File CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-whil... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch of Package xen (Revision 494cd99450b66e32f0dd20f566525818)

Currently displaying revision 494cd99450b66e32f0dd20f566525818 , Show latest

References: bsc#983984 CVE-2016-5338

The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,

'ti_rptr' is used as read index, where read occurs.
'ti_wptr' is a write index, where write would occur.
'ti_size' indicates total bytes to be read from the buffer.

While reading/writing to this buffer, index could exceed its
size. Add check to avoid OOB r/w access.

Reported-by: Huawei PSIRT <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/scsi/esp.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

Update as per:
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01326.html

Index: xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
===================================================================
--- xen-4.7.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/esp.c
+++ xen-4.7.0-testing/tools/qemu-xen-traditional-dir-remote/hw/esp.c
@@ -435,18 +435,17 @@ static uint32_t esp_mem_readb(void *opaq
     DPRINTF("read reg[%d]: 0x%2.2x\n", saddr, s->rregs[saddr]);
     switch (saddr) {
     case ESP_FIFO:
-        if (s->ti_size > 0) {
+        if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+            /* Data out.  */
+            ESP_ERROR("PIO data read not implemented\n");
+            s->rregs[ESP_FIFO] = 0;
+            esp_raise_irq(s);
+        } else if (s->ti_rptr < s->ti_wptr) {
             s->ti_size--;
-            if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
-                /* Data out.  */
-                ESP_ERROR("PIO data read not implemented\n");
-                s->rregs[ESP_FIFO] = 0;
-            } else {
-                s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
-            }
+            s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
             esp_raise_irq(s);
         }
-        if (s->ti_size == 0) {
+        if (s->ti_rptr == s->ti_wptr) {
             s->ti_rptr = 0;
             s->ti_wptr = 0;
         }
@@ -482,7 +481,7 @@ static void esp_mem_writeb(void *opaque,
             } else {
                 ESP_ERROR("fifo overrun\n");
             }
-        } else if (s->ti_size == TI_BUFSZ - 1) {
+        } else if (s->ti_wptr == TI_BUFSZ - 1) {
             ESP_ERROR("fifo overrun\n");
         } else {
             s->ti_size++;

Places

File CVE-2016-5338-qemut-scsi-esp-OOB-rw-access-while-processing-ESP_FIFO.patch of Package xen (Revision 494cd99450b66e32f0dd20f566525818)

Places