git.ipfire.org Git - thirdparty/qemu.git/commit

author	Felipe Franciosi <felipe@nutanix.com>
	Thu, 23 Jan 2020 12:44:59 +0000 (12:44 +0000)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Mon, 22 Jun 2020 17:14:48 +0000 (12:14 -0500)
commit	4e98c388d6b07a7b8b760491b07bcfd887c35e23
tree	2de4c7f408cdd3e031f495b152cc009be4f4f67b	tree
parent	54bcaf08d66f9675e5662e061f5c4c0d8f3a2506	commit \| diff

iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)

When querying an iSCSI server for the provisioning status of blocks (via
GET LBA STATUS), Qemu only validates that the response descriptor zero's
LBA matches the one requested. Given the SCSI spec allows servers to
respond with the status of blocks beyond the end of the LUN, Qemu may
have its heap corrupted by clearing/setting too many bits at the end of
its allocmap for the LUN.

A malicious guest in control of the iSCSI server could carefully program
Qemu's heap (by selectively setting the bitmap) and then smash it.

This limits the number of bits that iscsi_co_block_status() will try to
update in the allocmap so it can't overflow the bitmap.

Fixes: CVE-2020-1711
Cc: qemu-stable@nongnu.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>