cardoe 15/07/25 19:53:47 Added: qemu-2.3.0-CVE-2015-5158.patch Log: Add fix from upstream for CVE-2015-5158 #555680 by Agostino Sarubbo. (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key A2BC03DC87ED1BD4!)
Revision Changes Path 1.1 app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch?rev=1.1&content-type=text/plain Index: qemu-2.3.0-CVE-2015-5158.patch =================================================================== commit c170aad8b057223b1139d72e5ce7acceafab4fa9 Author: Paolo Bonzini <[email protected]> Date: Tue Jul 21 08:59:39 2015 +0200 scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) This is a guest-triggerable buffer overflow present in QEMU 2.2.0 and newer. scsi_cdb_length returns -1 as an error value, but the caller does not check it. Luckily, the massive overflow means that QEMU will just SIGSEGV, making the impact much smaller. Reported-by: Zhu Donghai (朱东海) <[email protected]> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 Reviewed-by: Fam Zheng <[email protected]> Cc: [email protected] Signed-off-by: Paolo Bonzini <[email protected]> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c index f50b2f0..f0ae462 100644 --- a/hw/scsi/scsi-bus.c +++ b/hw/scsi/scsi-bus.c @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) { int rc; + int len; cmd->lba = -1; - cmd->len = scsi_cdb_length(buf); + len = scsi_cdb_length(buf); + if (len < 0) { + return -1; + } + cmd->len = len; switch (dev->type) { case TYPE_TAPE: rc = scsi_req_stream_xfer(cmd, dev, buf);
