diff options
| author | Felipe Franciosi <felipe@nutanix.com> | 2020-01-23 12:44:59 +0000 |
|---|---|---|
| committer | Kevin Wolf <kwolf@redhat.com> | 2020-01-27 17:19:53 +0100 |
| commit | 693fd2acdf14dd86c0bf852610f1c2cca80a74dc (patch) | |
| tree | a9460655995949ae229bab4c755c48e9852d38ed /hw | |
| parent | fb574de81bfdd71fdb0315105a3a7761efb68395 (diff) | |
iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
When querying an iSCSI server for the provisioning status of blocks (via
GET LBA STATUS), Qemu only validates that the response descriptor zero's
LBA matches the one requested. Given the SCSI spec allows servers to
respond with the status of blocks beyond the end of the LUN, Qemu may
have its heap corrupted by clearing/setting too many bits at the end of
its allocmap for the LUN.
A malicious guest in control of the iSCSI server could carefully program
Qemu's heap (by selectively setting the bitmap) and then smash it.
This limits the number of bits that iscsi_co_block_status() will try to
update in the allocmap so it can't overflow the bitmap.
Fixes: CVE-2020-1711
Cc: qemu-stable@nongnu.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'hw')
0 files changed, 0 insertions, 0 deletions