diff options
| author | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2024-03-24 19:17:01 +0000 |
|---|---|---|
| committer | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2024-04-04 15:17:53 +0100 |
| commit | 3cc70889a35a972358e9b0e768a06b7159def1f3 (patch) | |
| tree | 1e2908ffcdbeb082db911ae782409184a9bb861c /linux-user/openrisc/cpu_loop.c | |
| parent | 5aa0df4067cfc9bf74f08787d31b007957c7d899 (diff) | |
| download | focaccia-qemu-3cc70889a35a972358e9b0e768a06b7159def1f3.tar.gz focaccia-qemu-3cc70889a35a972358e9b0e768a06b7159def1f3.zip | |
esp.c: prevent cmdfifo overflow in esp_cdb_ready()
During normal use the cmdfifo will never wrap internally and cmdfifo_cdb_offset will always indicate the start of the SCSI CDB. However it is possible that a malicious guest could issue an invalid ESP command sequence such that cmdfifo wraps internally and cmdfifo_cdb_offset could point beyond the end of the FIFO data buffer. Add an extra check to fifo8_peek_buf() to ensure that if the cmdfifo has wrapped internally then esp_cdb_ready() will exit rather than allow scsi_cdb_length() to access data outside the cmdfifo data buffer. Reported-by: Chuhong Yuan <hslester96@gmail.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240324191707.623175-13-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Diffstat (limited to 'linux-user/openrisc/cpu_loop.c')
0 files changed, 0 insertions, 0 deletions