!13 Fix-CVE-2020-1711

Merge pull request !13 from FangYing/fix-CVE-2020-1711
2020-03-10 11:07:38 +08:00 · 2020-03-10 11:07:38 +08:00 · a3315051ea
commit a3315051ea
parent a7a219f0e2 046e9d4f2c
2 changed files with 95 additions and 32 deletions
--- a/iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
+++ b/iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
@ -0,0 +1,58 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
+++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     struct scsi_get_lba_status *lbas = NULL;
+     struct scsi_lba_status_descriptor *lbasd = NULL;
+     struct IscsiTask iTask;
+-    uint64_t lba;
+    uint64_t lba, max_bytes;
+     int ret;
+ 
+     iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     }
+ 
+     lba = offset / iscsilun->block_size;
+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+ 
+     qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+         goto out_unlock;
+     }
+ 
+-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+ 
+     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+-- 
+2.21.1 (Apple Git-122.3)
+
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.0.1
-Release: 7
+Release: 8
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@ -11,37 +11,38 @@ Source2: 99-qemu-guest-agent.rules
 Source3: bridge.conf

 Patch0001: qxl-check-release-info-object.patch
-Patch0004: ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
-Patch0005: pl011-reset-read-FIFO-when-UARTTIMSC-0-UARTICR-0xfff.patch
-Patch0006: pl031-support-rtc-timer-property-for-pl031.patch
-Patch0007: vhost-cancel-migration-when-vhost-user-restarted.patch
-Patch0008: qcow2-fix-memory-leak-in-qcow2_read_extensions.patch
-Patch0009: hw-arm-expose-host-CPU-frequency-info-to-guest.patch
-Patch0038: qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
-Patch0039: qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
-Patch0040: smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
-Patch0041: hw-arm-virt-Introduce-cpu-topology-support.patch
-Patch0042: hw-arm64-add-vcpu-cache-info-support.patch
-Patch0043: xhci-Fix-memory-leak-in-xhci_address_slot.patch
-Patch0044: xhci-Fix-memory-leak-in-xhci_kick_epctx.patch
-Patch0045: ehci-fix-queue-dev-null-ptr-dereference.patch
-Patch0046: memory-unref-the-memory-region-in-simplify-flatview.patch
-Patch0048: util-async-hold-AioContext-ref-to-prevent-use-after-free.patch
-Patch0049: vhost-user-scsi-prevent-using-uninitialized-vqs.patch
-Patch0050: cpu-add-Kunpeng-920-cpu-support.patch
-Patch0051: cpu-parse-feature-to-avoid-failure.patch
-Patch0052: cpu-add-Cortex-A72-processor-kvm-target-support.patch
-Patch0053: vnc-fix-memory-leak-when-vnc-disconnect.patch
-Patch0054: pcie-disable-the-PCI_EXP_LINKSTA_DLLA-cap.patch
-Patch0071: linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
-Patch0072: intc-arm_gic-Support-IRQ-injection-for-more-than-256.patch
-Patch0073: ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp_.patch
-Patch0074: 9pfs-local-Fix-possible-memory-leak-in-local_link.patch
-Patch0075: scsi-disk-define-props-in-scsi_block_disk-to-avoid-memleaks.patch
-Patch0076: arm-translate-a64-fix-uninitialized-variable-warning.patch
-Patch0077: nbd-fix-uninitialized-variable-warning.patch
-Patch0078: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
-Patch0079: block-fix-memleaks-in-bdrv_refresh_filename.patch
+Patch0002: ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
+Patch0003: pl011-reset-read-FIFO-when-UARTTIMSC-0-UARTICR-0xfff.patch
+Patch0004: pl031-support-rtc-timer-property-for-pl031.patch
+Patch0005: vhost-cancel-migration-when-vhost-user-restarted.patch
+Patch0006: qcow2-fix-memory-leak-in-qcow2_read_extensions.patch
+Patch0007: hw-arm-expose-host-CPU-frequency-info-to-guest.patch
+Patch0008: qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
+Patch0009: qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
+Patch0010: smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
+Patch0011: hw-arm-virt-Introduce-cpu-topology-support.patch
+Patch0012: hw-arm64-add-vcpu-cache-info-support.patch
+Patch0013: xhci-Fix-memory-leak-in-xhci_address_slot.patch
+Patch0014: xhci-Fix-memory-leak-in-xhci_kick_epctx.patch
+Patch0015: ehci-fix-queue-dev-null-ptr-dereference.patch
+Patch0016: memory-unref-the-memory-region-in-simplify-flatview.patch
+Patch0017: util-async-hold-AioContext-ref-to-prevent-use-after-free.patch
+Patch0018: vhost-user-scsi-prevent-using-uninitialized-vqs.patch
+Patch0019: cpu-add-Kunpeng-920-cpu-support.patch
+Patch0020: cpu-parse-feature-to-avoid-failure.patch
+Patch0021: cpu-add-Cortex-A72-processor-kvm-target-support.patch
+Patch0022: vnc-fix-memory-leak-when-vnc-disconnect.patch
+Patch0023: pcie-disable-the-PCI_EXP_LINKSTA_DLLA-cap.patch
+Patch0024: linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
+Patch0025: intc-arm_gic-Support-IRQ-injection-for-more-than-256.patch
+Patch0026: ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp_.patch
+Patch0027: 9pfs-local-Fix-possible-memory-leak-in-local_link.patch
+Patch0028: scsi-disk-define-props-in-scsi_block_disk-to-avoid-memleaks.patch
+Patch0029: arm-translate-a64-fix-uninitialized-variable-warning.patch
+Patch0030: nbd-fix-uninitialized-variable-warning.patch
+Patch0031: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
+Patch0032: block-fix-memleaks-in-bdrv_refresh_filename.patch
+Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch

 BuildRequires: flex
 BuildRequires: bison
@ -375,6 +376,10 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Mon Mar 9 2020 backport from qemu upstream
+- iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+
 * Thu Feb  6 2020 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
 - spec: remove fno-inline option for configure