Commit 961c74a8 authored by Paolo Bonzini, committed by Michael Roth

scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer.  scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02
Reviewed-by: Fam Zheng <famz@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c170aad8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
parent 98fe91ed
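The unchecked error value the message describes, as an added C model that is not QEMU's code: cdb_length() follows the standard SCSI group-code length table and returns -1 for groups without a fixed length, the unchecked caller shows what that -1 turns into once it is used as an unsigned size, and the checked caller rejects it first. The function names, CDB_MAX and the sample CDB bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDB_MAX 16 /* constructed: largest fixed-length CDB modelled here */

/* CDB length from the group code (opcode bits 7..5), following the standard
 * SCSI mapping. Unknown/vendor groups yield -1, the error value the commit
 * message says scsi_cdb_length returns. Model only, not QEMU's function. */
static int cdb_length(const uint8_t *buf)
{
    switch (buf[0] >> 5) {
    case 0:         return 6;
    case 1: case 2: return 10;
    case 4:         return 16;
    case 5:         return 12;
    default:        return -1;
    }
}

/* Vulnerable shape: the int result lands in an unsigned length with no check,
 * so -1 becomes SIZE_MAX. The model returns the length that would reach
 * memcpy instead of copying, which is what makes it safe to run. */
static size_t parse_cdb_unchecked_len(const uint8_t *buf)
{
    size_t len = cdb_length(buf); /* implicit int -> size_t conversion */
    return len;                   /* a real caller would memcpy(dst, buf, len) */
}

/* Fixed shape: reject the error value before it is ever used as a size. */
static int parse_cdb_checked(uint8_t dst[CDB_MAX], const uint8_t *buf)
{
    int len = cdb_length(buf);
    if (len < 0 || len > CDB_MAX) {
        return -1;                /* refuse the CDB; nothing is copied */
    }
    memcpy(dst, buf, (size_t)len);
    return len;
}

int main(void)
{
    /* constructed CDBs: TEST UNIT READY (0x00, group 0) and a group-7 opcode
     * (0xE0) that has no fixed length */
    const uint8_t ok[CDB_MAX] = { 0x00 }, bad[CDB_MAX] = { 0xE0 };
    uint8_t dst[CDB_MAX];
    printf("unchecked length for bad CDB: %zu\n", parse_cdb_unchecked_len(bad));
    printf("checked: ok=%d bad=%d\n", parse_cdb_checked(dst, ok), parse_cdb_checked(dst, bad));
    return 0;
}
```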