[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load |
Date: |
Tue, 8 Jul 2014 12:17:24 -0500 |
From: "Michael S. Tsirkin" <address@hidden>
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
if (req->elem.out_num > 1) {
qemu_sgl_init_external(req, &req->elem.out_sg[1],
&req->elem.out_addr[1],
req->elem.out_num - 1);
} else {
qemu_sgl_init_external(req, &req->elem.in_sg[1],
&req->elem.in_addr[1],
req->elem.in_num - 1);
}
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
Signed-off-by: Michael Roth <address@hidden>
---
hw/scsi/virtio-scsi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 3fa6d07..3c867c6 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f,
SCSIRequest *sreq)
qemu_get_be32s(f, &n);
assert(n < vs->conf.num_queues);
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
+ /* TODO: add a way for SCSIBusInfo's load_request to fail,
+ * and fail migration instead of asserting here.
+ * When we do, we might be able to re-enable NDEBUG below.
+ */
+#ifdef NDEBUG
+#error building with NDEBUG is not supported
+#endif
+ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
+ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
scsi_req_ref(sreq);
--
1.9.1
- [Qemu-stable] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load, (continued)
- [Qemu-stable] [PATCH 051/156] tsc210x: fix buffer overrun on invalid state load, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 118/156] qcow1: Validate L2 table size (CVE-2014-0222), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 069/156] qemu-iotests: add ./check -cloop support, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 152/156] qapi: zero-initialize all QMP command parameters, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 026/156] po/Makefile: fix $SRC_PATH reference, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 139/156] rdma: bug fixes, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 081/156] bochs: Fix bitmap offset calculation, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 143/156] KVM: Fix GSI number space limit, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 140/156] scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 053/156] virtio-scsi: fix buffer overrun on invalid state load,
Michael Roth <=
- [Qemu-stable] [PATCH 109/156] block: Limit request size (CVE-2014-0143), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 007/156] scsi: Change scsi sense buf size to 252, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 108/156] dmg: prevent chunk buffer overflow (CVE-2014-0145), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 095/156] qcow2: Zero-initialise first cluster for new images, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 115/156] parallels: Sanity check for s->tracks (CVE-2014-0142), Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 102/156] dmg: coding style and indentation cleanup, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 100/156] qcow2: Protect against some integer overflows in bdrv_check, Michael Roth, 2014/07/10
- [Qemu-stable] [PATCH 101/156] qcow2: Fix new L1 table size check (CVE-2014-0143), Michael Roth, 2014/07/10