esp: check dma length before reading scsi command(CVE-2016-4441)

The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. Routine get_cmd() uses DMA to read scsi commands into this buffer. Add check to validate DMA length against buffer size to avoid any overrun. Fixes CVE-2016-4441. Reported-by: N Li Qiang <liqiang6-s@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: N Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 6c1fef6b) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

esp: check dma length before reading scsi command(CVE-2016-4441)
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. Routine get_cmd() uses DMA to read scsi commands into this buffer. Add check to validate DMA length against buffer size to avoid any overrun. Fixes CVE-2016-4441. Reported-by: N Li Qiang <liqiang6-s@360.cn> Cc: qemu-stable@nongnu.org Signed-off-by: N Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 6c1fef6b) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
9b28a7fc · Prasad J Pandit · Michael Roth · 0a5e3685 · 9b28a7fc
隐藏空白更改
内联并排

Showing with 7 addition and 4 deletion

hw/scsi/esp.c hw/scsi/esp.c +7 -4

未找到文件。
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
    }
 }

-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
 {
    uint32_t dmalen;
    int target;
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
        dmalen = s->rregs[ESP_TCLO];
        dmalen |= s->rregs[ESP_TCMID] << 8;
        dmalen |= s->rregs[ESP_TCHI] << 16;
+        if (dmalen > buflen) {
+            return 0;
+        }
        s->dma_memory_read(s->dma_opaque, buf, dmalen);
    } else {
        dmalen = s->ti_size;
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
        s->dma_cb = handle_satn;
        return;
    }
-    len = get_cmd(s, buf);
+    len = get_cmd(s, buf, sizeof(buf));
    if (len)
        do_cmd(s, buf);
 }
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
        s->dma_cb = handle_s_without_atn;
        return;
    }
-    len = get_cmd(s, buf);
+    len = get_cmd(s, buf, sizeof(buf));
    if (len) {
        do_busid_cmd(s, buf, 0);
    }
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
        s->dma_cb = handle_satn_stop;
        return;
    }
-    s->cmdlen = get_cmd(s, s->cmdbuf);
+    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
    if (s->cmdlen) {
        trace_esp_handle_satn_stop(s->cmdlen);
        s->do_cmd = 1;