|
 |
8b1478 |
From 899dabfb59004f7d69d244f836c250590c3574cd Mon Sep 17 00:00:00 2001
|
|
|
8b1478 |
From: jmaloy <jmaloy@redhat.com>
|
|
|
8b1478 |
Date: Wed, 29 Jan 2020 18:47:15 +0100
|
|
|
8b1478 |
Subject: [PATCH 2/2] iscsi: Cap block count from GET LBA STATUS
|
|
|
8b1478 |
(CVE-2020-1711)
|
|
|
8b1478 |
MIME-Version: 1.0
|
|
|
8b1478 |
Content-Type: text/plain; charset=UTF-8
|
|
|
8b1478 |
Content-Transfer-Encoding: 8bit
|
|
|
8b1478 |
|
|
|
8b1478 |
RH-Author: jmaloy <jmaloy@redhat.com>
|
|
|
8b1478 |
Message-id: <20200129184715.18876-3-jmaloy@redhat.com>
|
|
|
8b1478 |
Patchwork-id: 93576
|
|
|
8b1478 |
O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 2/2] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
|
|
|
8b1478 |
Bugzilla: 1794499 1794505
|
|
|
8b1478 |
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
8b1478 |
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
|
|
|
8b1478 |
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
8b1478 |
|
|
|
8b1478 |
From: Felipe Franciosi <felipe@nutanix.com>
|
|
|
8b1478 |
|
|
|
8b1478 |
When querying an iSCSI server for the provisioning status of blocks (via
|
|
|
8b1478 |
GET LBA STATUS), Qemu only validates that the response descriptor zero's
|
|
|
8b1478 |
LBA matches the one requested. Given the SCSI spec allows servers to
|
|
|
8b1478 |
respond with the status of blocks beyond the end of the LUN, Qemu may
|
|
|
8b1478 |
have its heap corrupted by clearing/setting too many bits at the end of
|
|
|
8b1478 |
its allocmap for the LUN.
|
|
|
8b1478 |
|
|
|
8b1478 |
A malicious guest in control of the iSCSI server could carefully program
|
|
|
8b1478 |
Qemu's heap (by selectively setting the bitmap) and then smash it.
|
|
|
8b1478 |
|
|
|
8b1478 |
This limits the number of bits that iscsi_co_block_status() will try to
|
|
|
8b1478 |
update in the allocmap so it can't overflow the bitmap.
|
|
|
8b1478 |
|
|
|
8b1478 |
Fixes: CVE-2020-1711
|
|
|
8b1478 |
Cc: qemu-stable@nongnu.org
|
|
|
8b1478 |
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
|
|
|
8b1478 |
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
|
|
|
8b1478 |
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
|
|
|
8b1478 |
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
|
8b1478 |
(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
|
|
|
8b1478 |
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
|
8b1478 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
8b1478 |
---
|
|
|
8b1478 |
block/iscsi.c | 5 +++--
|
|
|
8b1478 |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
8b1478 |
|
|
|
8b1478 |
diff --git a/block/iscsi.c b/block/iscsi.c
|
|
|
8b1478 |
index 336ce49..8ec97ab 100644
|
|
|
8b1478 |
--- a/block/iscsi.c
|
|
|
8b1478 |
+++ b/block/iscsi.c
|
|
|
8b1478 |
@@ -671,7 +671,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
|
|
|
8b1478 |
struct scsi_get_lba_status *lbas = NULL;
|
|
|
8b1478 |
struct scsi_lba_status_descriptor *lbasd = NULL;
|
|
|
8b1478 |
struct IscsiTask iTask;
|
|
|
8b1478 |
- uint64_t lba;
|
|
|
8b1478 |
+ uint64_t lba, max_bytes;
|
|
|
8b1478 |
int ret;
|
|
|
8b1478 |
|
|
|
8b1478 |
iscsi_co_init_iscsitask(iscsilun, &iTask);
|
|
|
8b1478 |
@@ -691,6 +691,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
|
|
|
8b1478 |
}
|
|
|
8b1478 |
|
|
|
8b1478 |
lba = offset / iscsilun->block_size;
|
|
|
8b1478 |
+ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
|
|
|
8b1478 |
|
|
|
8b1478 |
qemu_mutex_lock(&iscsilun->mutex);
|
|
|
8b1478 |
retry:
|
|
|
8b1478 |
@@ -734,7 +735,7 @@ retry:
|
|
|
8b1478 |
goto out_unlock;
|
|
|
8b1478 |
}
|
|
|
8b1478 |
|
|
|
8b1478 |
- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
|
|
|
8b1478 |
+ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
|
|
|
8b1478 |
|
|
|
8b1478 |
if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
|
|
|
8b1478 |
lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
|
|
|
8b1478 |
--
|
|
|
8b1478 |
1.8.3.1
|
|
|
8b1478 |
|