summaryrefslogtreecommitdiff
path: root/user/qemu/CVE-2020-1711.patch
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2020-03-24 17:26:38 -0500
committerMax Rees <maxcrees@me.com>2020-03-24 17:26:38 -0500
commitffd6e687a5d0029a192bf16b220ccbfbb21bdd81 (patch)
tree32bdcf4f8e9d2cf14c865ac27df6ab028e420871 /user/qemu/CVE-2020-1711.patch
parent20f2af5a8c48426fd0ee30b6865942256a072274 (diff)
downloadpackages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.tar.gz
packages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.tar.bz2
packages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.tar.xz
packages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.zip
user/qemu: [CVE] bump to 4.2.0 (#121)
* SSH block device support is dropped until we ship libssh (upstream switched away from libssh2) * system-ppcemb target dropped upstream * Switched to user/libslirp (4.2.0) instead of vendored copy (4.1.0) which fixes several CVEs (included in these secfixes for this time only; future secfixes for libslirp should be in user/libslirp with a rebuild of qemu for the statically linked bits).
Diffstat (limited to 'user/qemu/CVE-2020-1711.patch')
-rw-r--r--user/qemu/CVE-2020-1711.patch61
1 files changed, 61 insertions, 0 deletions
diff --git a/user/qemu/CVE-2020-1711.patch b/user/qemu/CVE-2020-1711.patch
new file mode 100644
index 000000000..c57b5c984
--- /dev/null
+++ b/user/qemu/CVE-2020-1711.patch
@@ -0,0 +1,61 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+2.25.1
+