Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
xen.4698
CVE-2016-4439-qemuu-scsi-esp-OOB-write-while-wr...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2016-4439-qemuu-scsi-esp-OOB-write-while-writing-to-cmdbuf-in-esp_reg_write.patch of Package xen.4698
References: bsc#980716 CVE-2016-4439 The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte FIFO buffer. It is used to handle command and data transfer. While writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check was missing to validate input length. Add check to avoid OOB write access. Fixes CVE-2016-4439 Reported-by: Li Qiang <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> --- hw/scsi/esp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/scsi/esp.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/esp.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/scsi/esp.c @@ -439,7 +439,11 @@ void esp_reg_write(ESPState *s, uint32_t break; case ESP_FIFO: if (s->do_cmd) { - s->cmdbuf[s->cmdlen++] = val & 0xff; + if (s->cmdlen < TI_BUFSZ) { + s->cmdbuf[s->cmdlen++] = val & 0xff; + } else { + trace_esp_error_fifo_overrun(); + } } else if (s->ti_size == TI_BUFSZ - 1) { trace_esp_error_fifo_overrun(); } else {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor