fix various CVEs
[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
blob6321e22bdae354060b1dd03ac4a622777796961d
1 From 97f8f06928e2a0d3db6157f6cd8dcf3b002dfb9f Mon Sep 17 00:00:00 2001
2 From: Prasad J Pandit <pjp@fedoraproject.org>
3 Date: Wed, 25 May 2016 17:55:10 +0530
4 Subject: [PATCH 3/9] scsi: megasas: check 'read_queue_head' index value
6 While doing MegaRAID SAS controller command frame lookup, routine
7 'megasas_lookup_frame' uses 'read_queue_head' value as an index
8 into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
9 within array bounds to avoid any OOB access.
11 Reported-by: Li Qiang <liqiang6-s@360.cn>
12 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13 Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
14 Reviewed-by: Alexander Graf <agraf@suse.de>
15 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
16 ---
18 Notes:
19 CVE-2016-5107
21 hw/scsi/megasas.c | 2 ++
22 1 file changed, 2 insertions(+)
24 diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
25 index 05c72b0..ebbe270 100644
26 --- a/hw/scsi/megasas.c
27 +++ b/hw/scsi/megasas.c
28 @@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
29 pa_hi = le32_to_cpu(initq->pi_addr_hi);
30 s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
31 s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
32 + s->reply_queue_head %= MEGASAS_MAX_FRAMES;
33 s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
34 + s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
35 flags = le32_to_cpu(initq->flags);
36 if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
37 s->flags |= MEGASAS_MASK_USE_QUEUE64;
38 --
39 2.1.4