From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44501)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1VnuZX-0002pP-8h
	for qemu-devel@nongnu.org; Tue, 03 Dec 2013 13:19:53 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1VnuZR-0004Uv-9A
	for qemu-devel@nongnu.org; Tue, 03 Dec 2013 13:19:47 -0500
Received: from mail-pb0-f46.google.com ([209.85.160.46]:32852)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <peter.maydell@linaro.org>) id 1VnuZR-0004Un-2n
	for qemu-devel@nongnu.org; Tue, 03 Dec 2013 13:19:41 -0500
Received: by mail-pb0-f46.google.com with SMTP id md12so21725771pbc.33
	for <qemu-devel@nongnu.org>; Tue, 03 Dec 2013 10:19:40 -0800 (PST)
MIME-Version: 1.0
In-Reply-To: <1386087086-3691-23-git-send-email-mst@redhat.com>
References: <1386087086-3691-1-git-send-email-mst@redhat.com>
	<1386087086-3691-23-git-send-email-mst@redhat.com>
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 3 Dec 2013 18:19:18 +0000
Message-ID: <CAFEAcA8tOL2s550TAYKD-FSs1AOePcahS7oB8MiBCpqrTgt8sQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [Qemu-devel] [PATCH 22/23] virtio-scsi: fix buffer overrun on
 invalid state load
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, QEMU Developers <qemu-devel@nongnu.org>, Anthony Liguori <aliguori@amazon.com>, qemu-stable <qemu-stable@nongnu.org>

On 3 December 2013 16:29, Michael S. Tsirkin <mst@redhat.com> wrote:
> CVE-2013-4542
>
> hw/scsi/scsi-bus.c invokes load_request.
>
>  virtio_scsi_load_request does:
>     qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
>
> this probably can make elem invalid, for example,
> make in_num or out_num huge, then:
>
>     virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
>
> will do:
>
>     if (req->elem.out_num > 1) {
>         qemu_sgl_init_external(req, &req->elem.out_sg[1],
>                                &req->elem.out_addr[1],
>                                req->elem.out_num - 1);
>     } else {
>         qemu_sgl_init_external(req, &req->elem.in_sg[1],
>                                &req->elem.in_addr[1],
>                                req->elem.in_num - 1);
>     }
>
> and this will access out of array bounds.
> suggested patch:
>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>  hw/scsi/virtio-scsi.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 26d95a1..51cc929 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -147,6 +147,8 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
>      qemu_get_be32s(f, &n);
>      assert(n < vs->conf.num_queues);
>      qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
> +    assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
> +    assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));

Wouldn't it be better to fail migration, as other patches in
this series do? "Silent security hole if you compile with
-DNDEBUG" is a little bit unfriendly...

thanks
-- PMM