From afb03b05279fbb6e405ca1815e419f8ec3650a2c Mon Sep 17 00:00:00 2001

From: John Snow <jsnow@redhat.com>

Date: Wed, 6 Feb 2019 18:42:16 +0100

Subject: [PATCH 10/33] scsi-generic: avoid possible out-of-bounds access to

 r->buf

RH-Author: John Snow <jsnow@redhat.com>

Message-id: <20190206184216.15861-2-jsnow@redhat.com>

Patchwork-id: 84258

O-Subject: [RHEL-7.7 qemu-kvm-rhev PATCH 1/1] scsi-generic: avoid possible out-of-bounds access to r->buf

Bugzilla: 1668999

CVE: CVE-2019-6501/20190111

RH-Acked-by: Max Reitz <mreitz@redhat.com>

RH-Acked-by: Kevin Wolf <kwolf@redhat.com>

RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>

From: Paolo Bonzini <pbonzini@redhat.com>

Whenever the allocation length of a SCSI request is shorter than the size of the

VPD page list, page_idx is used blindly to index into r->buf.  Even though

the stores in the insertion sort are protected against overflows, the same is not

true of the reads and the final store of 0xb0.

This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid

out-of-bounds access to VPD page list", 2018-11-06), except that here the

allocation length can be chosen by the guest.  Note that according to the SCSI

standard, the contents of the PAGE LENGTH field are not altered based

on the allocation length.

The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD

page list sorted", 2018-11-06) but the overflow was already possible before.

Reported-by: Kevin Wolf <kwolf@redhat.com>

Reviewed-by: Kevin Wolf <kwolf@redhat.com>

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Message-id: 20190111164506.15971-1-pbonzini@redhat.com

Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: John Snow <jsnow@redhat.com>

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 hw/scsi/scsi-generic.c | 18 ++++++++++--------

 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c

index 4ac53e4..e21adf9 100644

--- a/hw/scsi/scsi-generic.c

+++ b/hw/scsi/scsi-generic.c

@@ -183,7 +183,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s)

             /* Also take care of the opt xfer len. */

             stl_be_p(&r->buf[12],

                     MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));

-        } else if (s->needs_vpd_bl_emulation && page == 0x00) {

+        } else if (s->needs_vpd_bl_emulation && page == 0x00 && r->buflen >= 4) {

             /*

              * Now we're capable of supplying the VPD Block Limits

              * response if the hardware can't. Add it in the INQUIRY

@@ -194,18 +194,20 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s)

              * and will use it to proper setup the SCSI device.

              *

              * VPD page numbers must be sorted, so insert 0xb0 at the

-             * right place with an in-place insert.  After the initialization

-             * part of the for loop is executed, the device response is

-             * at r[0] to r[page_idx - 1].

+             * right place with an in-place insert.  When the while loop

+             * begins the device response is at r[0] to r[page_idx - 1].

              */

-            for (page_idx = lduw_be_p(r->buf + 2) + 4;

-                 page_idx > 4 && r->buf[page_idx - 1] >= 0xb0;

-                 page_idx--) {

+            page_idx = lduw_be_p(r->buf + 2) + 4;

+            page_idx = MIN(page_idx, r->buflen);

+            while (page_idx > 4 && r->buf[page_idx - 1] >= 0xb0) {

                 if (page_idx < r->buflen) {

                     r->buf[page_idx] = r->buf[page_idx - 1];

                 }

+                page_idx--;

+            }

+            if (page_idx < r->buflen) {

+                r->buf[page_idx] = 0xb0;

             }

-            r->buf[page_idx] = 0xb0;

             stw_be_p(r->buf + 2, lduw_be_p(r->buf + 2) + 1);

         }

     }

-- 

1.8.3.1