Blame virtio-blk_refuse_SG_IO_requests_with_scsi_off.patch

Justin M. Forbes 45e84a
From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org  Wed Jan 11 03:51:20 2012
Return-Path: <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>
Received: from citysiren.linuxtx.org (localhost [127.0.0.1])
	by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454
	for <jmfmail@localhost>; Wed, 11 Jan 2012 03:51:20 -0600
Delivered-To: jmforbes@linuxtx.org
Received: from gmail-pop.l.google.com [74.125.81.108]
	by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20)
	for <jmfmail@localhost> (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST)
Received: by 10.180.102.100 with SMTP id fn4cs34060wib;
        Wed, 11 Jan 2012 01:48:56 -0800 (PST)
Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564;
        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17])
        by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 11 Jan 2012 01:48:54 -0800 (PST)
Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
Received: from localhost ([::1]:48473 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org>)
	id 1Rkund-0003iT-UQ
	for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500
Received: from eggs.gnu.org ([140.186.70.92]:40037)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1RkunV-0003fY-Vl
	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004zL-Nl
	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500
Received: from mx1.redhat.com ([209.132.183.28]:23781)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1RkunQ-0004vY-3c
	for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:38 -0500
Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com
	[10.36.112.23])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id q0B9magG031084
	for <qemu-stable@nongnu.org>; Wed, 11 Jan 2012 04:48:37 -0500
From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-stable@nongnu.org
Date: Wed, 11 Jan 2012 10:48:33 +0100
Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 209.132.183.28
Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with
	scsi=off
X-BeenThere: qemu-stable@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-stable.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-stable>,
	<mailto:qemu-stable-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-stable>
List-Post: <mailto:qemu-stable@nongnu.org>
List-Help: <mailto:qemu-stable-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-stable>,
	<mailto:qemu-stable-request@nongnu.org?subject=subscribe>
Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org
X-UID: 32                                                 
Status: RO
Content-Length: 1003
Lines: 38

QEMU does have a "scsi" option (to be used like -device
virtio-blk-pci,drive=foo,scsi=off).  However, it only
masks the feature bit, and does not reject the command
if a malicious guest disregards the feature bits and
issues a request.

Without this patch, using scsi=off does not protect you
from CVE-2011-4127.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/virtio-blk.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index b70d116..6cd3164 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
     int status;
     int i;
 
+    if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
+        virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
+        g_free(req);
+        return;
+    }
+
     /*
      * We require at least one output segment each for the virtio_blk_outhdr
      * and the SCSI command block.
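Review bot: the new check at the top of virtio_blk_handle_scsi tests `req->dev->vdev.guest_features`, which is the value the guest acknowledged, so it enforces scsi=off only if feature negotiation already rejects or masks bits the host did not offer. Please confirm that the set-features path does that masking, or test the device's own scsi setting here instead, so that a guest that disregards the feature bits (the case the commit message describes) cannot reach the SG_IO path by acknowledging the bit itself. A short comment saying that this is the enforcement point for scsi=off would help later readers, and `1 << VIRTIO_BLK_F_SCSI` would be cleaner as an unsigned shift since the result is used as a bitmask.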
-- 
1.7.7.1