From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Chen Qun <kuhn.chenqun@huawei.com>
Cc: qemu-devel@nongnu.org, qemu-trivial@nongnu.org,
Kevin Wolf <kwolf@redhat.com>,
zhang.zhanghailiang@huawei.com, qemu-block@nongnu.org,
"Michael S . Tsirkin" <mst@redhat.com>, Peter Lieven <pl@kamp.de>,
Prasad J Pandit <ppandit@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Euler Robot <euler.robot@huawei.com>,
Max Reitz <mreitz@redhat.com>,
Ronnie Sahlberg <ronniesahlberg@gmail.com>
Subject: Re: [PATCH] block/iscsi:fix heap-buffer-overflow in iscsi_aio_ioctl_cb
Date: Mon, 20 Apr 2020 11:03:50 +0100 [thread overview]
Message-ID: <20200420100350.GL346737@redhat.com> (raw)
In-Reply-To: <20200418062602.10776-1-kuhn.chenqun@huawei.com>
On Sat, Apr 18, 2020 at 02:26:02PM +0800, Chen Qun wrote:
> There is an overflow, the source 'datain.data[2]' is 100 bytes,
> but the 'ss' is 252 bytes.This may cause a security issue because
> we can access a lot of unrelated memory data.
>
> The len for sbp copy data should take the minimum of mx_sb_len and
> sb_len_wr, not the maximum.
>
> If we use iscsi device for VM backend storage, ASAN show stack:
>
> READ of size 252 at 0xfffd149dcfc4 thread T0
> #0 0xaaad433d0d34 in __asan_memcpy (aarch64-softmmu/qemu-system-aarch64+0x2cb0d34)
> #1 0xaaad45f9d6d0 in iscsi_aio_ioctl_cb /qemu/block/iscsi.c:996:9
> #2 0xfffd1af0e2dc (/usr/lib64/iscsi/libiscsi.so.8+0xe2dc)
> #3 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174)
> #4 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac)
> #5 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5
> #6 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9
> #7 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20
> #8 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520
> #9 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5
> #10 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4)
> #11 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9
> #12 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242
> #13 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518
> #14 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9
> #15 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5
> #16 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c)
> #17 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740)
>
> 0xfffd149dcfc4 is located 0 bytes to the right of 100-byte region [0xfffd149dcf60,0xfffd149dcfc4)
> allocated by thread T0 here:
> #0 0xaaad433d1e70 in __interceptor_malloc (aarch64-softmmu/qemu-system-aarch64+0x2cb1e70)
> #1 0xfffd1af0e254 (/usr/lib64/iscsi/libiscsi.so.8+0xe254)
> #2 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174)
> #3 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac)
> #4 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5
> #5 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9
> #6 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20
> #7 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520
> #8 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5
> #9 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4)
> #10 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9
> #11 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242
> #12 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518
> #13 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9
> #14 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5
> #15 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c)
> #16 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740)
>
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> v1->v2:
> Use MIN() macro for mx_sb_len and sb_len_wr.
> (Base comments from Michael S. Tsirkin, Stefan Hajnoczi, Kevin Wolf)
>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Cc: Kevin Wolf <kwolf@redhat.com>
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Cc: Prasad J Pandit <ppandit@redhat.com>
> Cc: Max Reitz <mreitz@redhat.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Peter Lieven <pl@kamp.de>
> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
> Cc: qemu-block@nongnu.org
> ---
> block/iscsi.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
I think it is resonable to include this in 5.0 too.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
WARNING: multiple messages have this Message-ID (diff)
From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Chen Qun <kuhn.chenqun@huawei.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
zhang.zhanghailiang@huawei.com, qemu-block@nongnu.org,
"Michael S . Tsirkin" <mst@redhat.com>,
qemu-trivial@nongnu.org, Peter Lieven <pl@kamp.de>,
qemu-devel@nongnu.org, Prasad J Pandit <ppandit@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Euler Robot <euler.robot@huawei.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Max Reitz <mreitz@redhat.com>,
Ronnie Sahlberg <ronniesahlberg@gmail.com>
Subject: Re: [PATCH] block/iscsi:fix heap-buffer-overflow in iscsi_aio_ioctl_cb
Date: Mon, 20 Apr 2020 11:03:50 +0100 [thread overview]
Message-ID: <20200420100350.GL346737@redhat.com> (raw)
In-Reply-To: <20200418062602.10776-1-kuhn.chenqun@huawei.com>
On Sat, Apr 18, 2020 at 02:26:02PM +0800, Chen Qun wrote:
> There is an overflow, the source 'datain.data[2]' is 100 bytes,
> but the 'ss' is 252 bytes.This may cause a security issue because
> we can access a lot of unrelated memory data.
>
> The len for sbp copy data should take the minimum of mx_sb_len and
> sb_len_wr, not the maximum.
>
> If we use iscsi device for VM backend storage, ASAN show stack:
>
> READ of size 252 at 0xfffd149dcfc4 thread T0
> #0 0xaaad433d0d34 in __asan_memcpy (aarch64-softmmu/qemu-system-aarch64+0x2cb0d34)
> #1 0xaaad45f9d6d0 in iscsi_aio_ioctl_cb /qemu/block/iscsi.c:996:9
> #2 0xfffd1af0e2dc (/usr/lib64/iscsi/libiscsi.so.8+0xe2dc)
> #3 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174)
> #4 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac)
> #5 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5
> #6 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9
> #7 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20
> #8 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520
> #9 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5
> #10 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4)
> #11 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9
> #12 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242
> #13 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518
> #14 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9
> #15 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5
> #16 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c)
> #17 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740)
>
> 0xfffd149dcfc4 is located 0 bytes to the right of 100-byte region [0xfffd149dcf60,0xfffd149dcfc4)
> allocated by thread T0 here:
> #0 0xaaad433d1e70 in __interceptor_malloc (aarch64-softmmu/qemu-system-aarch64+0x2cb1e70)
> #1 0xfffd1af0e254 (/usr/lib64/iscsi/libiscsi.so.8+0xe254)
> #2 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174)
> #3 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac)
> #4 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5
> #5 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9
> #6 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20
> #7 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520
> #8 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5
> #9 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4)
> #10 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9
> #11 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242
> #12 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518
> #13 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9
> #14 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5
> #15 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c)
> #16 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740)
>
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> v1->v2:
> Use MIN() macro for mx_sb_len and sb_len_wr.
> (Base comments from Michael S. Tsirkin, Stefan Hajnoczi, Kevin Wolf)
>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Cc: Kevin Wolf <kwolf@redhat.com>
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Cc: Prasad J Pandit <ppandit@redhat.com>
> Cc: Max Reitz <mreitz@redhat.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Peter Lieven <pl@kamp.de>
> Cc: Ronnie Sahlberg <ronniesahlberg@gmail.com>
> Cc: qemu-block@nongnu.org
> ---
> block/iscsi.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
I think it is resonable to include this in 5.0 too.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-04-20 10:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-18 6:26 [PATCH] block/iscsi:fix heap-buffer-overflow in iscsi_aio_ioctl_cb Chen Qun
2020-04-18 6:26 ` Chen Qun
2020-04-20 10:03 ` Daniel P. Berrangé [this message]
2020-04-20 10:03 ` Daniel P. Berrangé
2020-04-20 13:42 ` Peter Maydell
2020-04-20 13:42 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200420100350.GL346737@redhat.com \
--to=berrange@redhat.com \
--cc=euler.robot@huawei.com \
--cc=kuhn.chenqun@huawei.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pl@kamp.de \
--cc=ppandit@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-trivial@nongnu.org \
--cc=ronniesahlberg@gmail.com \
--cc=stefanha@redhat.com \
--cc=zhang.zhanghailiang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.