[Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

[Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

[Paolo Bonzini]

This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer.  scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Cc: qemu-stable@nongnu.org
---
 hw/scsi/scsi-bus.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index f50b2f0..f0ae462 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
 {
     int rc;
+    int len;
 
     cmd->lba = -1;
-    cmd->len = scsi_cdb_length(buf);
+    len = scsi_cdb_length(buf);
+    if (len < 0) {
+        return -1;
+    }
 
+    cmd->len = len;
     switch (dev->type) {
     case TYPE_TAPE:
         rc = scsi_req_stream_xfer(cmd, dev, buf);
-- 
2.4.3

Re: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

[Daniel P. Berrange]

On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote:
> This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> and newer.  scsi_cdb_length returns -1 as an error value, but the
> caller does not check it.
> 
> Luckily, the massive overflow means that QEMU will just SIGSEGV,
> making the impact much smaller.

FWIW, would be nice to mention which disk frontends could trigger
this bug. eg was it all of the devices in hw/scsi/ or just a subset ?

> 
> Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
> Cc: qemu-stable@nongnu.org
> ---
>  hw/scsi/scsi-bus.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> index f50b2f0..f0ae462 100644
> --- a/hw/scsi/scsi-bus.c
> +++ b/hw/scsi/scsi-bus.c
> @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
>  int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
>  {
>      int rc;
> +    int len;
>  
>      cmd->lba = -1;
> -    cmd->len = scsi_cdb_length(buf);
> +    len = scsi_cdb_length(buf);
> +    if (len < 0) {
> +        return -1;
> +    }
>  
> +    cmd->len = len;
>      switch (dev->type) {
>      case TYPE_TAPE:
>          rc = scsi_req_stream_xfer(cmd, dev, buf);


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

[Paolo Bonzini]

On 22/07/2015 16:27, Daniel P. Berrange wrote:
> On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote:
> > This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> > and newer.  scsi_cdb_length returns -1 as an error value, but the
> > caller does not check it.
> > 
> > Luckily, the massive overflow means that QEMU will just SIGSEGV,
> > making the impact much smaller.
>
> FWIW, would be nice to mention which disk frontends could trigger
> this bug. eg was it all of the devices in hw/scsi/ or just a subset ?

All of them.

Paolo

Re: [Qemu-devel] [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

[Fam Zheng]

On Wed, 07/22 16:18, Paolo Bonzini wrote:
> This is a guest-triggerable buffer overflow present in QEMU 2.2.0
> and newer.  scsi_cdb_length returns -1 as an error value, but the
> caller does not check it.
> 
> Luckily, the massive overflow means that QEMU will just SIGSEGV,
> making the impact much smaller.
> 
> Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
> Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
> Cc: qemu-stable@nongnu.org
> ---
>  hw/scsi/scsi-bus.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> index f50b2f0..f0ae462 100644
> --- a/hw/scsi/scsi-bus.c
> +++ b/hw/scsi/scsi-bus.c
> @@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
>  int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
>  {
>      int rc;
> +    int len;
>  
>      cmd->lba = -1;
> -    cmd->len = scsi_cdb_length(buf);
> +    len = scsi_cdb_length(buf);
> +    if (len < 0) {
> +        return -1;
> +    }
>  
> +    cmd->len = len;
>      switch (dev->type) {
>      case TYPE_TAPE:
>          rc = scsi_req_stream_xfer(cmd, dev, buf);
> -- 
> 2.4.3
> 
> 

Reviewed-by: Fam Zheng <famz@redhat.com>