length(buf);
+    len = scsi_cdb_length(buf);
+    if (len < 0) {
+        return -1;
+    }
 
+    cmd->len = len;
     switch (dev->type) {
     case TYPE_TAPE:
         rc = scsi_req_stream_xfer(cmd, dev, buf);
author	Paolo Bonzini <pbonzini@redhat.com>	2015-07-21 08:59:39 +0200
committer	Paolo Bonzini <pbonzini@redhat.com>	2015-07-24 13:57:44 +0200
commit	c170aad8b057223b1139d72e5ce7acceafab4fa9 (patch)
tree	50a3de66af501ceb759affdbf58e72a2aec2128a /hw
parent	60928458e5eea3c77a7eb0a4194927872f463947 (diff)
download	qemu-c170aad8b057223b1139d72e5ce7acceafab4fa9.tar.gz