packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/esp-restrict-non-DMA-transfer-length-to-that-of-avai.patch
Jiabo Feng f7e6c9d33c QEMU update to version 6.2.0-89 
- qga-win: Fix guest-get-fsinfo multi-disks collection
- hw/timer: fix systick trace message
- virtio-net: correctly copy vnet header when flushing TX (CVE-2023-6693)
- ui/clipboard: mark type as not available when there is no data (CVE-2023-6683)
- esp: restrict non-DMA transfer length to that of available data (CVE-2024-24474)
- hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
- hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
- net: Update MemReentrancyGuard for NIC (CVE-2023-3019)
- net: Provide MemReentrancyGuard * to qemu_new_nic()

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit 18db08e0e64d982b88ad7f29ccd49b19e8c656f0)
2024-03-09 16:58:34 +08:00

44 lines
1.6 KiB
Diff
Raw Blame History

From 67f1bc4fc4d1864a55f6c626967defe5467f5134 Mon Sep 17 00:00:00 2001
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: Wed, 13 Sep 2023 21:44:09 +0100
Subject: [PATCH] esp: restrict non-DMA transfer length to that of available
data (CVE-2024-24474)
In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.
Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/esp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index f38231f8cd..435a81bbfd 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -754,7 +754,8 @@ static void esp_do_nodma(ESPState *s)
}
if (to_device) {
- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ);
+ len = MIN(s->async_len, ESP_FIFO_SZ);
+ len = MIN(len, fifo8_num_used(&s->fifo));
esp_fifo_pop_buf(&s->fifo, s->async_buf, len);
s->async_buf += len;
s->async_len -= len;
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink