1 | From 97f8f06928e2a0d3db6157f6cd8dcf3b002dfb9f Mon Sep 17 00:00:00 2001 |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
3 | Date: Wed, 25 May 2016 17:55:10 +0530 | |
4 | Subject: [PATCH 3/9] scsi: megasas: check 'read_queue_head' index value | |
5 | ||
6 | While doing a MegaRAID SAS controller command frame lookup, the routine | |
7 | 'megasas_lookup_frame' uses the 'read_queue_head' value as an index | |
8 | into the 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value to | |
9 | the array bounds to avoid any OOB access. | |
10 | ||
11 | Reported-by: Li Qiang <liqiang6-s@360.cn> | |
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
13 | Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com> | |
14 | Reviewed-by: Alexander Graf <agraf@suse.de> | |
15 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | |
16 | --- | |
17 | ||
18 | Notes: | |
19 | CVE-2016-5107 | |
20 | ||
21 | hw/scsi/megasas.c | 2 ++ | |
22 | 1 file changed, 2 insertions(+) | |
23 | ||
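diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 05c72b0..ebbe270 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
     pa_hi = le32_to_cpu(initq->pi_addr_hi);
     s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
     s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
+    s->reply_queue_head %= MEGASAS_MAX_FRAMES;
     s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
+    s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
     flags = le32_to_cpu(initq->flags);
     if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
         s->flags |= MEGASAS_MASK_USE_QUEUE64;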
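Review bot: The two added `%= MEGASAS_MAX_FRAMES` lines reduce the guest-supplied values only after they have been stored into `s->reply_queue_head` and `s->reply_queue_tail`, whose declared types are not visible in this hunk; if either field is a signed integer, a value at or above 0x80000000 returned by ldl_le_pci_dma() becomes negative and `%` keeps that sign, so the resulting index would still be out of range. Reducing the unsigned DMA result before the assignment removes that dependency on the field type: `s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa) % MEGASAS_MAX_FRAMES;` and the same form for `s->reply_queue_tail` with `s->consumer_pa`. Silently wrapping an out-of-range queue index also hides a misbehaving or malicious guest; a log or trace point at this spot would help when diagnosing later frame-lookup anomalies. Note that the commit description refers to 'read_queue_head', whereas the fields actually bounded here are reply_queue_head and reply_queue_tail. megasas_init_firmware() starts and ends outside the hunk.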
38 | -- | |
39 | 2.1.4 | |