thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch

902636
From 1c508d56d154caf5fbf53e7dabafd707236cb16b Mon Sep 17 00:00:00 2001
d8ab4a
From: jmaloy <jmaloy@redhat.com>
902636
Date: Wed, 29 Jan 2020 13:45:18 +0000
902636
Subject: [PATCH 06/15] iscsi: Cap block count from GET LBA STATUS
d8ab4a
 (CVE-2020-1711)
d8ab4a
MIME-Version: 1.0
d8ab4a
Content-Type: text/plain; charset=UTF-8
d8ab4a
Content-Transfer-Encoding: 8bit
d8ab4a
d8ab4a
RH-Author: jmaloy <jmaloy@redhat.com>
902636
Message-id: <20200129134518.1293-2-jmaloy@redhat.com>
902636
Patchwork-id: 93571
902636
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 1/1] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
902636
Bugzilla: 1794503
d8ab4a
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
d8ab4a
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
d8ab4a
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
d8ab4a
d8ab4a
From: Felipe Franciosi <felipe@nutanix.com>
d8ab4a
d8ab4a
When querying an iSCSI server for the provisioning status of blocks (via
d8ab4a
GET LBA STATUS), Qemu only validates that the response descriptor zero's
d8ab4a
LBA matches the one requested. Given the SCSI spec allows servers to
d8ab4a
respond with the status of blocks beyond the end of the LUN, Qemu may
d8ab4a
have its heap corrupted by clearing/setting too many bits at the end of
d8ab4a
its allocmap for the LUN.
d8ab4a
d8ab4a
A malicious guest in control of the iSCSI server could carefully program
d8ab4a
Qemu's heap (by selectively setting the bitmap) and then smash it.
d8ab4a
d8ab4a
This limits the number of bits that iscsi_co_block_status() will try to
d8ab4a
update in the allocmap so it can't overflow the bitmap.
d8ab4a
d8ab4a
Fixes: CVE-2020-1711
d8ab4a
Cc: qemu-stable@nongnu.org
d8ab4a
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
d8ab4a
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
d8ab4a
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
d8ab4a
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
d8ab4a
(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
d8ab4a
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
d8ab4a
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
d8ab4a
---
d8ab4a
 block/iscsi.c | 5 +++--
d8ab4a
 1 file changed, 3 insertions(+), 2 deletions(-)
d8ab4a
d8ab4a
diff --git a/block/iscsi.c b/block/iscsi.c
902636
index 2aea7e3..cbd5729 100644
d8ab4a
--- a/block/iscsi.c
d8ab4a
+++ b/block/iscsi.c
902636
@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
d8ab4a
     struct scsi_get_lba_status *lbas = NULL;
d8ab4a
     struct scsi_lba_status_descriptor *lbasd = NULL;
d8ab4a
     struct IscsiTask iTask;
d8ab4a
-    uint64_t lba;
d8ab4a
+    uint64_t lba, max_bytes;
d8ab4a
     int ret;
d8ab4a
 
d8ab4a
     iscsi_co_init_iscsitask(iscsilun, &iTask);
902636
@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
d8ab4a
     }
d8ab4a
 
d8ab4a
     lba = offset / iscsilun->block_size;
d8ab4a
+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
d8ab4a
 
d8ab4a
     qemu_mutex_lock(&iscsilun->mutex);
d8ab4a
 retry:
902636
@@ -764,7 +765,7 @@ retry:
d8ab4a
         goto out_unlock;
d8ab4a
     }
d8ab4a
 
d8ab4a
-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
d8ab4a
+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
d8ab4a
 
d8ab4a
     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
d8ab4a
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
d8ab4a
-- 
d8ab4a
1.8.3.1
d8ab4a