From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Wenxiang Qian <leonwxqian@gmail.com>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: [PULL 07/31] ide: atapi: check logical block address and read size (CVE-2020-29443)
Date: Sat, 23 Jan 2021 09:31:04 -0500 [thread overview]
Message-ID: <20210123143128.1167797-8-pbonzini@redhat.com> (raw)
In-Reply-To: <20210123143128.1167797-1-pbonzini@redhat.com>
From: Prasad J Pandit <pjp@fedoraproject.org>
While processing ATAPI cmd_read/cmd_read_cd commands,
Logical Block Address (LBA) maybe invalid OR closer to the last block,
leading to an OOB access issues. Add range check to avoid it.
Fixes: CVE-2020-29443
Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
index e79157863f..b626199e3d 100644
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
int sector_size)
{
+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
+
s->lba = lba;
s->packet_transfer_size = nb_sectors * sector_size;
s->elementary_transfer_size = 0;
@@ -420,6 +422,8 @@ eot:
static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
int sector_size)
{
+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
+
s->lba = lba;
s->packet_transfer_size = nb_sectors * sector_size;
s->io_buffer_size = 0;
@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
static void cmd_read(IDEState *s, uint8_t* buf)
{
- int nb_sectors, lba;
+ unsigned int nb_sectors, lba;
+
+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
+ uint64_t total_sectors = s->nb_sectors >> 2;
if (buf[0] == GPCMD_READ_10) {
nb_sectors = lduw_be_p(buf + 7);
} else {
nb_sectors = ldl_be_p(buf + 6);
}
-
- lba = ldl_be_p(buf + 2);
if (nb_sectors == 0) {
ide_atapi_cmd_ok(s);
return;
}
+ lba = ldl_be_p(buf + 2);
+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
+ return;
+ }
+
ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
}
static void cmd_read_cd(IDEState *s, uint8_t* buf)
{
- int nb_sectors, lba, transfer_request;
+ unsigned int nb_sectors, lba, transfer_request;
- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
- lba = ldl_be_p(buf + 2);
+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
+ uint64_t total_sectors = s->nb_sectors >> 2;
+ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
if (nb_sectors == 0) {
ide_atapi_cmd_ok(s);
return;
}
+ lba = ldl_be_p(buf + 2);
+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
+ return;
+ }
+
transfer_request = buf[9] & 0xf8;
if (transfer_request == 0x00) {
/* nothing */
--
2.26.2
next prev parent reply other threads:[~2021-01-23 14:33 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-23 14:30 [PULL 00/31] Misc patches for 2020-01-21 Paolo Bonzini
2021-01-23 14:30 ` [PULL 01/31] runstate: cleanup reboot and panic actions Paolo Bonzini
2021-01-23 14:30 ` [PULL 02/31] configure: MinGW respect --bindir argument Paolo Bonzini
2021-01-23 14:31 ` [PULL 03/31] x86/cpu: Use max host physical address if -cpu max option is applied Paolo Bonzini
2021-01-23 14:31 ` [PULL 04/31] build-system: clean up TCG/TCI configury Paolo Bonzini
2021-02-06 18:01 ` Philippe Mathieu-Daudé
2021-02-06 19:08 ` Philippe Mathieu-Daudé
2021-01-23 14:31 ` [PULL 05/31] util/cacheflush: Fix error generated by clang Paolo Bonzini
2021-01-23 14:31 ` [PULL 06/31] softmmu/physmem: Silence GCC 10 maybe-uninitialized error Paolo Bonzini
2021-01-23 14:31 ` Paolo Bonzini [this message]
2021-01-23 14:31 ` [PULL 08/31] build-sys: remove unused LIBS Paolo Bonzini
2021-01-23 14:31 ` [PULL 09/31] build-sys: set global arguments for cflags/ldflags Paolo Bonzini
2021-01-23 14:31 ` [PULL 10/31] build-sys: add libvhost-user missing dependencies Paolo Bonzini
2021-01-23 14:31 ` [PULL 11/31] slirp: update to git master Paolo Bonzini
2021-01-23 14:31 ` [PULL 12/31] meson: Declare have_virtfs_proxy_helper in main meson.build Paolo Bonzini
2021-01-23 14:31 ` [PULL 13/31] nsis: adjust for new MinGW paths Paolo Bonzini
2021-01-23 14:31 ` [PULL 14/31] meson: convert wixl detection to Meson Paolo Bonzini
2021-01-23 14:31 ` [PULL 15/31] meson: Summarize information related to directories first Paolo Bonzini
2021-01-23 14:31 ` [PULL 16/31] meson: Display host binaries information altogether Paolo Bonzini
2021-01-23 14:31 ` [PULL 17/31] meson: Summarize overall features altogether Paolo Bonzini
2021-01-23 14:31 ` [PULL 18/31] meson: Summarize compilation-related information altogether Paolo Bonzini
2021-01-23 14:31 ` [PULL 19/31] meson: Display accelerators and selected targets altogether Paolo Bonzini
2021-01-23 14:31 ` [PULL 20/31] meson: Display block layer information altogether Paolo Bonzini
2021-01-23 14:31 ` [PULL 21/31] meson: Display crypto-related " Paolo Bonzini
2021-01-23 14:31 ` [PULL 22/31] meson: Add a section header for library dependencies Paolo Bonzini
2021-01-23 14:31 ` [PULL 23/31] meson.build: Declare global edk2_targets / install_edk2_blobs variables Paolo Bonzini
2021-01-23 14:31 ` [PULL 24/31] meson.build: Detect bzip2 program Paolo Bonzini
2021-01-23 14:31 ` [PULL 25/31] acceptance: switch to QMP change-vnc-password command Paolo Bonzini
2021-01-23 14:31 ` [PULL 26/31] hmp: remove "change vnc TARGET" command Paolo Bonzini
2021-01-23 14:31 ` [PULL 27/31] qmp: remove deprecated "change" command Paolo Bonzini
2021-01-23 14:31 ` [PULL 28/31] vnc: support "-vnc help" Paolo Bonzini
2021-01-23 14:31 ` [PULL 29/31] qemu-option: clean up id vs. list->merge_lists Paolo Bonzini
2021-01-25 7:42 ` Markus Armbruster
2021-01-25 7:58 ` Paolo Bonzini
2021-01-23 14:31 ` [PULL 30/31] qemu-option: move help handling to get_opt_name_value Paolo Bonzini
2021-01-23 14:31 ` [PULL 31/31] qemu-option: warn for short-form boolean options Paolo Bonzini
2021-02-15 19:56 ` Peter Maydell
2021-02-15 23:14 ` Paolo Bonzini
2021-02-16 9:58 ` Peter Maydell
2021-02-16 10:43 ` Paolo Bonzini
2021-02-16 11:04 ` Peter Maydell
2021-02-16 11:23 ` Paolo Bonzini
2021-02-16 11:58 ` Peter Maydell
2021-02-16 13:30 ` Paolo Bonzini
2021-02-16 13:36 ` Peter Maydell
2021-02-16 13:43 ` Paolo Bonzini
2021-02-16 14:11 ` Peter Maydell
2021-02-16 14:45 ` Paolo Bonzini
2021-02-16 14:51 ` Peter Maydell
2021-02-16 14:58 ` Paolo Bonzini
2021-02-16 13:53 ` Daniel P. Berrangé
2021-01-23 14:57 ` [PULL 00/31] Misc patches for 2020-01-21 no-reply
2021-01-23 19:52 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210123143128.1167797-8-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=leonwxqian@gmail.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).