scsi-generic: avoid possible out-of-bounds access to r->buf
Whenever the allocation length of a SCSI request is shorter than the size of the VPD page list, page_idx is used blindly to index into r->buf. Even though the stores in the insertion sort are protected against overflows, the same is not true of the reads and the final store of 0xb0. This basically does the same thing as commit 57dbb58d ("scsi-generic: avoid out-of-bounds access to VPD page list", 2018-11-06), except that here the allocation length can be chosen by the guest. Note that according to the SCSI standard, the contents of the PAGE LENGTH field are not altered based on the allocation length. The code was introduced by commit 6c219fc8 ("scsi-generic: keep VPD page list sorted", 2018-11-06) but the overflow was already possible before. Reported-by: NKevin Wolf <kwolf@redhat.com> Fixes: a71c775bSigned-off-by: NPaolo Bonzini <pbonzini@redhat.com> (cherry picked from commit e909ff93) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Showing
想要评论请 注册 或 登录