mirror of https://github.com/xemu-project/xemu.git
a7fcb4c5e0
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
if (req->elem.out_num > 1) {
qemu_sgl_init_external(req, &req->elem.out_sg[1],
&req->elem.out_addr[1],
req->elem.out_num - 1);
} else {
qemu_sgl_init_external(req, &req->elem.in_sg[1],
&req->elem.in_addr[1],
req->elem.in_num - 1);
}
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| Makefile.objs | ||
| esp-pci.c | ||
| esp.c | ||
| lsi53c895a.c | ||
| megasas.c | ||
| mfi.h | ||
| scsi-bus.c | ||
| scsi-disk.c | ||
| scsi-generic.c | ||
| spapr_vscsi.c | ||
| srp.h | ||
| vhost-scsi.c | ||
| viosrp.h | ||
| virtio-scsi.c | ||
| vmw_pvscsi.c | ||
| vmw_pvscsi.h | ||