File CVE-2016-5338-qemuu-scsi-esp-OOB-rw-access-whil... of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-5338-qemuu-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch of Package xen.10697

References: bsc#983984 CVE-2016-5338

The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,

'ti_rptr' is used as read index, where read occurs.
'ti_wptr' is a write index, where write would occur.
'ti_size' indicates total bytes to be read from the buffer.

While reading/writing to this buffer, index could exceed its
size. Add check to avoid OOB r/w access.

Reported-by: Huawei PSIRT <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/scsi/esp.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

Update as per:
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/scsi/esp.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/esp.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/scsi/esp.c
@@ -401,19 +401,17 @@ uint64_t esp_reg_read(ESPState *s, uint3
     trace_esp_mem_readb(saddr, s->rregs[saddr]);
     switch (saddr) {
     case ESP_FIFO:
-        if (s->ti_size > 0) {
+        if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+            /* Data out.  */
+            qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n");
+            s->rregs[ESP_FIFO] = 0;
+            esp_raise_irq(s);
+        } else if (s->ti_rptr < s->ti_wptr) {
             s->ti_size--;
-            if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
-                /* Data out.  */
-                qemu_log_mask(LOG_UNIMP,
-                              "esp: PIO data read not implemented\n");
-                s->rregs[ESP_FIFO] = 0;
-            } else {
-                s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
-            }
+            s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
             esp_raise_irq(s);
         }
-        if (s->ti_size == 0) {
+        if (s->ti_rptr == s->ti_wptr) {
             s->ti_rptr = 0;
             s->ti_wptr = 0;
         }
@@ -450,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t
             } else {
                 trace_esp_error_fifo_overrun();
             }
-        } else if (s->ti_size == TI_BUFSZ - 1) {
+        } else if (s->ti_wptr == TI_BUFSZ - 1) {
             trace_esp_error_fifo_overrun();
         } else {
             s->ti_size++;

Places

File CVE-2016-5338-qemuu-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch of Package xen.10697

Places