qemu-patch-raspberry4/hw
Paolo Bonzini e909ff9369 scsi-generic: avoid possible out-of-bounds access to r->buf
Whenever the allocation length of a SCSI request is shorter than the size of the
VPD page list, page_idx is used blindly to index into r->buf.  Even though
the stores in the insertion sort are protected against overflows, the same is not
true of the reads and the final store of 0xb0.

This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest.  Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based
on the allocation length.

The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
page list sorted", 2018-11-06) but the overflow was already possible before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Fixes: a71c775b24
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-05 16:50:19 +01:00
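The commit message describes the hazard in one sentence: PAGE LENGTH (byte 3 of the Supported VPD Pages response) comes from the device and may describe more page codes than the guest's allocation length, which is the real size of r->buf, can hold, so indexing by PAGE LENGTH walks off the end. The following C is an added, illustrative reconstruction of that bug class and of the bounded insertion, not QEMU's scsi-generic code: only the 4-byte header / PAGE LENGTH / one-byte-per-page layout is taken from the SPC page format; the function names, return codes and sample buffers are invented for the example. Every read and write is bounded by the allocation length, while PAGE LENGTH is still incremented because, as the message notes, the standard does not make it depend on the allocation length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Illustrative reconstruction, NOT QEMU's scsi-generic code.  Layout of the
 * Supported VPD Pages response (SPC): 4-byte header, PAGE LENGTH in byte 3,
 * then one byte per supported page code.  Names and sample data are invented.
 */
#define VPD_HDR_LEN      4u
#define VPD_PAGE_LEN_OFF 3u
#define VPD_BLOCK_LIMITS 0xb0u

/* Page codes that can be touched without leaving the guest-sized buffer:
 * PAGE LENGTH is device-controlled, so the allocation length wins. */
static size_t vpd_pages_in_bounds(const uint8_t *buf, size_t alloc_len)
{
    size_t page_len = buf[VPD_PAGE_LEN_OFF];
    size_t avail = alloc_len - VPD_HDR_LEN;   /* caller guarantees >= 4 */
    return page_len < avail ? page_len : avail;
}

/*
 * Insert 0xb0 into the sorted page list, bounding reads, the shifting stores
 * and the final store by alloc_len rather than by PAGE LENGTH.  If the list
 * cannot grow inside the buffer, the entry pushed off the end is dropped.
 * Returns the byte offset where 0xb0 was stored, -1 if the device already
 * lists it, -2 if no in-bounds slot was available.
 */
int vpd_insert_block_limits(uint8_t *buf, size_t alloc_len)
{
    if (alloc_len < VPD_HDR_LEN) {
        return -2;
    }
    uint8_t *pages = buf + VPD_HDR_LEN;
    size_t room = alloc_len - VPD_HDR_LEN;    /* page slots inside buf */
    size_t n = vpd_pages_in_bounds(buf, alloc_len);
    size_t idx = 0;

    while (idx < n && pages[idx] < VPD_BLOCK_LIMITS) {
        idx++;                                /* reads stop at n, not PAGE LENGTH */
    }
    if (idx < n && pages[idx] == VPD_BLOCK_LIMITS) {
        return -1;
    }
    if (buf[VPD_PAGE_LEN_OFF] < 0xff) {
        buf[VPD_PAGE_LEN_OFF]++;              /* header describes the full list */
    }
    if (idx >= room) {
        return -2;                            /* insertion slot is past alloc_len */
    }
    /* Shift [idx, last) up by one; last is clipped so that last + 1 <= room. */
    size_t last = n < room ? n : room - 1;
    memmove(pages + idx + 1, pages + idx, last - idx);
    pages[idx] = VPD_BLOCK_LIMITS;
    return (int)(VPD_HDR_LEN + idx);
}

/* Constructed scenario from the commit message: the device reports six pages
 * but the guest allocated seven bytes (header + three codes).  Returns how
 * many guard bytes past the allocation stayed intact, -1 on a wrong rc. */
int demo_short_allocation(void)
{
    uint8_t buf[16];
    static const uint8_t dev[] = {0x00, 0x00, 0x00, 0x06, 0x00, 0x80, 0x83};
    memset(buf, 0xee, sizeof buf);
    memcpy(buf, dev, sizeof dev);
    if (vpd_insert_block_limits(buf, sizeof dev) != -2) {
        return -1;
    }
    int untouched = 0;
    for (size_t i = sizeof dev; i < sizeof buf; i++) {
        untouched += (buf[i] == 0xee);
    }
    return untouched;
}

/* Constructed: list fits, 0xb0 lands between 0x80 and 0xb1.  Returns the
 * offset of 0xb0 if the buffer matches the expected bytes, -100 otherwise. */
int demo_insert_middle(void)
{
    uint8_t buf[16] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x80, 0xb1, 0xb2};
    static const uint8_t want[] = {0x00, 0x00, 0x00, 0x05, 0x00, 0x80, 0xb0, 0xb1, 0xb2};
    int rc = vpd_insert_block_limits(buf, sizeof buf);
    return memcmp(buf, want, sizeof want) == 0 ? rc : -100;
}

/* Constructed: exact fit, two pages in a six-byte allocation.  Growing the
 * list would need a seventh byte, so 0xb1 is dropped instead of being written
 * past the end (bytes 6 and 7 are guards).  Same return convention. */
int demo_exact_fit(void)
{
    uint8_t buf[8] = {0x00, 0x00, 0x00, 0x02, 0x00, 0xb1, 0xee, 0xee};
    static const uint8_t want[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0xb0, 0xee, 0xee};
    int rc = vpd_insert_block_limits(buf, 6);
    return memcmp(buf, want, sizeof want) == 0 ? rc : -100;
}
```

The point to check when reviewing code of this shape is that all three accesses the message lists (the comparison reads, the shifting stores and the final store of 0xb0) are bounded by the same guest-controlled length, not just the stores inside the sort loop.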
9pfs xen: re-name XenDevice to XenLegacyDevice... 2019-01-14 13:45:40 +00:00
acpi uuid: Make qemu_uuid_bswap() take and return a QemuUUID 2019-02-01 13:46:45 +01:00
adc Include qapi/error.h exactly where needed 2018-02-09 13:50:17 +01:00
alpha elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
arm elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
audio audio: fix pc speaker init 2019-01-24 13:10:19 +01:00
block xen-block: handle resize callback 2019-02-04 11:04:49 +00:00
bt hw/bt: Replace fprintf(stderr, "*\n" with error_report() 2018-01-22 09:51:00 +01:00
char hw/char/stm32f2xx_usart: Do not update data register when device is disabled 2019-01-21 10:23:10 +00:00
core hw/core/loader.c: Read as long as possible in load_image_size() 2019-02-05 16:50:18 +01:00
cpu qom/cpu: Add cluster_index to CPUState 2019-01-29 11:46:05 +00:00
cris elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
display hw/display/milkymist-tmu2: Move inlined code from header to source 2019-02-01 11:58:50 +01:00
dma avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
gpio trace: enforce that every trace-events file has a final newline 2019-01-24 14:16:56 +00:00
hppa elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
hyperv hw/hyperv: fix NULL dereference with pure-kvm SynIC 2018-11-26 14:14:38 -02:00
i2c smbus: Add a helper to generate SPD EEPROM data 2019-02-04 18:44:17 +11:00
i386 i386: allow to load initrd below 4 GB for recent linux 2019-02-05 16:50:18 +01:00
ide ide/via: Implement and use native PCI IDE mode 2019-01-25 14:52:12 -05:00
input hw: input: set category of the i8042 device 2019-01-30 10:19:32 +01:00
intc spapr: move the interrupt presenters under machine_data 2019-02-04 18:44:18 +11:00
ipack hw/ipack: Use the IEC binary prefix definitions 2018-07-02 15:41:12 +02:00
ipmi ipmi: Use proper struct reference for BT vmstate 2018-08-23 18:46:25 +02:00
isa configs: Add a CONFIG_SMC37C669 switch for the "smc37c669-superio" device 2018-10-24 07:33:44 +01:00
lm32 elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
m68k elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
mem memory-device: rewrite address assignment using ranges 2019-01-09 22:09:31 -02:00
microblaze elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
mips elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
misc hw/misc/armsse-cpuid: Implement SSE-200 CPU_IDENTITY register block 2019-02-01 14:55:43 +00:00
moxie elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
net ftgmac100: implement the new MDIO interface on Aspeed SoC 2019-01-21 10:23:11 +00:00
nios2 elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
nvram hw/nvram/nrf51_nvm: Add nRF51 non-volatile memories 2019-02-01 15:31:26 +00:00
openrisc elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
pci msix: make pba size math more uniform 2019-01-14 19:31:04 -05:00
pci-bridge pci/shpc: perform unplug via the hotplug handler 2018-12-20 11:19:12 -05:00
pci-host elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
pcmcia
ppc elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
rdma hw/rdma: modify struct initialization 2019-01-19 11:01:33 +02:00
riscv elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
s390x elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
scsi scsi-generic: avoid possible out-of-bounds access to r->buf 2019-02-05 16:50:19 +01:00
sd hw: sd: set category of the sd memory card 2019-01-30 10:24:20 +01:00
sh4 avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
smbios hw/smbios: Move to the hw/firmware/ subdirectory 2018-12-19 16:48:16 -05:00
sparc elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
sparc64 elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
ssi aspeed/smc: snoop SPI transfers to fake dummy cycles 2019-01-29 11:46:05 +00:00
timer trivial: Don't include isa.h if it is not really necessary 2019-01-09 11:24:35 +01:00
tpm tpm: clear RAM when "memory overwrite" requested 2019-01-17 21:10:57 -05:00
tricore elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
unicore32 hw/input/i8042: Extract declarations from i386/pc.h into input/i8042.h 2018-03-12 16:12:48 +01:00
usb usb-mtp: replace the homebrew write with qemu_write_full 2019-01-30 06:47:52 +01:00
vfio trace: forbid use of %m in trace event format strings 2019-01-24 14:16:56 +00:00
virtio hw/virtio/virtio-balloon: zero-initialize the virtio_balloon_config struct 2019-01-21 17:20:36 +00:00
watchdog hw/watchdog/wdt_i6300esb: remove a unnecessary comment 2019-01-11 15:46:55 +01:00
xen xen: fix xen-bus state model to allow frontend re-connection 2019-02-04 11:04:49 +00:00
xenpv xen: Replace few mentions of xend by libxl 2019-01-14 13:45:40 +00:00
xtensa elf: Add optional function ptr to load_elf() to parse ELF notes 2019-02-05 16:50:16 +01:00
Makefile.objs memory-device: introduce separate config option 2018-10-24 06:44:59 -03:00