5a0f88db96
Fix CVE-2013-4148 (bnc#864812), CVE-2013-4149 (bnc#864649), CVE-2013-4150 (bnc#864650), CVE-2013-4151 (bnc#864653), CVE-2013-4526 (bnc#864671), CVE-2013-4527 (bnc#864673), CVE-2013-4529 (bnc#864678), CVE-2013-4530 (bnc#864682), CVE-2013-4531 (bnc#864796), CVE-2013-4533 (bnc#864655), CVE-2013-4534 (bnc#864811), CVE-2013-4535 / CVE-2013-4536 (bnc#864665), CVE-2013-4537 (bnc#864391), CVE-2013-4538 (bnc#864769), CVE-2013-4539 (bnc#864805), CVE-2013-4540 (bnc#864801), CVE-2013-4541 (bnc#864802), CVE-2013-4542 (bnc#864804), CVE-2013-6399 (bnc#864814), CVE-2014-0182 (bnc#874788) OBS-URL: https://build.opensuse.org/request/show/235280 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=211
70 lines
2.4 KiB
Diff
70 lines
2.4 KiB
Diff
From 2f55ce6ce26c16796443a7765a7d5fad157340ed Mon Sep 17 00:00:00 2001
|
|
From: "Michael S. Tsirkin" <mst@redhat.com>
|
|
Date: Thu, 3 Apr 2014 19:52:17 +0300
|
|
Subject: [PATCH] virtio-scsi: fix buffer overrun on invalid state load
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2013-4542
|
|
|
|
hw/scsi/scsi-bus.c invokes load_request.
|
|
|
|
virtio_scsi_load_request does:
|
|
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
|
|
|
|
this probably can make elem invalid, for example,
|
|
make in_num or out_num huge, then:
|
|
|
|
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
|
|
|
|
will do:
|
|
|
|
if (req->elem.out_num > 1) {
|
|
qemu_sgl_init_external(req, &req->elem.out_sg[1],
|
|
&req->elem.out_addr[1],
|
|
req->elem.out_num - 1);
|
|
} else {
|
|
qemu_sgl_init_external(req, &req->elem.in_sg[1],
|
|
&req->elem.in_addr[1],
|
|
req->elem.in_num - 1);
|
|
}
|
|
|
|
and this will access out of array bounds.
|
|
|
|
Note: this adds security checks within assert calls since
|
|
SCSIBusInfo's load_request cannot fail.
|
|
For now simply disable builds with NDEBUG - there seems
|
|
to be little value in supporting these.
|
|
|
|
Cc: Andreas Färber <afaerber@suse.de>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Juan Quintela <quintela@redhat.com>
|
|
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
|
|
[AF: BNC#864804]
|
|
Signed-off-by: Andreas Färber <afaerber@suse.de>
|
|
---
|
|
hw/scsi/virtio-scsi.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
|
|
index b0d7517..1752193 100644
|
|
--- a/hw/scsi/virtio-scsi.c
|
|
+++ b/hw/scsi/virtio-scsi.c
|
|
@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
|
|
qemu_get_be32s(f, &n);
|
|
assert(n < vs->conf.num_queues);
|
|
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
|
|
+ /* TODO: add a way for SCSIBusInfo's load_request to fail,
|
|
+ * and fail migration instead of asserting here.
|
|
+ * When we do, we might be able to re-enable NDEBUG below.
|
|
+ */
|
|
+#ifdef NDEBUG
|
|
+#error building with NDEBUG is not supported
|
|
+#endif
|
|
+ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
|
|
+ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
|
|
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
|
|
|
|
scsi_req_ref(sreq);
|