1 |
cardoe 15/07/25 19:53:47 |
2 |
|
3 |
Added: qemu-2.3.0-CVE-2015-5158.patch |
4 |
Log: |
5 |
Add fix from upstream for CVE-2015-5158 #555680 by Agostino Sarubbo. |
6 |
|
7 |
(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key A2BC03DC87ED1BD4!) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: qemu-2.3.0-CVE-2015-5158.patch |
16 |
=================================================================== |
17 |
commit c170aad8b057223b1139d72e5ce7acceafab4fa9 |
18 |
Author: Paolo Bonzini <pbonzini@××××××.com> |
19 |
Date: Tue Jul 21 08:59:39 2015 +0200 |
20 |
|
21 |
scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) |
22 |
|
23 |
This is a guest-triggerable buffer overflow present in QEMU 2.2.0 |
24 |
and newer. scsi_cdb_length returns -1 as an error value, but the |
25 |
caller does not check it. |
26 |
|
27 |
Luckily, the massive overflow means that QEMU will just SIGSEGV, |
28 |
making the impact much smaller. |
29 |
|
30 |
Reported-by: Zhu Donghai (朱东海) <donghai.zdh@×××××××××××.com> |
31 |
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 |
32 |
Reviewed-by: Fam Zheng <famz@××××××.com> |
33 |
Cc: qemu-stable@××××××.org |
34 |
Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
35 |
|
36 |
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c |
37 |
index f50b2f0..f0ae462 100644 |
38 |
--- a/hw/scsi/scsi-bus.c |
39 |
+++ b/hw/scsi/scsi-bus.c |
40 |
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { |
41 |
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) |
42 |
{ |
43 |
int rc; |
44 |
+ int len; |
45 |
|
46 |
cmd->lba = -1; |
47 |
- cmd->len = scsi_cdb_length(buf); |
48 |
+ len = scsi_cdb_length(buf); |
49 |
+ if (len < 0) { |
50 |
+ return -1; |
51 |
+ } |
52 |
|
53 |
+ cmd->len = len; |
54 |
switch (dev->type) { |
55 |
case TYPE_TAPE: |
56 |
rc = scsi_req_stream_xfer(cmd, dev, buf); |