e74c0f316d
CVE-2017-7539: qemu-nbd crashes due to undefined I/O coroutine CVE-2017-11434: slirp: out-of-bounds read while parsing dhcp options CVE-2017-11334: exec: oob access during dma operation CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort CVE-2017-9524: nbd: segmentation fault due to client non-negotiation CVE-2017-9503: scsi: null pointer dereference while processing megasas command
35 lines
1.2 KiB
Diff
35 lines
1.2 KiB
Diff
From 1e709e6e073c7907676ea9263a1f92b1bd5fc9ac Mon Sep 17 00:00:00 2001
|
|
From: P J P <ppandit@redhat.com>
|
|
Date: Tue, 25 Apr 2017 18:36:23 +0530
|
|
Subject: [PATCH 11/23] vmw_pvscsi: check message ring page count at
|
|
initialisation
|
|
|
|
A guest could set the message ring page count to zero, resulting in
|
|
infinite loop. Add check to avoid it.
|
|
|
|
Reported-by: YY Z <bigbird475958471@gmail.com>
|
|
Signed-off-by: P J P <ppandit@redhat.com>
|
|
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
|
|
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
---
|
|
hw/scsi/vmw_pvscsi.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
|
index 75575461e2..4a106da856 100644
|
|
--- a/hw/scsi/vmw_pvscsi.c
|
|
+++ b/hw/scsi/vmw_pvscsi.c
|
|
@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
|
uint32_t len_log2;
|
|
uint32_t ring_size;
|
|
|
|
- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
|
+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
|
return -1;
|
|
}
|
|
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|
|
--
|
|
2.11.0
|
|
|