Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
xen.4698
CVE-2016-4439-qemut-scsi-esp-OOB-write-while-wr...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2016-4439-qemut-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch of Package xen.4698
References: bsc#980716 CVE-2016-4439 The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. While writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check was missing to validate input length. Add check to avoid OOB write access. Fixes CVE-2016-4439 Reported-by: Li Qiang <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> --- hw/scsi/esp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c @@ -471,7 +471,11 @@ static void esp_mem_writeb(void *opaque, break; case ESP_FIFO: if (s->do_cmd) { - s->cmdbuf[s->cmdlen++] = val & 0xff; + if (s->cmdlen < TI_BUFSZ) { + s->cmdbuf[s->cmdlen++] = val & 0xff; + } else { + ESP_ERROR("fifo overrun\n"); + } } else if (s->ti_size == TI_BUFSZ - 1) { ESP_ERROR("fifo overrun\n"); } else {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor