Blame SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch

From 899dabfb59004f7d69d244f836c250590c3574cd Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Wed, 29 Jan 2020 18:47:15 +0100
Subject: [PATCH 2/2] iscsi: Cap block count from GET LBA STATUS
 (CVE-2020-1711)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200129184715.18876-3-jmaloy@redhat.com>
Patchwork-id: 93576
O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 2/2] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
Bugzilla: 1794499 1794505
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

From: Felipe Franciosi <felipe@nutanix.com>

When querying an iSCSI server for the provisioning status of blocks (via
GET LBA STATUS), Qemu only validates that the response descriptor zero's
LBA matches the one requested. Given the SCSI spec allows servers to
respond with the status of blocks beyond the end of the LUN, Qemu may
have its heap corrupted by clearing/setting too many bits at the end of
its allocmap for the LUN.

A malicious guest in control of the iSCSI server could carefully program
Qemu's heap (by selectively setting the bitmap) and then smash it.

This limits the number of bits that iscsi_co_block_status() will try to
update in the allocmap so it can't overflow the bitmap.

Fixes: CVE-2020-1711
Cc: qemu-stable@nongnu.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/iscsi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/iscsi.c b/block/iscsi.c
index 336ce49..8ec97ab 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -671,7 +671,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
     struct scsi_get_lba_status *lbas = NULL;
     struct scsi_lba_status_descriptor *lbasd = NULL;
     struct IscsiTask iTask;
-    uint64_t lba;
+    uint64_t lba, max_bytes;
     int ret;
 
     iscsi_co_init_iscsitask(iscsilun, &iTask);
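Review bot: max_bytes is declared uint64_t in this hunk but is later compared through MIN() against an int64_t expression and the result is stored into *pnum, which is int64_t; declaring it as `int64_t max_bytes;` keeps the three types consistent and avoids the signed/unsigned comparison the macro would otherwise perform under the usual arithmetic conversions.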
@@ -691,6 +691,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
     }
 
     lba = offset / iscsilun->block_size;
+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
 
     qemu_mutex_lock(&iscsilun->mutex);
 retry:
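Review bot: `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` wraps to a huge unsigned value if lba is ever >= num_blocks, which would turn the later cap into a no-op; nothing in this hunk establishes that bound, so the line silently relies on the caller never passing an offset at or beyond the end of the LUN. A one-line comment stating that precondition, or an `assert(lba < iscsilun->num_blocks);` just before the computation, would make the dependency explicit for the next person touching this path.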
@@ -734,7 +735,7 @@ retry:
         goto out_unlock;
     }
 
-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
 
     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
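Review bot: the MIN() line is the security-critical clamp and should carry a comment saying why it exists, e.g. `/* a target may report status for blocks past the end of the LUN; never let *pnum run past the allocmap */`, since the commit message is currently the only place that explains it and a later cleanup could drop the clamp as a redundant bound. The cap only limits the length; it still takes for granted that descriptor zero's LBA equals the requested lba, which the commit message says is the one validation already in place.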
-- 
1.8.3.1
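The commit message above describes the bug in prose: the driver trusted the target's block count and updated that many allocmap bits. The following is an added example, not code from QEMU or from this patch, that models the allocmap update on a tiny LUN so the unpatched and capped behaviour can be compared side by side. ToyLun, ToyLbaDesc, toy_pnum, toy_apply and toy_scenario are hypothetical names chosen for this example, and the descriptor contents are constructed; the only thing taken from the patch is the MIN() against the bytes remaining in the LUN.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not QEMU code. It models the allocmap update that a
 * GET LBA STATUS descriptor drives, first with the unpatched length and
 * then with the cap the patch introduces. All names here are hypothetical
 * stand-ins for the corresponding pieces of block/iscsi.c.
 */

#define MIN(a, b) (((a) < (b)) ? (a) : (b))

typedef struct ToyLun {
    uint64_t num_blocks;      /* blocks in the LUN */
    uint32_t block_size;      /* bytes per block */
    uint8_t allocmap[8];      /* one bit per block: room for exactly 64 blocks */
} ToyLun;

/* Descriptor zero of a GET LBA STATUS response, as a hostile target might fill it. */
typedef struct ToyLbaDesc {
    uint64_t lba;
    uint32_t num_blocks;      /* target-controlled; may exceed the LUN */
    int deallocated;
} ToyLbaDesc;

/* Byte count the driver will act on. capped == 0 reproduces the pre-patch
 * computation, capped != 0 the patched MIN() against the bytes left in the LUN. */
int64_t toy_pnum(const ToyLun *lun, uint64_t lba, const ToyLbaDesc *d, int capped)
{
    int64_t pnum = (int64_t)d->num_blocks * lun->block_size;
    if (capped) {
        int64_t max_bytes = (int64_t)(lun->num_blocks - lba) * lun->block_size;
        pnum = MIN(pnum, max_bytes);
    }
    return pnum;
}

/* Clear or set the bits for [lba, lba + pnum/block_size) in the allocmap.
 * Returns the number of bits touched, -2 if descriptor zero is not for the
 * requested LBA (the one check the unpatched code made), or -1 if the update
 * would run past the end of the allocmap. The real driver had no such bounds
 * check; this toy refuses instead of corrupting memory. */
int64_t toy_apply(ToyLun *lun, uint64_t lba, const ToyLbaDesc *d, int capped)
{
    if (d->lba != lba) {
        return -2;
    }
    uint64_t nbits = (uint64_t)toy_pnum(lun, lba, d, capped) / lun->block_size;
    if (lba + nbits > lun->num_blocks) {
        return -1;                      /* would overflow the bitmap */
    }
    for (uint64_t b = lba; b < lba + nbits; b++) {
        if (d->deallocated) {
            lun->allocmap[b / 8] &= (uint8_t)~(1u << (b % 8));
        } else {
            lun->allocmap[b / 8] |= (uint8_t)(1u << (b % 8));
        }
    }
    return (int64_t)nbits;
}

/* Constructed scenario: a 64-block LUN of 512-byte blocks, a status query at
 * LBA 60 (4 blocks before the end), and a target answering with a descriptor
 * covering desc_blocks blocks at that LBA. */
int64_t toy_scenario(uint32_t desc_blocks, int capped)
{
    ToyLun lun = { .num_blocks = 64, .block_size = 512 };
    memset(lun.allocmap, 0xff, sizeof(lun.allocmap));   /* start fully allocated */
    ToyLbaDesc d = { .lba = 60, .num_blocks = desc_blocks, .deallocated = 1 };
    return toy_apply(&lun, 60, &d, capped);
}

int main(void)
{
    printf("honest target, 2 blocks:     unpatched=%lld patched=%lld\n",
           (long long)toy_scenario(2, 0), (long long)toy_scenario(2, 1));
    printf("hostile target, 1000 blocks: unpatched=%lld patched=%lld\n",
           (long long)toy_scenario(1000, 0), (long long)toy_scenario(1000, 1));
    return 0;
}
```

With an honest descriptor both paths touch the same two bits. With a descriptor claiming 1000 blocks at LBA 60, the unpatched length asks for 1000 bits starting 4 bits before the end of an 8-byte bitmap (the toy reports -1 where the real driver would write past the allocmap), while the capped path clamps to the 4 blocks that actually remain.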