mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
77668e4b9b
qemu/hw/scsi
History
Mark Cave-Ayland 77668e4b9b esp: restrict non-DMA transfer length to that of available data 
In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.

Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2023-10-03 10:29:39 +02:00
..
emulation.c
esp-pci.c bulk: Remove pointless QOM casts 2023-06-05 20:48:34 +02:00
esp.c esp: restrict non-DMA transfer length to that of available data 2023-10-03 10:29:39 +02:00
Kconfig hw/scsi: Introduce VHOST_SCSI_COMMON symbol in Kconfig 2023-06-23 02:54:44 -04:00
lsi53c895a.c hw/other: spelling fixes 2023-09-21 11:31:16 +03:00
megasas.c hw/scsi/megasas: Silent GCC duplicated-cond warning 2023-06-13 11:28:58 +02:00
meson.build hw/virtio: Build various target-agnostic objects just once 2023-06-23 02:54:44 -04:00
mfi.h hw/other: spelling fixes 2023-09-21 11:31:16 +03:00
mpi.h
mptconfig.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptendian.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptsas.c mptsas: avoid shadowed local variables 2023-09-25 18:25:03 +02:00
mptsas.h include/hw/pci: Split pci_device.h off pci.h 2023-01-08 01:54:22 -05:00
scsi-bus.c scsi: clear unit attention only for REPORT LUNS commands 2023-07-14 11:10:58 +02:00
scsi-disk.c hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467] 2023-09-25 18:25:03 +02:00
scsi-generic.c scsi-generic: fix buffer overflow on block limits inquiry 2023-05-18 08:53:51 +02:00
spapr_vscsi.c scsi: Use device_cold_reset() and bus_cold_reset() 2022-10-18 13:58:04 +02:00
srp.h
trace-events virtio-scsi: implement BlockDevOps->drained_begin() 2023-05-30 17:32:02 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-scsi-common.c vhost-scsi: fix memleak of vsc->inflight 2023-01-08 01:54:23 -05:00
vhost-scsi.c hw/virtio: Remove unnecessary 'virtio-access.h' header 2023-06-23 02:54:44 -04:00
vhost-user-scsi.c hw/virtio: Remove unnecessary 'virtio-access.h' header 2023-06-23 02:54:44 -04:00
viosrp.h Updated the FSF address to <https://www.gnu.org/licenses/> 2023-02-27 09:15:39 +01:00
virtio-scsi-dataplane.c hw/virtio: Remove unnecessary 'virtio-access.h' header 2023-06-23 02:54:44 -04:00
virtio-scsi.c virtio-scsi: avoid dangling host notifier in ->ioeventfd_stop() 2023-06-26 09:50:00 -04:00
vmw_pvscsi.c hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-04-28 11:31:54 +02:00
vmw_pvscsi.h