[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)

From: Philippe Mathieu-Daudé
Subject: Re: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
Date: Fri, 24 Jan 2020 11:04:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2

On 1/23/20 11:58 PM, Peter Lieven wrote:
Am 23.01.2020 um 22:29 schrieb Felipe Franciosi <address@hidden>:
On Jan 23, 2020, at 5:46 PM, Philippe Mathieu-Daudé <address@hidden> wrote:
On 1/23/20 1:44 PM, Felipe Franciosi wrote:
When querying an iSCSI server for the provisioning status of blocks (via
GET LBA STATUS), Qemu only validates that the response descriptor zero's
LBA matches the one requested. Given the SCSI spec allows servers to
respond with the status of blocks beyond the end of the LUN, Qemu may
have its heap corrupted by clearing/setting too many bits at the end of
its allocmap for the LUN.
A malicious guest in control of the iSCSI server could carefully program
Qemu's heap (by selectively setting the bitmap) and then smash it.
This limits the number of bits that iscsi_co_block_status() will try to
update in the allocmap so it can't overflow the bitmap.

Please add:

Fixes: CVE-2020-1711 (title of CVE if possible)

I wasn't sure we had one yet. Kevin: can you do the needful in your branch?

Cc: address@hidden

Yeah, that's there.

Signed-off-by: Felipe Franciosi <address@hidden>
Signed-off-by: Peter Turschmid <address@hidden>
Signed-off-by: Raphael Norwitz <address@hidden>
block/iscsi.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/block/iscsi.c b/block/iscsi.c
index 2aea7e3f13..cbd57294ab 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -701,7 +701,7 @@ static int coroutine_fn 
iscsi_co_block_status(BlockDriverState *bs,
     struct scsi_get_lba_status *lbas = NULL;
     struct scsi_lba_status_descriptor *lbasd = NULL;
     struct IscsiTask iTask;
-    uint64_t lba;
+    uint64_t lba, max_bytes;
     int ret;
       iscsi_co_init_iscsitask(iscsilun, &iTask);
@@ -721,6 +721,7 @@ static int coroutine_fn 
iscsi_co_block_status(BlockDriverState *bs,
       lba = offset / iscsilun->block_size;
+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
@@ -764,7 +765,7 @@ retry:
         goto out_unlock;
-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
       if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {

What about this?

-- >8 --
diff --git a/block/iscsi.c b/block/iscsi.c
index 2aea7e3f13..25598accbb 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -506,6 +506,11 @@ iscsi_allocmap_update(IscsiLun *iscsilun, int64_t offset,
    /* shrink to touch only completely contained clusters */
    cl_num_shrunk = DIV_ROUND_UP(offset, iscsilun->cluster_size);
    nb_cls_shrunk = (offset + bytes) / iscsilun->cluster_size - cl_num_shrunk;
+    if (nb_cls_expanded >= iscsilun->allocmap_size
+        || nb_cls_shrunk >= iscsilun->allocmap_size) {
+        error_report("iSCSI invalid request: ..." /* TODO */);
+        return;
+    }
    if (allocated) {
        bitmap_set(iscsilun->allocmap, cl_num_expanded, nb_cls_expanded);
    } else {

I'm not sure the above is correct because (if I read this right)
nb_cls_* represents the number of clusters, not the last cluster.

Personally, I would have the checks (or "trim"s) closer to where they
were issued (to fail sooner) and assert()s closer to bitmap (as no oob
accesses should be happening at this point). There were also
discussions about using safer (higher level) bitmaps for this. I'm
always in favour of adding all reasonable checks. :)

I would add assertions that cl_num + nb_cls <= allocmap_size before every set 
and clear.

The description starts with "A malicious guest in control of the iSCSI server ..." so asserting (and killing the VM) doesn't seem correct... I suppose the iSCSI protocol has some error to return for invalid requests.

Also shouldn't we report some warning in case of such invalid request? So the management side can look at the 'malicious iSCSI server'?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]