projects / qemu.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fb574de) | patch
iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
authorFelipe Franciosi <felipe@nutanix.com>
Thu, 23 Jan 2020 12:44:59 +0000 (12:44 +0000)
committerKevin Wolf <kwolf@redhat.com>
Mon, 27 Jan 2020 16:19:53 +0000 (17:19 +0100)
commit693fd2acdf14dd86c0bf852610f1c2cca80a74dc
treea9460655995949ae229bab4c755c48e9852d38edtree | snapshot
parentfb574de81bfdd71fdb0315105a3a7761efb68395commit | diff
iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)

When querying an iSCSI server for the provisioning status of blocks (via
GET LBA STATUS), Qemu only validates that the response descriptor zero's
LBA matches the one requested. Given the SCSI spec allows servers to
respond with the status of blocks beyond the end of the LUN, Qemu may
have its heap corrupted by clearing/setting too many bits at the end of
its allocmap for the LUN.

A malicious guest in control of the iSCSI server could carefully program
Qemu's heap (by selectively setting the bitmap) and then smash it.

This limits the number of bits that iscsi_co_block_status() will try to
update in the allocmap so it can't overflow the bitmap.

Fixes: CVE-2020-1711
Cc: qemu-stable@nongnu.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
block/iscsi.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.