qemu-e2k/hw/scsi
Prasad J Pandit 6c1fef6b59 esp: check dma length before reading scsi command(CVE-2016-4441)
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-05-23 16:53:46 +02:00
..
esp-pci.c
esp.c esp: check dma length before reading scsi command(CVE-2016-4441) 2016-05-23 16:53:46 +02:00
lsi53c895a.c
Makefile.objs
megasas.c
mfi.h
mpi.h
mptconfig.c
mptendian.c
mptsas.c
mptsas.h
scsi-bus.c util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
scsi-disk.c scsi-disk: Switch to byte-based aio block access 2016-05-12 15:22:09 +02:00
scsi-generic.c
spapr_vscsi.c Fix some typos found by codespell 2016-05-18 15:04:27 +03:00
srp.h
vhost-scsi.c util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
viosrp.h
virtio-scsi-dataplane.c virtio: merge virtio_queue_aio_set_host_notifier_handler with virtio_queue_set_aio 2016-04-07 19:57:33 +03:00
virtio-scsi.c virtio-scsi: use aio handler for data plane 2016-04-07 19:57:33 +03:00
vmw_pvscsi.c Fix some typos found by codespell 2016-05-18 15:04:27 +03:00
vmw_pvscsi.h