Message ID | 20211105113729.530200-1-mcascell@redhat.com
---|---
State | New
Series | hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
On 11/5/21 12:37, Mauro Matteo Cascella wrote: > MODE_PAGE_ALLS causes an off-by-one error in mode_sense_page() when accessing > the stack-allocated mode_sense_valid buffer. MODE_PAGE_ALLS is only valid for > MODE SENSE commands. Do not process it in MODE SELECT commands. > Cc: qemu-stable@nongnu.org > Fixes: CVE-2021-3930 > RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2020588 > Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> > Reported-by: Qiuhao Li <qiuhao.li@outlook.com> See also: https://lore.kernel.org/qemu-devel/20210204225041.1822673-1-philmd@redhat.com/ > --- > hw/scsi/scsi-disk.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c > index e8a547dbb7..5852e8dcfd 100644 > --- a/hw/scsi/scsi-disk.c > +++ b/hw/scsi/scsi-disk.c > @@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, > uint8_t *p = *p_outbuf + 2; > int length; > > + assert(page != MODE_PAGE_ALLS); > if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { > return -1; > } > @@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, > return -1; > } > > + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ > + if (page == MODE_PAGE_ALLS) { > + return -1; > + } > + > p = mode_current; > memset(mode_current, 0, inlen + 2); > len = mode_sense_page(s, page, &p, 0); >
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index e8a547dbb7..5852e8dcfd 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; + assert(page != MODE_PAGE_ALLS); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; } @@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; + } + p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0);
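Review bot: the `assert(page != MODE_PAGE_ALLS);` added at the top of mode_sense_page() turns any remaining caller that passes MODE_PAGE_ALLS from an out-of-bounds read of mode_sense_valid[] into an abort, and because page comes from guest-supplied command data that abort is guest-triggerable; that is an acceptable trade-off for an invariant callers must uphold, but it only excludes this one value and says nothing about page being within the bounds of mode_sense_valid[] in general. Suggest a comment beside the assert stating that callers are responsible for filtering MODE_PAGE_ALLS before calling (the MODE SELECT path now does; the MODE SENSE path is not in this diff) and, if mode_sense_valid[] is deliberately sized to exclude that page code, saying so there, so the link between the assert and the array size is visible at the point of use.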
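Review bot: the early `if (page == MODE_PAGE_ALLS) { return -1; }` in scsi_disk_check_mode_select() sits before memset(mode_current, ...) and the mode_sense_page() call and returns the same -1 as the preceding check, so the caller's existing error handling covers it. The comment, however, only says ALLS is MODE SENSE-only; a reader will not learn that the reason for rejecting it here is the mode_sense_valid[] indexing described in the commit message. Suggest extending it, e.g. `/* MODE_PAGE_ALLS is only valid for MODE SENSE; mode_sense_page() must not index mode_sense_valid[] with it */`. This fix also relies on this function being the only MODE SELECT entry into mode_sense_page(); the assert in the first hunk is what catches any other path, so it is worth stating in the commit message that no other caller can reach mode_sense_page() with this value.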
MODE_PAGE_ALLS causes an off-by-one error in mode_sense_page() when accessing the stack-allocated mode_sense_valid buffer. MODE_PAGE_ALLS is only valid for MODE SENSE commands. Do not process it in MODE SELECT commands.

Fixes: CVE-2021-3930
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2020588
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Qiuhao Li <qiuhao.li@outlook.com>
---
hw/scsi/scsi-disk.c | 6 ++++++
1 file changed, 6 insertions(+)