From: Kevin Wolf <kwolf@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
	qemu-stable@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Hanna Reitz <hreitz@redhat.com>, Feifan Qian <bea1e@proton.me>
Subject: Re: [PATCH] virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check (CVE-2026-48914)
Date: Fri, 29 May 2026 16:02:16 +0200	[thread overview]
Message-ID: <ahmcaMGgT0HfpK1Y@redhat.com> (raw)
In-Reply-To: <20260526154957.1741622-1-stefanha@redhat.com>

On 26.05.2026 at 17:49, Stefan Hajnoczi wrote:
> Check that the iovec containing struct virtio_scsi_inhdr is large enough
> before storing an error value there.
> 
> Feifan Qian <bea1e@proton.me> pointed out that this can be used to
> corrupt heap memory when the descriptor uses an MMIO address and a
> length of 1, forcing QEMU to allocate a 1-byte heap bounce buffer.
> virtio_stl_p() stores 4 bytes and therefore corrupts whatever is beyond
> the bounce buffer.
> 
> Fixes: CVE-2026-48914
> Fixes: f34e73cd69bd ("virtio-blk: report non-zero status when failing SG_IO requests")
> Reported-by: Feifan Qian <bea1e@proton.me>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Reviewed-by: Kevin Wolf <kwolf@redhat.com>

> diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> index 9cb9f1fb2b..6b92066aff 100644
> --- a/hw/block/virtio-blk.c
> +++ b/hw/block/virtio-blk.c
> @@ -199,10 +199,16 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
>  
>      /*
>       * The scsi inhdr is placed in the second-to-last input segment, just
> -     * before the regular inhdr.
> +     * before the regular inhdr. VIRTIO implementations normally do not rely on
> +     * the precise message framing, but legacy implementations did and so we do
> +     * too for the legacy virtio-blk SCSI request type.
>       *
>       * Just put anything nonzero so that the ioctl fails in the guest.
>       */
> +    if (elem->in_sg[elem->in_num - 2].iov_len != sizeof(*scsi)) {
> +        status = VIRTIO_BLK_S_IOERR;
> +        goto fail;
> +    }
>      scsi = (void *)elem->in_sg[elem->in_num - 2].iov_base;
>      virtio_stl_p(vdev, &scsi->errors, 255);
>      status = VIRTIO_BLK_S_UNSUPP;
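Review bot: the new check indexes `elem->in_sg[elem->in_num - 2]`, so it still depends on `elem->in_num >= 2` having been established earlier in virtio_blk_handle_scsi(); that validation is outside this hunk, so please confirm it precedes this point, otherwise the index underflows before the length is ever compared. The existing `scsi = (void *)elem->in_sg[elem->in_num - 2].iov_base;` line already carried the same dependency, so this is a pre-existing assumption rather than a new one, but the check is now the first use and a one-line comment saying the segment count was already validated would help the next reader. Also worth noting in the commit message: `!= sizeof(*scsi)` rejects both short and oversized segments, which is stricter than a `<` check; the new comment explains that the legacy SCSI request type relies on exact framing, so that choice is deliberate, but spelling it out in the log avoids a later "relaxation" that would reintroduce the 4-byte store into a shorter bounce buffer.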

What would the guest do if we didn't update scsi->errors, but just
returned VIRTIO_BLK_S_UNSUPP (i.e. removed this whole function)? Shouldn't
that result in an error, too?

Kevin
