ide: atapi: check logical block address and read size (CVE-2020-29443)
author Prasad J Pandit <pjp@fedoraproject.org>
Mon, 18 Jan 2021 11:51:30 +0000 (17:21 +0530)
committer Paolo Bonzini <pbonzini@redhat.com>
Sat, 23 Jan 2021 14:26:40 +0000 (09:26 -0500)
commit b8d7f1bc59276fec85e4d09f1567613a3e14d31e
tree f1ab21d5110b354e6f6d50fc13025829d7bab30a
parent bbf901914170c6ee423beb3b8c510038c16d082f
ide: atapi: check logical block address and read size (CVE-2020-29443)

While processing ATAPI cmd_read/cmd_read_cd commands,
Logical Block Address (LBA) may be invalid OR closer to the last block,
leading to OOB access issues. Add range check to avoid it.

Fixes: CVE-2020-29443
Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
hw/ide/atapi.c
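
The kind of range check the commit message describes, as an added example: this is not the code from hw/ide/atapi.c or from this commit. The `disc` structure, function names and sample medium are hypothetical; the READ(10) field offsets are the standard CDB layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 2048u              /* CD-ROM data sector size */

struct disc { const uint8_t *data; uint64_t total_sectors; };

/* Constructed sample medium: four zero-filled sectors. */
static uint8_t sample_image[4 * SECTOR_SIZE];
static const struct disc sample_disc = { sample_image, 4 };

/* True only if every sector in [lba, lba + count) is on the disc.
 * Subtracting instead of adding keeps the comparison free of wraparound. */
static bool read_in_range(const struct disc *d, uint32_t lba, uint32_t count)
{
    if (lba >= d->total_sectors)
        return false;                  /* invalid LBA, e.g. 0xFFFFFFFF */
    return count <= d->total_sectors - lba;   /* else read passes last block */
}

/* Handle a READ(10) CDB: big-endian LBA in bytes 2-5, length in bytes 7-8.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
static long handle_read10(const struct disc *d, const uint8_t cdb[10],
                          uint8_t *out, size_t out_len)
{
    uint32_t lba = (uint32_t)cdb[2] << 24 | (uint32_t)cdb[3] << 16 |
                   (uint32_t)cdb[4] << 8 | cdb[5];
    uint32_t count = (uint32_t)cdb[7] << 8 | cdb[8];
    size_t bytes = (size_t)count * SECTOR_SIZE;

    if (!read_in_range(d, lba, count) || bytes > out_len)
        return -1;                     /* reject before touching memory */
    memcpy(out, d->data + (size_t)lba * SECTOR_SIZE, bytes);
    return (long)bytes;
}

int main(void)
{
    static uint8_t buf[4 * SECTOR_SIZE];
    const uint8_t near_end[10] = { 0x28, 0, 0, 0, 0, 3, 0, 0, 2, 0 };
    /* LBA 3 is the last block, so a two-sector read must be refused. */
    printf("%ld\n", handle_read10(&sample_disc, near_end, buf, sizeof buf));
    return 0;
}
```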