[pve-qemu-kvm.git] / debian / patches / CVE-2016-5337-scsi-megasas-null-terminate-bios-version-buffer.patch

From 407fb6fce916b8984b5fd288b4a97d61f014dc72 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 7 Jun 2016 16:44:03 +0530
Subject: [PATCH] scsi: megasas: null terminate bios version buffer

While reading information via 'megasas_ctrl_get_info' routine,
a local bios version buffer isn't null terminated. Add the
terminating null byte to avoid any OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/megasas.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index cc66d36..a9ffc32 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
 
         ptr = memory_region_get_ram_ptr(&pci_dev->rom);
         memcpy(biosver, ptr + 0x41, 31);
+        biosver[31] = 0;
         memcpy(info.image_component[1].name, "BIOS", 4);
         memcpy(info.image_component[1].version, biosver,
                strlen((const char *)biosver));
-- 
2.1.4
Commit	Line	Data
67efab1f WB	1	From 407fb6fce916b8984b5fd288b4a97d61f014dc72 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Tue, 7 Jun 2016 16:44:03 +0530
	4	Subject: [PATCH] scsi: megasas: null terminate bios version buffer
	5
	6	While reading information via 'megasas_ctrl_get_info' routine,
	7	a local bios version buffer isn't null terminated. Add the
	8	terminating null byte to avoid any OOB access.
	9
	10	Reported-by: Li Qiang <liqiang6-s@360.cn>
	11	Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
	12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	13	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	14	(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
	15	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
	16	---
	17	hw/scsi/megasas.c \| 1 +
	18	1 file changed, 1 insertion(+)
	19
	20	diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
	21	index cc66d36..a9ffc32 100644
	22	--- a/hw/scsi/megasas.c
	23	+++ b/hw/scsi/megasas.c
	24	@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState s, MegasasCmd cmd)
	25
	26	ptr = memory_region_get_ram_ptr(&pci_dev->rom);
	27	memcpy(biosver, ptr + 0x41, 31);
	28	+ biosver[31] = 0;
	29	memcpy(info.image_component[1].name, "BIOS", 4);
	30	memcpy(info.image_component[1].version, biosver,
	31	strlen((const char *)biosver));
	32	--
	33	2.1.4
	34