Huawei Technologies Co., Ltd
42a23f0a2f
ide:atapi: check io_buffer_index in ide_atapi_cmd_reply_end
Fix CVE-2020-29443
During data transfer via packet command in 'ide_atapi_cmd_reply_end',
's->io_buffer_index' could exceed the 's->io_buffer' length, leading
to an OOB access issue. Add a check to avoid it.
...
#9 ahci_pio_transfer ../hw/ide/ahci.c:1383
#10 ide_transfer_start_norecurse ../hw/ide/core.c:553
#11 ide_atapi_cmd_reply_end ../hw/ide/atapi.c:284
#12 ide_atapi_cmd_read_pio ../hw/ide/atapi.c:329
#13 ide_atapi_cmd_read ../hw/ide/atapi.c:442
#14 cmd_read ../hw/ide/atapi.c:988
#15 ide_atapi_cmd ../hw/ide/atapi.c:1352
#16 ide_transfer_start ../hw/ide/core.c:561
#17 cmd_packet ../hw/ide/core.c:1729
#18 ide_exec_cmd ../hw/ide/core.c:2107
#19 handle_reg_h2d_fis ../hw/ide/ahci.c:1267
#20 handle_cmd ../hw/ide/ahci.c:1318
#21 check_cmd ../hw/ide/ahci.c:592
#22 ahci_port_write ../hw/ide/ahci.c:373
#23 ahci_mem_write ../hw/ide/ahci.c:513
Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
2021-02-26 16:27:53 +08:00
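The class of check the commit message describes, as an added example that is not part of the commit or of QEMU's code. The struct, the io_buffer_len field, and the reply_chunk and drain functions are hypothetical, and the 16-byte buffer is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified transfer state. Field names echo the commit
 * message; this is not QEMU's IDEState and not the code of the fix. */
struct xfer_state {
    uint8_t io_buffer[16];      /* constructed 16-byte backing buffer */
    size_t  io_buffer_len;      /* assumed field: valid length of io_buffer */
    size_t  io_buffer_index;    /* next byte to hand to the guest */
};

/* Copy up to `want` bytes from io_buffer_index into dst (>= 16 bytes).
 * Returns bytes copied, 0 at end of buffer, -1 if the index is out of range. */
long reply_chunk(struct xfer_state *s, uint8_t *dst, size_t want)
{
    if (s->io_buffer_index > s->io_buffer_len)
        return -1;              /* reject before any pointer arithmetic */
    /* Subtract rather than add, so a huge `want` cannot wrap the sum. */
    size_t avail = s->io_buffer_len - s->io_buffer_index;
    size_t n = want < avail ? want : avail;
    memcpy(dst, s->io_buffer + s->io_buffer_index, n);
    s->io_buffer_index += n;
    return (long)n;
}

/* Drain the buffer in chunks of `limit` bytes starting at `start`.
 * Returns total bytes delivered, or -1 if the starting index is invalid. */
long drain(size_t start, size_t limit)
{
    struct xfer_state s = { .io_buffer_len = 16, .io_buffer_index = start };
    uint8_t dst[16];
    long total = 0, n;
    memset(s.io_buffer, 0xAB, sizeof s.io_buffer);
    while ((n = reply_chunk(&s, dst, limit)) > 0)
        total += n;
    return n < 0 ? -1 : total;
}

int main(void)
{
    printf("%ld %ld %ld\n", drain(0, 6), drain(16, 6), drain(17, 6));
    return 0;
}
```

An index equal to the buffer length is treated as a valid end-of-buffer state that delivers zero bytes; only an index past the length is rejected.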