QEMU before 8.2.0 has an integer underflow, and a resulting buffer overflow, via a TI (Transfer Information) command when the expected non-DMA transfer length is less than the length of the data already available in the FIFO. This occurs in esp_do_nodma in hw/scsi/esp.c because async_len underflows.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Qemu | Ubuntu | bionic | * |
Qemu | Ubuntu | focal | * |
Qemu | Ubuntu | jammy | * |
Qemu | Ubuntu | mantic | * |
Qemu | Ubuntu | trusty | * |
Qemu | Ubuntu | upstream | * |
Qemu | Ubuntu | xenial | * |