| Message ID | 20181029173437.32559-3-pbonzini@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | scsi-generic: fixes for Block Limits emulation | expand |
On 29/10/18 18:34, Paolo Bonzini wrote: > A device can report an excessive number of VPD pages when asked for a > list; this can cause an out-of-bounds access to buf in > scsi_generic_set_vpd_bl_emulation. It should not happen, but > it is technically not incorrect so handle it: do not check any byte > past the allocation length that was sent to the INQUIRY command. > > Reported-by: Max Reitz <mreitz@redhat.com> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > hw/scsi/scsi-generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c > index aebb7cdd82..c5497bbea8 100644 > --- a/hw/scsi/scsi-generic.c > +++ b/hw/scsi/scsi-generic.c > @@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) > } > > page_len = buf[3]; > - for (i = 4; i < page_len + 4; i++) { > + for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) { > if (buf[i] == 0xb0) { > s->needs_vpd_bl_emulation = false; > return; >
On 29.10.18 18:34, Paolo Bonzini wrote: > A device can report an excessive number of VPD pages when asked for a > list; this can cause an out-of-bounds access to buf in > scsi_generic_set_vpd_bl_emulation. It should not happen, but > it is technically not incorrect so handle it: do not check any byte > past the allocation length that was sent to the INQUIRY command. (Minor note: Since the list must be kept in ascending order, it's fully correct to only check the first sizeof(buf) - 4 == 0xf6 bytes, because it actually has to be at index 0xb0 or before, if the device supports it.) > Reported-by: Max Reitz <mreitz@redhat.com> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > --- > hw/scsi/scsi-generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c > index aebb7cdd82..c5497bbea8 100644 > --- a/hw/scsi/scsi-generic.c > +++ b/hw/scsi/scsi-generic.c > @@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) > } > > page_len = buf[3]; You lost your enthusiasm for fixing the accesses to be proper big-endian 16-bit accesses so quickly? :-) > - for (i = 4; i < page_len + 4; i++) { > + for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) { Reviewed-by: Max Reitz <mreitz@redhat.com> > if (buf[i] == 0xb0) { > s->needs_vpd_bl_emulation = false; > return; >
On 10/29/18 2:34 PM, Paolo Bonzini wrote: > A device can report an excessive number of VPD pages when asked for a > list; this can cause an out-of-bounds access to buf in > scsi_generic_set_vpd_bl_emulation. It should not happen, but > it is technically not incorrect so handle it: do not check any byte > past the allocation length that was sent to the INQUIRY command. > > Reported-by: Max Reitz <mreitz@redhat.com> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> > --- Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> > hw/scsi/scsi-generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c > index aebb7cdd82..c5497bbea8 100644 > --- a/hw/scsi/scsi-generic.c > +++ b/hw/scsi/scsi-generic.c > @@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) > } > > page_len = buf[3]; > - for (i = 4; i < page_len + 4; i++) { > + for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) { > if (buf[i] == 0xb0) { > s->needs_vpd_bl_emulation = false; > return;
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c index aebb7cdd82..c5497bbea8 100644 --- a/hw/scsi/scsi-generic.c +++ b/hw/scsi/scsi-generic.c @@ -538,7 +538,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) } page_len = buf[3]; - for (i = 4; i < page_len + 4; i++) { + for (i = 4; i < MIN(sizeof(buf), page_len + 4); i++) { if (buf[i] == 0xb0) { s->needs_vpd_bl_emulation = false; return;
A device can report an excessive number of VPD pages when asked for a list; this can cause an out-of-bounds access to buf in scsi_generic_set_vpd_bl_emulation. It should not happen, but it is technically not incorrect so handle it: do not check any byte past the allocation length that was sent to the INQUIRY command. Reported-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> --- hw/scsi/scsi-generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)