From b047726c507a75de2b175cbe9f9dc53feb2b0828 Mon Sep 17 00:00:00 2001
From: Ying Fang
Date: Mon, 9 Mar 2020 20:47:56 +0800
Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)

Pick patch from upstream to fix CVE-2020-1711
upstream url: https://git.qemu.org/?p=qemu.git;a=commit;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc
Signed-off-by: Ying Fang
---
 ...count-from-GET-LBA-STATUS-CVE-2020-1.patch | 58 +++++++++++++++++++
 qemu.spec | 7 ++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch

diff --git a/iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch b/iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
new file mode 100644
index 0000000..e6abdf7
--- /dev/null
+++ b/iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
@@ -0,0 +1,58 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi
+Signed-off-by: Peter Turschmid
+Signed-off-by: Raphael Norwitz
+Signed-off-by: Kevin Wolf
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+-- 
+2.21.1 (Apple Git-122.3)
+
diff --git a/qemu.spec b/qemu.spec
index 0f2214b..add9f38 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.0.1
-Release: 7
+Release: 8
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -42,6 +42,7 @@
 Patch0076: arm-translate-a64-fix-uninitialized-variable-warning.patch
 Patch0077: nbd-fix-uninitialized-variable-warning.patch
 Patch0078: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
 Patch0079: block-fix-memleaks-in-bdrv_refresh_filename.patch
+Patch0080: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -375,6 +376,10 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Mon Mar 9 2020 backport from qemu upstream
+- iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+
 * Thu Feb 6 2020 Huawei Technologies Co., Ltd.
 - spec: remove fno-inline option for configure
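Review bot: `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` in the `@@ -721` hunk of block/iscsi.c is an unguarded unsigned subtraction, so if `lba` were ever at or past `num_blocks` the value would wrap to a huge number and the `MIN()` cap on `*pnum` in the `@@ -764` hunk would silently stop capping. The generic block layer is expected to reject offsets at or beyond the device length before the driver runs, so this appears unreachable, but nothing in the driver states that precondition; a comment such as `/* lba < num_blocks: the block layer rejects offsets past the end of the device */` above the assignment, or a guard `if (lba >= iscsilun->num_blocks)` that leaves through the function's existing error path before the mutex is taken, would make the cap self-contained. Separately, `MIN((int64_t) ..., max_bytes)` compares a signed and an unsigned 64-bit value; both are non-negative here, but declaring `max_bytes` as `int64_t` would avoid the mixed-sign comparison that `-Wsign-compare` may flag. iscsi_co_block_status() begins and ends outside the quoted hunks.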