aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/qemu-CVE-2015-5158.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2015-5158.patch')
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5158.patch45
1 files changed, 0 insertions, 45 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2015-5158.patch b/gnu/packages/patches/qemu-CVE-2015-5158.patch
deleted file mode 100644
index bedbfc8fa4..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5158.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-c170aad8b057223b1139d72e5ce7acceafab4fa9
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue Jul 21 08:59:39 2015 +0200
-
- scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
-
- This is a guest-triggerable buffer overflow present in QEMU 2.2.0
- and newer. scsi_cdb_length returns -1 as an error value, but the
- caller does not check it.
-
- Luckily, the massive overflow means that QEMU will just SIGSEGV,
- making the impact much smaller.
-
- Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
- Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
- Reviewed-by: Fam Zheng <famz@redhat.com>
- Cc: qemu-stable@nongnu.org
- Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-1 file changed, 6 insertions(+), 1 deletion(-)
- hw/scsi/scsi-bus.c | 7 ++++++-
-
- Modified hw/scsi/scsi-bus.c
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index f50b2f0..f0ae462 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
- int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
- {
- int rc;
-+ int len;
-
- cmd->lba = -1;
-- cmd->len = scsi_cdb_length(buf);
-+ len = scsi_cdb_length(buf);
-+ if (len < 0) {
-+ return -1;
-+ }
-
-+ cmd->len = len;
- switch (dev->type) {
- case TYPE_TAPE:
- rc = scsi_req_stream_xfer(cmd, dev, buf);
-