[Stable-8.0.1 48/59] scsi-generic: fix buffer overflow on block limits inquiry

From: Michael Tokarev
Subject: [Stable-8.0.1 48/59] scsi-generic: fix buffer overflow on block limits inquiry
Date: Tue, 23 May 2023 13:15:08 +0300
From: Paolo Bonzini <pbonzini@redhat.com>
Using linux 6.x guest, at boot time, an inquiry on a scsi-generic
device makes qemu crash. This is caused by a buffer overflow when
scsi-generic patches the block limits VPD page.
Do the operations on a temporary on-stack buffer that is guaranteed
to be large enough.
Reported-by: Théo Maillart <tmaillart@freebox.fr>
Analyzed-by: Théo Maillart <tmaillart@freebox.fr>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 9bd634b2f5e2f10fe35d7609eb83f30583f2e15a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index ac9fa662b4..2417f0ad84 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -191,12 +191,16 @@ static int scsi_handle_inquiry_reply(SCSIGenericReq *r,
SCSIDevice *s, int len)
if ((s->type == TYPE_DISK || s->type == TYPE_ZBC) &&
(r->req.cmd.buf[1] & 0x01)) {
page = r->req.cmd.buf[2];
- if (page == 0xb0) {
+ if (page == 0xb0 && r->buflen >= 8) {
+ uint8_t buf[16] = {};
+ uint8_t buf_used = MIN(r->buflen, 16);
uint64_t max_transfer = calculate_max_transfer(s);
- stl_be_p(&r->buf[8], max_transfer);
- /* Also take care of the opt xfer len. */
- stl_be_p(&r->buf[12],
- MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));
+
+ memcpy(buf, r->buf, buf_used);
+ stl_be_p(&buf[8], max_transfer);
+ stl_be_p(&buf[12], MIN_NON_ZERO(max_transfer, ldl_be_p(&buf[12])));
+ memcpy(r->buf + 8, buf + 8, buf_used - 8);
+
} else if (s->needs_vpd_bl_emulation && page == 0x00 && r->buflen >=
4) {
/*
* Now we're capable of supplying the VPD Block Limits
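Review bot: the `r->buflen >= 8` added to the `if (page == 0xb0 ...)` condition is the only thing keeping `buf_used - 8` in the final `memcpy(r->buf + 8, buf + 8, buf_used - 8)` from going negative (and, after conversion to size_t, huge), and the two lines sit several lines apart; a one-line comment on the guard, or an `assert(buf_used >= 8)` next to the memcpy, would make that dependency explicit for the next person who touches the condition. Two smaller points in the same hunk: `uint8_t buf_used = MIN(r->buflen, 16);` narrows an int to a byte for no gain, so `int` or `size_t` would read more naturally; and the original `/* Also take care of the opt xfer len. */` comment was dropped in the move and is worth restoring above `stl_be_p(&buf[12], MIN_NON_ZERO(max_transfer, ldl_be_p(&buf[12])));`, since that line is where the zero-initialised tail of `buf` matters (with `r->buflen` below 16 the optimal transfer length field reads as 0 and MIN_NON_ZERO falls back to `max_transfer`, which is the intended result but is not obvious without the comment).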
--
2.39.2
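The commit message describes the fix as doing the patching on a temporary on-stack buffer and copying back only what fits. The following is an added, self-contained C illustration of that bounding, not QEMU's code: `ldl_be`, `stl_be` and `min_non_zero` are stand-ins written here for QEMU's `ldl_be_p`, `stl_be_p` and `MIN_NON_ZERO`, the field offsets (8 for MAXIMUM TRANSFER LENGTH, 12 for OPTIMAL TRANSFER LENGTH) are taken from the Block Limits VPD page layout, and `exercise()` feeds the patch routine a constructed 64-byte backing store in which only the first `buflen` bytes count as allocated, so an out-of-bounds write shows up as a changed byte beyond `buflen`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block Limits VPD page (0xb0): MAXIMUM TRANSFER LENGTH at bytes 8..11,
 * OPTIMAL TRANSFER LENGTH at bytes 12..15, both big-endian 32-bit.
 * 16 is the end of the region the patch touches. */
#define BL_MAX_XFER_OFF 8
#define BL_OPT_XFER_OFF 12
#define BL_PATCH_END    16

/* Stand-ins for QEMU's ldl_be_p / stl_be_p / MIN_NON_ZERO (assumed names). */
static uint32_t ldl_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void stl_be(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* A zero operand means "no limit", as in MIN_NON_ZERO. */
static uint32_t min_non_zero(uint32_t a, uint32_t b)
{
    if (a == 0) return b;
    if (b == 0) return a;
    return a < b ? a : b;
}

/* Bounded patch: stage the page in a zeroed 16-byte stack copy, rewrite the
 * two fields there, copy back only the bytes that fit in the caller's
 * allocation length. Returns the number of bytes written back. */
static size_t patch_block_limits(uint8_t *buf, size_t buflen, uint32_t max_transfer)
{
    uint8_t tmp[BL_PATCH_END] = {0};
    size_t used;

    /* Below 8 bytes none of the patched region is visible; this early return
     * is also what keeps 'used - BL_MAX_XFER_OFF' below from going negative. */
    if (buflen < BL_MAX_XFER_OFF) {
        return 0;
    }
    used = buflen < BL_PATCH_END ? buflen : BL_PATCH_END;
    memcpy(tmp, buf, used);
    stl_be(&tmp[BL_MAX_XFER_OFF], max_transfer);
    /* Unread bytes of tmp are zero, so a truncated OPTIMAL TRANSFER LENGTH
     * reads as 0 ("no limit") and max_transfer wins. */
    stl_be(&tmp[BL_OPT_XFER_OFF],
           min_non_zero(max_transfer, ldl_be(&tmp[BL_OPT_XFER_OFF])));
    memcpy(buf + BL_MAX_XFER_OFF, tmp + BL_MAX_XFER_OFF, used - BL_MAX_XFER_OFF);
    return used - BL_MAX_XFER_OFF;
}

struct patch_result {
    size_t written;     /* bytes patch_block_limits() wrote back */
    uint32_t max_xfer;  /* bytes 8..11 afterwards */
    uint32_t opt_xfer;  /* bytes 12..15 afterwards */
    int no_oob;         /* 1 if nothing outside [8, min(buflen,16)) changed */
};

/* Constructed input: a 64-byte store filled with 0xAA stands in for the reply
 * buffer plus whatever follows it in memory; only 'buflen' bytes are "allocated". */
static struct patch_result exercise(size_t buflen, uint32_t opt_in, uint32_t max_transfer)
{
    uint8_t store[64], before[64];
    struct patch_result r;
    size_t i, lo = BL_MAX_XFER_OFF;
    size_t hi = buflen < BL_PATCH_END ? buflen : BL_PATCH_END;

    memset(store, 0xAA, sizeof(store));
    store[1] = 0xb0;                          /* page code, as a device fills it */
    stl_be(&store[BL_OPT_XFER_OFF], opt_in);  /* device-reported optimal length */
    memcpy(before, store, sizeof(store));

    r.written = patch_block_limits(store, buflen, max_transfer);
    r.max_xfer = ldl_be(&store[BL_MAX_XFER_OFF]);
    r.opt_xfer = ldl_be(&store[BL_OPT_XFER_OFF]);
    r.no_oob = 1;
    for (i = 0; i < sizeof(store); i++) {
        if ((i < lo || i >= hi) && store[i] != before[i]) {
            r.no_oob = 0;
        }
    }
    return r;
}

int main(void)
{
    size_t lens[] = {4, 8, 10, 12, 16, 64};
    for (size_t k = 0; k < sizeof(lens) / sizeof(lens[0]); k++) {
        struct patch_result r = exercise(lens[k], 0x1000u, 0x12345u);
        printf("buflen=%2zu written=%zu max=0x%08x opt=0x%08x oob=%s\n",
               lens[k], r.written, r.max_xfer, r.opt_xfer, r.no_oob ? "none" : "YES");
    }
    return 0;
}
```

The interesting allocation lengths are the partial ones: with `buflen` of 10 only two bytes of the maximum transfer length reach the guest, and with 12 the optimal transfer length is computed on the staging copy but never written back, which is the correct outcome for a guest that asked for that little.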