Headline
CVE-2020-13362: Re: [PATCH v2 0/3] Megasas: fix OOB access and NULL dereference issues
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
From:
Paolo Bonzini
Subject:
Re: [PATCH v2 0/3] Megasas: fix OOB access and NULL dereference issues
Date:
Thu, 21 May 2020 17:35:32 +0200
User-agent:
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
On 13/05/20 21:25, P J P wrote:
From: Prasad J Pandit address@hidden
Hello,
* First patch fixes an OOB access issue which may occur when a guest user sets the ‘reply_queue_head’ field to a negative or large positive value, via a ‘struct mfi_init_qinfo’ object in megasas_init_firmware(), such that the ‘index’ variable in megasas_lookup_frame() goes beyond the s->frames[MEGASAS_MAX_FRAMES=2048] array bounds. -> https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
* Second patch fixes a NULL pointer dereference issue which may occur if megasas_enqueue_frame() routine returns a NULL frame for a given ‘frame_addr’ address. -> https://bugs.launchpad.net/qemu/+bug/1878259
* Third patch updates other numeric fields of MegasasState to unsigned type.
Thank you.
--
Prasad J Pandit (3):
  megasas: use unsigned type for reply_queue_head and check index
  megasas: avoid NULL pointer dereference
  megasas: use unsigned type for positive numeric fields

 hw/scsi/megasas.c | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

--
2.25.4
Queued, thanks (but see my comment on patch 2).
Thanks,
Paolo
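The bug class the cover letter describes, as an added C example that is not QEMU's hw/scsi/megasas.c and not the queued patch: a guest-supplied reply_queue_head copied into a signed index subscripts frames[] with no range check, shown beside a variant that stores the head unsigned, rejects out-of-range values at ingest and re-checks the bound on every access. The struct layouts, next_index(), safe_set_queue_head(), demo_safe_lookup() and the constructed values (fw_cmds = 16, one frame at guest address 0x1000) are assumptions for illustration only; the names reply_queue_head, frames and MEGASAS_MAX_FRAMES are borrowed from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEGASAS_MAX_FRAMES 2048   /* array size named in the cover letter */

typedef struct {
    uint64_t pa;                  /* guest physical address; 0 = unused slot */
} Frame;

/* Assumed, simplified stand-in for the device state. */
typedef struct {
    uint16_t reply_queue_head;    /* hardened: unsigned, checked on ingest */
    unsigned fw_cmds;             /* number of live slots in the ring walk */
    Frame frames[MEGASAS_MAX_FRAMES];
} SafeState;

/* Ring walk: advance one slot, wrapping to 0 when the limit is reached. */
static unsigned next_index(unsigned index, unsigned limit)
{
    index++;
    return index == limit ? 0 : index;
}

/* Vulnerable pattern, modelled rather than executed so it cannot crash:
 * the guest's 32-bit field lands in a signed 'index' that subscripts
 * frames[] unchecked. Returns true if the walk would leave the array. */
bool vuln_lookup_would_oob(int32_t guest_head, unsigned fw_cmds)
{
    int index = guest_head;       /* signed copy of guest data: the bug */
    unsigned num = 0;

    while (num < fw_cmds) {
        if (index < 0 || index >= MEGASAS_MAX_FRAMES) {
            return true;          /* s->frames[index] would be out of bounds */
        }
        index++;                  /* same wrap rule as next_index() */
        if (index == (int)fw_cmds) {
            index = 0;
        }
        num++;
    }
    return false;
}

/* Hardened ingest, standing in for the point where the head is taken from
 * mfi_init_qinfo: refuse any value that cannot index frames[]. */
bool safe_set_queue_head(SafeState *s, uint32_t guest_value)
{
    if (guest_value >= MEGASAS_MAX_FRAMES) {
        return false;             /* keep the previous, known-good head */
    }
    s->reply_queue_head = (uint16_t)guest_value;
    return true;
}

/* Hardened lookup: unsigned index, and the loop condition re-checks the
 * bound so a head inside the array but past fw_cmds cannot run off the end. */
Frame *safe_lookup_frame(SafeState *s, uint64_t frame_pa)
{
    unsigned index = s->reply_queue_head;
    unsigned limit = s->fw_cmds < MEGASAS_MAX_FRAMES ? s->fw_cmds
                                                      : MEGASAS_MAX_FRAMES;
    unsigned num = 0;

    while (num < limit && index < MEGASAS_MAX_FRAMES) {
        if (s->frames[index].pa != 0 && s->frames[index].pa == frame_pa) {
            return &s->frames[index];
        }
        index = next_index(index, limit);
        num++;
    }
    return NULL;
}

/* Demo on constructed values: 16 live slots, slot 3 holds pa 0x1000.
 * Returns the slot found, -1 if not found, -2 if the head was rejected. */
int demo_safe_lookup(uint32_t guest_head, uint64_t want_pa)
{
    static SafeState s;
    Frame *f;

    memset(&s, 0, sizeof(s));
    s.fw_cmds = 16;
    s.frames[3].pa = 0x1000;
    if (!safe_set_queue_head(&s, guest_head)) {
        return -2;
    }
    f = safe_lookup_frame(&s, want_pa);
    return f ? (int)(f - s.frames) : -1;
}

int main(void)
{
    printf("vuln head=-1 oob=%d\n", vuln_lookup_would_oob(-1, 16));
    printf("vuln head=INT32_MAX oob=%d\n", vuln_lookup_would_oob(INT32_MAX, 16));
    printf("safe head=5 slot=%d\n", demo_safe_lookup(5, 0x1000));
    printf("safe head=0xffffffff slot=%d\n", demo_safe_lookup(0xffffffffu, 0x1000));
    return 0;
}
```

Both a negative head and a large positive one trip the modelled walk on its very first dereference, which is why changing the field's type alone is not enough: an unsigned field turns the negative case into a large positive one, so the range check at ingest (and the re-check in the loop) is what actually closes the read. The demo with head 2047 shows the second guard at work: the head is inside the array but past fw_cmds, and the walk stops at the array end instead of wrapping into it.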