thebeanogamer / rpms / qemu-kvm

Forked from rpms/qemu-kvm 5 months ago
Clone

Blame SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch

22c213
From 1c508d56d154caf5fbf53e7dabafd707236cb16b Mon Sep 17 00:00:00 2001
22c213
From: jmaloy <jmaloy@redhat.com>
22c213
Date: Wed, 29 Jan 2020 13:45:18 +0000
22c213
Subject: [PATCH 06/15] iscsi: Cap block count from GET LBA STATUS
22c213
 (CVE-2020-1711)
22c213
MIME-Version: 1.0
22c213
Content-Type: text/plain; charset=UTF-8
22c213
Content-Transfer-Encoding: 8bit
22c213
22c213
RH-Author: jmaloy <jmaloy@redhat.com>
22c213
Message-id: <20200129134518.1293-2-jmaloy@redhat.com>
22c213
Patchwork-id: 93571
22c213
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 1/1] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
22c213
Bugzilla: 1794503
22c213
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
22c213
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
22c213
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
22c213
22c213
From: Felipe Franciosi <felipe@nutanix.com>
22c213
22c213
When querying an iSCSI server for the provisioning status of blocks (via
22c213
GET LBA STATUS), Qemu only validates that the response descriptor zero's
22c213
LBA matches the one requested. Given the SCSI spec allows servers to
22c213
respond with the status of blocks beyond the end of the LUN, Qemu may
22c213
have its heap corrupted by clearing/setting too many bits at the end of
22c213
its allocmap for the LUN.
22c213
22c213
A malicious guest in control of the iSCSI server could carefully program
22c213
Qemu's heap (by selectively setting the bitmap) and then smash it.
22c213
22c213
This limits the number of bits that iscsi_co_block_status() will try to
22c213
update in the allocmap so it can't overflow the bitmap.
22c213
22c213
Fixes: CVE-2020-1711
22c213
Cc: qemu-stable@nongnu.org
22c213
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
22c213
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
22c213
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
22c213
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
22c213
(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
22c213
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
22c213
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
22c213
---
22c213
 block/iscsi.c | 5 +++--
22c213
 1 file changed, 3 insertions(+), 2 deletions(-)
22c213
22c213
diff --git a/block/iscsi.c b/block/iscsi.c
22c213
index 2aea7e3..cbd5729 100644
22c213
--- a/block/iscsi.c
22c213
+++ b/block/iscsi.c
22c213
@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
22c213
     struct scsi_get_lba_status *lbas = NULL;
22c213
     struct scsi_lba_status_descriptor *lbasd = NULL;
22c213
     struct IscsiTask iTask;
22c213
-    uint64_t lba;
22c213
+    uint64_t lba, max_bytes;
22c213
     int ret;
22c213
 
22c213
     iscsi_co_init_iscsitask(iscsilun, &iTask);
22c213
@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
22c213
     }
22c213
 
22c213
     lba = offset / iscsilun->block_size;
22c213
+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
22c213
 
22c213
     qemu_mutex_lock(&iscsilun->mutex);
22c213
 retry:
22c213
@@ -764,7 +765,7 @@ retry:
22c213
         goto out_unlock;
22c213
     }
22c213
 
22c213
-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
22c213
+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
22c213
 
22c213
     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
22c213
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
22c213
-- 
22c213
1.8.3.1
22c213