[Qemu-devel] [PATCH 23/56] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Prasad J Pandit <pjp@fedoraproject.org>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH 23/56] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
Date: Mon,  8 Aug 2016 16:03:54 -0500	[thread overview]
Message-ID: <1470690267-31454-24-git-send-email-mdroth@linux.vnet.ibm.com> (raw)
In-Reply-To: <1470690267-31454-1-git-send-email-mdroth@linux.vnet.ibm.com>

From: Prasad J Pandit <pjp@fedoraproject.org>

Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index e690b4e..e1d6d06 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
     return log;
 }
 
-static void
+static int
 pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
 {
     int i;
@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
     uint32_t req_ring_size, cmp_ring_size;
     m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
 
+    if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+        || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+        return -1;
+    }
     req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
     cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
     txr_len_log2 = pvscsi_log2(req_ring_size - 1);
@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
 
     /* Flush ring state page changes */
     smp_wmb();
+
+    return 0;
 }
 
-static void
+static int
 pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
 {
     int i;
     uint32_t len_log2;
     uint32_t ring_size;
 
+    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+        return -1;
+    }
     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
     len_log2 = pvscsi_log2(ring_size - 1);
 
@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
 
     /* Flush ring state page changes */
     smp_wmb();
+
+    return 0;
 }
 
 static void
@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
     trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
 
     pvscsi_dbg_dump_tx_rings_config(rc);
-    pvscsi_ring_init_data(&s->rings, rc);
+    if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+        return PVSCSI_COMMAND_PROCESSING_FAILED;
+    }
+
     s->rings_info_valid = TRUE;
     return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
 }
@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
     }
 
     if (s->rings_info_valid) {
-        pvscsi_ring_init_msg(&s->rings, rc);
+        if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
+            return PVSCSI_COMMAND_PROCESSING_FAILED;
+        }
         s->msg_ring_info_valid = TRUE;
     }
     return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
-- 
1.9.1

next prev parent reply	other threads:[~2016-08-08 21:05 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-08 21:03 [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 02/56] spice/gl: add & use qemu_spice_gl_monitor_config Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 03/56] vl: change runstate only if new state is different from current state Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 04/56] tools: kvm_stat: Powerpc related fixes Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 05/56] exec.c: Ensure right alignment also for file backed ram Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 06/56] usb:xhci: no DMA on HC reset Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 07/56] target-mips: fix call to memset in soft reset code Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 08/56] target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2 Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 09/56] configure: Allow builds with extra warnings Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 10/56] migration: regain control of images when migration fails to complete Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 11/56] json-streamer: Don't leak tokens on incomplete parse Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 12/56] json-streamer: fix double-free on exiting during a parse Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 13/56] esp: check command buffer length before write(CVE-2016-4439) Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 14/56] esp: check dma length before reading scsi command(CVE-2016-4441) Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 15/56] block/nfs: refuse readahead if cache.direct is on Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 16/56] usb/ohci: Fix crash with when specifying too many num-ports Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 17/56] vga: add sr_vbe register set Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 18/56] vfio: Fix broken EEH Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 19/56] block/iscsi: avoid potential overflow of acb->task->cdb Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 20/56] nbd: Don't trim unrequested bytes Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 21/56] savevm: fail if migration blockers are present Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 22/56] Fix configure test for PBKDF2 in nettle Michael Roth
2016-08-08 21:03 ` Michael Roth [this message]
2016-08-08 21:03 ` [Qemu-devel] [PATCH 24/56] scsi: mptsas: infinite loop while fetching requests Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 25/56] block: Drop bdrv_ioctl_bh_cb Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 26/56] vmsvga: move fifo sanity checks to vmsvga_fifo_length Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 27/56] vmsvga: add more fifo checks Michael Roth
2016-08-08 21:03 ` [Qemu-devel] [PATCH 28/56] vmsvga: shadow fifo registers Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 29/56] vmsvga: don't process more than 1024 fifo commands at once Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 30/56] io: remove mistaken call to object_ref on QTask Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 31/56] ui: fix regression in printing VNC host/port on startup Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 32/56] net: fix qemu_announce_self not emitting packets Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 33/56] backup: Don't leak BackupBlockJob in error path Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 34/56] qcow2: Avoid making the L1 table too big Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 35/56] qapi: Fix crash on missing alternate member of QAPI struct Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 36/56] pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 37/56] vfio/pci: Fix VGA quirks Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 38/56] nbd: Allow larger requests Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 39/56] scsi-generic: Merge block max xfer len in INQUIRY response Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 40/56] scsi: Advertise limits by blocksize, not 512 Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 41/56] target-sparc: fix register corruption in ldstub if there is no write permission Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 42/56] virtio: set low features early on load Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 43/56] Revert "virtio-net: unbreak self announcement and guest offloads after migration" Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 44/56] s390x/ipl: fix reboots for migration from different bios Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 45/56] blockdev: Fix regression with the default naming of throttling groups Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 46/56] qemu-iotests: Test " Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 47/56] util: Fix MIN_NON_ZERO Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 48/56] block/iscsi: fix rounding in iscsi_allocationmap_set Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 49/56] Fix some typos found by codespell Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 50/56] nbd: More debug typo fixes, use correct formats Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 51/56] nbd: Don't use *_to_cpup() functions Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 52/56] nbd: Limit nbdflags to 16 bits Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 53/56] pcie: fix link active status bit migration Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 54/56] target-i386: fix typo in xsetbv implementation Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 55/56] virtio: error out if guest exceeds virtqueue size Michael Roth
2016-08-08 21:04 ` [Qemu-devel] [PATCH 56/56] ide: fix halted IO segfault at reset Michael Roth
2016-08-09 18:34   ` John Snow
2016-08-08 23:40 ` [Qemu-devel] [Qemu-stable] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12 Cole Robinson
2016-08-09 20:04 ` Michael Roth
2016-08-13  1:43   ` Gonglei
2016-08-09 20:12 ` [Qemu-devel] " Bruce Rogers

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e690b4e dfblob:e1d6d06 )
 OR (
bs:"[Qemu-devel] [PATCH 23/56] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1470690267-31454-24-git-send-email-mdroth@linux.vnet.ibm.com \
    --to=mdroth@linux.vnet.ibm.com \
    --cc=pbonzini@redhat.com \
    --cc=pjp@fedoraproject.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-stable@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).