git.ipfire.org Git - thirdparty/qemu.git/commit

author	Michael S. Tsirkin <mst@redhat.com>
	Thu, 3 Apr 2014 16:52:17 +0000 (19:52 +0300)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 26 Jun 2014 19:21:30 +0000 (14:21 -0500)
commit	a7fcb4c5e0ef930e102efba44cb04a8d8182b321
tree	b3c231454176b0d38ac0a4ef70a232abcff9f1c3	tree
parent	8d948a000d4963fe5ef20ba8478a0119b659c4ad	commit \| diff

virtio-scsi: fix buffer overrun on invalid state load

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>