On 29.10.18 18:34, Paolo Bonzini wrote: > A device can report an excessive number of VPD pages when asked for a > list; this can cause an out-of-bounds access to buf in > scsi_generic_set_vpd_bl_emulation. It should not happen, but > it is technically not incorrect so handle it: do not check any byte > past the allocation length that was sent to the INQUIRY command.
(Minor note: Since the list must be kept in ascending order, it's fully
correct to only check the first sizeof(buf) - 4 == 0xf6 bytes, because
it actually has to be at index 0xb0 or before, if the device supports it.)
> Reported-by: Max Reitz <mre...@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
> ---
> hw/scsi/scsi-generic.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
> index aebb7cdd82..c5497bbea8 100644
> --- a/hw/scsi/scsi-generic.c
> +++ b/hw/scsi/scsi-generic.c
> @@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice
> *s)
> }
>
> page_len = buf[3];
You lost your enthusiasm for fixing the accesses to be proper big-endian
16-bit accesses so quickly? :-)
> - for (i = 4; i < page_len + 4; i++) {
> + for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) {
Reviewed-by: Max Reitz <mre...@redhat.com>
> if (buf[i] == 0xb0) {
> s->needs_vpd_bl_emulation = false;
> return;
>
signature.asc
Description: OpenPGP digital signature
