qemu-e2k/hw/scsi
Paolo Bonzini e909ff9369 scsi-generic: avoid possible out-of-bounds access to r->buf
Whenever the allocation length of a SCSI request is shorter than the size of the
VPD page list, page_idx is used blindly to index into r->buf.  Even though
the stores in the insertion sort are protected against overflows, the same is not
true of the reads and the final store of 0xb0.

This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest.  Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based
on the allocation length.

The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
page list sorted", 2018-11-06) but the overflow was already possible before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Fixes: a71c775b24
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-05 16:50:19 +01:00
..
emulation.c scsi-generic: avoid invalid access to struct when emulating block limits 2018-11-06 21:35:06 +01:00
esp-pci.c scsi: esp: Defer command completion until previous interrupts have been handled 2019-01-11 13:57:24 +01:00
esp.c scsi: esp: Defer command completion until previous interrupts have been handled 2019-01-11 13:57:24 +01:00
lsi53c895a.c avoid TABs in files that only contain a few 2019-01-11 15:46:56 +01:00
Makefile.objs scsi-generic: avoid invalid access to struct when emulating block limits 2018-11-06 21:35:06 +01:00
megasas.c megasas: fix sglist leak 2018-08-23 13:32:50 +02:00
mfi.h Clean up header guards that don't match their file name 2016-07-12 16:19:16 +02:00
mpi.h hw: Add support for LSI SAS1068 (mptsas) device 2016-02-09 15:45:26 +01:00
mptconfig.c scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK 2016-09-13 19:08:46 +02:00
mptendian.c hw/scsi/mptendian: Avoid taking address of fields in packed structs 2018-10-02 19:09:14 +02:00
mptsas.c scsi: mptsas: Mark as storage device 2018-08-23 13:32:50 +02:00
mptsas.h mptsas: really fix migration compatibility 2016-08-03 18:44:56 +02:00
scsi-bus.c qemu/queue.h: simplify reverse access to QTAILQ 2019-01-11 15:46:55 +01:00
scsi-disk.c scsi-disk: Add device_id property 2019-02-01 13:48:11 +01:00
scsi-generic.c scsi-generic: avoid possible out-of-bounds access to r->buf 2019-02-05 16:50:19 +01:00
spapr_vscsi.c scsi: Remove automatic creation of SCSI controllers with -drive if=scsi 2018-03-06 14:00:59 +01:00
srp.h spapr-vscsi: add task management 2013-09-12 08:46:21 +02:00
trace-events scsi: esp: Defer command completion until previous interrupts have been handled 2019-01-11 13:57:24 +01:00
vhost-scsi-common.c vhost-scsi: unify vhost-scsi get_features implementations 2018-08-23 18:46:25 +02:00
vhost-scsi.c qemu: avoid memory leak while remove disk 2019-01-14 19:31:04 -05:00
vhost-user-scsi.c qemu: avoid memory leak while remove disk 2019-01-14 19:31:04 -05:00
viosrp.h
virtio-scsi-dataplane.c Replace '-enable-kvm' with '-accel kvm' in docs and help texts 2018-06-28 19:05:32 +02:00
virtio-scsi.c virtio-scsi: Forbid devices with different iothreads sharing a blockdev 2019-02-01 13:46:45 +01:00
vmw_pvscsi.c qdev: use device_class_set_parent_realize/unrealize/reset() 2018-02-05 13:54:38 +01:00
vmw_pvscsi.h