debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch

   1 From f684109f3a14cfe0c7a9aa7b478dd6da67ea6b6c Mon Sep 17 00:00:00 2001
   2 From: Peter Lieven <pl@kamp.de>
   3 Date: Tue, 24 May 2016 10:59:28 +0200
   4 Subject: [PATCH 8/9] block/iscsi: avoid potential overflow of acb->task->cdb
   5
   6 at least in the path via virtio-blk the maximum size is not
   7 restricted.
   8
   9 Cc: qemu-stable@nongnu.org
  10 Signed-off-by: Peter Lieven <pl@kamp.de>
  11 Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
  12 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  13 ---
  14
  15 Notes:
  16     CVE-2016-5126
  17
  18  block/iscsi.c | 7 +++++++
  19  1 file changed, 7 insertions(+)
  20
  21 diff --git a/block/iscsi.c b/block/iscsi.c
  22 index bd1f1bf..e424f7d 100644
  23 --- a/block/iscsi.c
  24 +++ b/block/iscsi.c
  25 @@ -834,6 +834,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
  26          return &acb->common;
  27      }
  28
  29 +    if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
  30 +        error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
  31 +                     acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
  32 +        qemu_aio_unref(acb);
  33 +        return NULL;
  34 +    }
  35 +
  36      acb->task = malloc(sizeof(struct scsi_task));
  37      if (acb->task == NULL) {
  38          error_report("iSCSI: Failed to allocate task for scsi command. %s",
  39 --
  40 2.1.4
  41