diff options
| author | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2024-03-24 19:17:01 +0000 |
|---|---|---|
| committer | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2024-04-04 15:17:53 +0100 |
| commit | 3cc70889a35a972358e9b0e768a06b7159def1f3 (patch) | |
| tree | 1e2908ffcdbeb082db911ae782409184a9bb861c /scripts/qapi | |
| parent | 5aa0df4067cfc9bf74f08787d31b007957c7d899 (diff) | |
| download | qemu-3cc70889a35a972358e9b0e768a06b7159def1f3.zip qemu-3cc70889a35a972358e9b0e768a06b7159def1f3.tar.gz qemu-3cc70889a35a972358e9b0e768a06b7159def1f3.tar.bz2 | |
esp.c: prevent cmdfifo overflow in esp_cdb_ready()
During normal use the cmdfifo will never wrap internally and cmdfifo_cdb_offset
will always indicate the start of the SCSI CDB. However it is possible that a
malicious guest could issue an invalid ESP command sequence such that cmdfifo
wraps internally and cmdfifo_cdb_offset could point beyond the end of the FIFO
data buffer.
Add an extra check to fifo8_peek_buf() to ensure that if the cmdfifo has wrapped
internally then esp_cdb_ready() will exit rather than allow scsi_cdb_length() to
access data outside the cmdfifo data buffer.
Reported-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20240324191707.623175-13-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Diffstat (limited to 'scripts/qapi')
0 files changed, 0 insertions, 0 deletions