
Re: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)


From: Kevin Wolf
Subject: Re: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
Date: Thu, 23 Jan 2020 17:59:55 +0100
User-agent: Mutt/1.12.1 (2019-06-15)

On 23.01.2020 at 13:44, Felipe Franciosi wrote:
> When querying an iSCSI server for the provisioning status of blocks (via
> GET LBA STATUS), Qemu only validates that the response descriptor zero's
> LBA matches the one requested. Given the SCSI spec allows servers to
> respond with the status of blocks beyond the end of the LUN, Qemu may
> have its heap corrupted by clearing/setting too many bits at the end of
> its allocmap for the LUN.
> 
> A malicious guest in control of the iSCSI server could carefully program
> Qemu's heap (by selectively setting the bitmap) and then smash it.
> 
> This limits the number of bits that iscsi_co_block_status() will try to
> update in the allocmap so it can't overflow the bitmap.
> 
> Signed-off-by: Felipe Franciosi <address@hidden>
> Signed-off-by: Peter Turschmid <address@hidden>
> Signed-off-by: Raphael Norwitz <address@hidden>

Thanks, applied to the block branch.

Kevin
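The commit message above describes the defect in one sentence: the server's GET LBA STATUS descriptor may legally cover blocks beyond the end of the LUN, and if the block count is used unchecked to set or clear bits in the per-LUN allocation map, the write runs off the end of the bitmap. The following is an added, self-contained illustration of the capping fix it describes; it is not QEMU's code (QEMU's real `iscsi_co_block_status()` and allocmap are not reproduced here), and the `allocmap_t` type, the `allocmap_apply_status()` function and the 100-block LUN are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy allocation map: one bit per block of the LUN. */
typedef struct {
    uint64_t num_blocks;   /* LUN size in blocks; the bitmap covers exactly this many */
    uint8_t *bits;         /* (num_blocks + 7) / 8 bytes, heap-allocated */
} allocmap_t;

static allocmap_t *allocmap_new(uint64_t num_blocks)
{
    allocmap_t *m = calloc(1, sizeof(*m));
    if (!m) return NULL;
    m->num_blocks = num_blocks;
    m->bits = calloc((num_blocks + 7) / 8, 1);
    if (!m->bits) { free(m); return NULL; }
    return m;
}

static void allocmap_free(allocmap_t *m)
{
    if (m) { free(m->bits); free(m); }
}

static bool allocmap_test(const allocmap_t *m, uint64_t blk)
{
    return (m->bits[blk / 8] >> (blk % 8)) & 1u;
}

/*
 * Apply one GET LBA STATUS descriptor (starting LBA, block count, mapped flag)
 * to the map. Returns the number of blocks actually updated, or -1 if the
 * descriptor is rejected. Two checks happen before any bit is touched:
 *  1. the descriptor's LBA must match the LBA that was queried (the check the
 *     commit message says already existed), and
 *  2. the block count is capped at the number of blocks left in the LUN, which
 *     is the fix: without it a count chosen by the server would drive the loop
 *     past the end of m->bits and corrupt whatever follows it on the heap.
 */
static int64_t allocmap_apply_status(allocmap_t *m, uint64_t requested_lba,
                                     uint64_t desc_lba, uint64_t desc_blocks,
                                     bool mapped)
{
    if (desc_lba != requested_lba) return -1;       /* wrong descriptor */
    if (desc_lba >= m->num_blocks) return -1;       /* starts past end of LUN */

    uint64_t remaining = m->num_blocks - desc_lba;  /* no overflow: desc_lba < num_blocks */
    uint64_t nb = desc_blocks < remaining ? desc_blocks : remaining;  /* the cap */

    for (uint64_t i = 0; i < nb; i++) {
        uint64_t blk = desc_lba + i;                /* always < num_blocks */
        if (mapped) m->bits[blk / 8] |= (uint8_t)(1u << (blk % 8));
        else        m->bits[blk / 8] &= (uint8_t)~(1u << (blk % 8));
    }
    return (int64_t)nb;
}

/* Constructed scenario: a 100-block LUN, fully mapped, then a descriptor for
 * LBA 90 claiming one million unmapped blocks. Returns 1 if the update was
 * clamped to the 10 blocks that exist and the rest of the map is untouched. */
static int demo_oversized_descriptor(void)
{
    allocmap_t *m = allocmap_new(100);
    if (!m) return 0;
    int ok = allocmap_apply_status(m, 0, 0, 100, true) == 100
          && allocmap_apply_status(m, 90, 90, 1000000, false) == 10
          && allocmap_test(m, 89) && !allocmap_test(m, 90) && !allocmap_test(m, 99);
    allocmap_free(m);
    return ok;
}

/* Returns 1 if descriptors with a mismatched LBA or a starting LBA at or
 * beyond the end of the LUN are both rejected without touching the map. */
static int demo_rejects_bad_descriptors(void)
{
    allocmap_t *m = allocmap_new(64);
    if (!m) return 0;
    int ok = allocmap_apply_status(m, 10, 11, 5, true) == -1
          && allocmap_apply_status(m, 64, 64, 5, true) == -1
          && !allocmap_test(m, 10) && !allocmap_test(m, 11);
    allocmap_free(m);
    return ok;
}

int main(void)
{
    printf("oversized descriptor clamped: %s\n", demo_oversized_descriptor() ? "yes" : "no");
    printf("bad descriptors rejected:     %s\n", demo_rejects_bad_descriptors() ? "yes" : "no");
    return 0;
}
```

The cap is computed from the map's own size rather than from anything in the response, so the loop bound no longer depends on data the iSCSI server controls; that is the property worth checking in review of any code that turns a wire-format length into a bitmap index.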
