6ca2f341c2
- kvm-ppc-Deassert-the-external-interrupt-pin-in-KVM-on-re.patch [bz#1776638] - kvm-xics-Don-t-deassert-outputs.patch [bz#1776638] - kvm-ppc-Don-t-use-CPUPPCState-irq_input_state-with-moder.patch [bz#1776638] - kvm-trace-update-qemu-trace-stap-to-Python-3.patch [bz#1787395] - kvm-redhat-Remove-redundant-fix-for-qemu-trace-stap.patch [bz#1787395] - kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch [bz#1794503] - kvm-tpm-ppi-page-align-PPI-RAM.patch [bz#1787444] - kvm-target-arm-kvm-trivial-Clean-up-header-documentation.patch [bz#1647366] - kvm-target-arm-kvm64-kvm64-cpus-have-timer-registers.patch [bz#1647366] - kvm-tests-arm-cpu-features-Check-feature-default-values.patch [bz#1647366] - kvm-target-arm-kvm-Implement-virtual-time-adjustment.patch [bz#1647366] - kvm-target-arm-cpu-Add-the-kvm-no-adjvtime-CPU-property.patch [bz#1647366] - kvm-migration-Define-VMSTATE_INSTANCE_ID_ANY.patch [bz#1529231] - kvm-migration-Change-SaveStateEntry.instance_id-into-uin.patch [bz#1529231] - kvm-apic-Use-32bit-APIC-ID-for-migration-instance-ID.patch [bz#1529231] - Resolves: bz#1529231 ([q35] VM hangs after migration with 200 vCPUs) - Resolves: bz#1647366 (aarch64: Add support for the kvm-no-adjvtime ARM CPU feature) - Resolves: bz#1776638 (Guest failed to boot up after system_reset 20 times) - Resolves: bz#1787395 (qemu-trace-stap list : TypeError: startswith first arg must be bytes or a tuple of bytes, not str) - Resolves: bz#1787444 (Broken postcopy migration with vTPM device) - Resolves: bz#1794503 (CVE-2020-1711 qemu-kvm: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-av-8.2.0])
From 1c508d56d154caf5fbf53e7dabafd707236cb16b Mon Sep 17 00:00:00 2001
|
|
From: jmaloy <jmaloy@redhat.com>
|
|
Date: Wed, 29 Jan 2020 13:45:18 +0000
|
|
Subject: [PATCH 06/15] iscsi: Cap block count from GET LBA STATUS
|
|
(CVE-2020-1711)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
RH-Author: jmaloy <jmaloy@redhat.com>
|
|
Message-id: <20200129134518.1293-2-jmaloy@redhat.com>
|
|
Patchwork-id: 93571
|
|
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 1/1] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
|
|
Bugzilla: 1794503
|
|
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
|
|
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
|
|
From: Felipe Franciosi <felipe@nutanix.com>
|
|
|
|
When querying an iSCSI server for the provisioning status of blocks (via
|
|
GET LBA STATUS), Qemu only validates that the response descriptor zero's
|
|
LBA matches the one requested. Given the SCSI spec allows servers to
|
|
respond with the status of blocks beyond the end of the LUN, Qemu may
|
|
have its heap corrupted by clearing/setting too many bits at the end of
|
|
its allocmap for the LUN.
|
|
|
|
A malicious guest in control of the iSCSI server could carefully program
|
|
Qemu's heap (by selectively setting the bitmap) and then smash it.
|
|
|
|
This limits the number of bits that iscsi_co_block_status() will try to
|
|
update in the allocmap so it can't overflow the bitmap.
|
|
|
|
Fixes: CVE-2020-1711
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
|
|
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
|
|
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
|
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
|
(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
|
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
|
|
---
|
|
block/iscsi.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/block/iscsi.c b/block/iscsi.c
|
|
index 2aea7e3..cbd5729 100644
|
|
--- a/block/iscsi.c
|
|
+++ b/block/iscsi.c
|
|
@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
|
|
struct scsi_get_lba_status *lbas = NULL;
|
|
struct scsi_lba_status_descriptor *lbasd = NULL;
|
|
struct IscsiTask iTask;
|
|
- uint64_t lba;
|
|
+ uint64_t lba, max_bytes;
|
|
int ret;
|
|
|
|
iscsi_co_init_iscsitask(iscsilun, &iTask);
|
|
@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
|
|
}
|
|
|
|
lba = offset / iscsilun->block_size;
|
|
+ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
|
|
|
|
qemu_mutex_lock(&iscsilun->mutex);
|
|
retry:
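Review bot: `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` wraps (uint64_t underflow) if `lba` is at or beyond `num_blocks`, and a wrapped `max_bytes` makes the later `MIN()` cap on `*pnum` a no-op, so the fix would silently stop protecting the allocmap in exactly that case. The generic block layer presumably clamps `offset` below the image size before the driver is called, but nothing visible in this hunk establishes `lba < iscsilun->num_blocks`, so the precondition should be made explicit rather than left implicit; either `assert(lba < iscsilun->num_blocks);` before the computation, or `max_bytes = lba < iscsilun->num_blocks ? (iscsilun->num_blocks - lba) * iscsilun->block_size : 0;`. iscsi_co_block_status begins before and continues after this hunk.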
|
|
@@ -764,7 +765,7 @@ retry:
|
|
goto out_unlock;
|
|
}
|
|
|
|
- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
|
|
+ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
|
|
|
|
if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
|
|
lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
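Review bot: The `MIN(..., max_bytes)` cap on `*pnum` carries no explanation of why it exists, and since the description says the function already checks that the returned descriptor's LBA matches the request, a later maintainer could easily take the cap for a redundant bound and drop it. Add a comment above the assignment: `/* A server may report status for blocks past the end of the LUN; cap to the LUN size so the allocmap update below cannot run off the end of the bitmap (CVE-2020-1711). */`. Note also that `MIN()` here compares an `int64_t` product with a `uint64_t`, so the comparison is done unsigned; that is correct only while `max_bytes` is a sane value below `INT64_MAX`, which depends on `lba` not exceeding `num_blocks` where `max_bytes` is computed earlier in the function. iscsi_co_block_status continues beyond this hunk.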
|
|
--
|
|
1.8.3.1
|
|
|