Re: [Qemu-devel] [PATCH] scsi: esp: check length before dma read

2016-06-15 Thread P J P
+-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+
| So a better fix is to change cmdbuf[] to 32 bytes in
| include/hw/scsi/esp.h, and define a constant ESP_CMDBUF_SZ equal to 32
| that can be used in handle_ti and in the definition of cmdbuf.

Sent a revised patch v3. Thank you.
--
Prasad J Pandit

Re: [Qemu-devel] [PATCH] scsi: esp: check length before dma read

2016-06-15 Thread Paolo Bonzini
On 15/06/2016 14:11, Laszlo Ersek wrote:
> (1) In my opinion, this check is not sufficient. All of the following
> objects:
>
> - the "len" local variable
> - the "ESPState.dma_left" field
> - the "ESPState.cmdlen" field
>
> have type "uint32_t" (that is, "unsigned int"). Therefore the

Re: [Qemu-devel] [PATCH] scsi: esp: check length before dma read

2016-06-15 Thread Laszlo Ersek
On 06/15/16 11:29, P J P wrote:
> From: Prasad J Pandit
>
> While doing DMA read into ESP command buffer 's->cmdbuf', the
> length parameter could exceed the buffer size. Add check to avoid
> OOB access.
>
> Reported-by: Li Qiang
> Signed-off-by: Prasad

[Qemu-devel] [PATCH] scsi: esp: check length before dma read

2016-06-15 Thread P J P
From: Prasad J Pandit

While doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access.

Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---