[PULL 27/45] hw/scsi/spapr_vscsi: Prevent buffer overflow
From: David Gibson
Subject: [PULL 27/45] hw/scsi/spapr_vscsi: Prevent buffer overflow
Date: Tue, 17 Mar 2020 21:04:05 +1100
From: Philippe Mathieu-Daudé <address@hidden>
Depending on the length of sense data, vscsi_send_rsp() can
overrun the buffer size.
Do not copy more than SRP_MAX_IU_DATA_LEN bytes, and assert
that vscsi_send_iu() is always called with a size in range.
Reported-by: Paolo Bonzini <address@hidden>
Suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Philippe Mathieu-Daudé <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
hw/scsi/spapr_vscsi.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/spapr_vscsi.c b/hw/scsi/spapr_vscsi.c
index acf9bb50bc..c4c4f31170 100644
--- a/hw/scsi/spapr_vscsi.c
+++ b/hw/scsi/spapr_vscsi.c
@@ -55,6 +55,8 @@
#define VSCSI_MAX_SECTORS 4096
#define VSCSI_REQ_LIMIT 24
+/* Maximum size of a IU payload */
+#define SRP_MAX_IU_DATA_LEN (SRP_MAX_IU_LEN - sizeof(union srp_iu))
#define SRP_RSP_SENSE_DATA_LEN 18
#define SRP_REPORT_LUNS_WLUN 0xc10100000000000ULL
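Review bot: the new SRP_MAX_IU_DATA_LEN macro is a size_t expression, so if SRP_MAX_IU_LEN were ever smaller than sizeof(union srp_iu) the subtraction would wrap to a huge unsigned value rather than fail, and the later `QEMU_BUILD_BUG_ON(SRP_MAX_IU_DATA_LEN < 4)` would still pass. A build-time check next to the definition, e.g. `QEMU_BUILD_BUG_ON(SRP_MAX_IU_LEN < sizeof(union srp_iu))`, would pin the assumption where it is made. Also, the comment should read "Maximum size of an IU payload".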
@@ -181,6 +183,8 @@ static int vscsi_send_iu(VSCSIState *s, vscsi_req *req,
{
long rc, rc1;
+ assert(length <= SRP_MAX_IU_LEN);
+
/* First copy the SRP */
rc = spapr_vio_dma_write(&s->vdev, req->crq.s.IU_data_ptr,
&req->viosrp_iu_buf, length);
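Review bot: the assertion `assert(length <= SRP_MAX_IU_LEN)` makes an internal invariant explicit, and since `length` is computed by the device model rather than taken from the guest, an abort here is a programming error rather than a guest-reachable crash. It is only sound, though, because every caller now bounds what it puts in viosrp_iu_buf; the vscsi_send_rsp hunk below does that for sense data, so any other path that fills the IU should be checked against the same limit.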
@@ -266,10 +270,12 @@ static int vscsi_send_rsp(VSCSIState *s, vscsi_req *req,
if (status) {
iu->srp.rsp.sol_not = (sol_not & 0x04) >> 2;
if (req->senselen) {
+ int sense_data_len = MIN(req->senselen, SRP_MAX_IU_DATA_LEN);
+
iu->srp.rsp.flags |= SRP_RSP_FLAG_SNSVALID;
- iu->srp.rsp.sense_data_len = cpu_to_be32(req->senselen);
- memcpy(iu->srp.rsp.data, req->sense, req->senselen);
- total_len += req->senselen;
+ iu->srp.rsp.sense_data_len = cpu_to_be32(sense_data_len);
+ memcpy(iu->srp.rsp.data, req->sense, sense_data_len);
+ total_len += sense_data_len;
}
} else {
iu->srp.rsp.sol_not = (sol_not & 0x02) >> 1;
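Review bot: clamping with `MIN(req->senselen, SRP_MAX_IU_DATA_LEN)` fixes the overrun and keeps sense_data_len consistent with the bytes actually copied, but the truncation is silent. Since sense data longer than the IU payload indicates something unexpected upstream, a trace event or at least a comment noting that the sense buffer is truncated would help when debugging a guest that receives a short sense block. The bound is conservative rather than exact, because rsp.data starts no later than the end of union srp_iu, so it does not introduce a new overrun.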
@@ -896,6 +902,7 @@ static int vscsi_process_tsk_mgmt(VSCSIState *s, vscsi_req
*req)
}
/* Compose the response here as */
+ QEMU_BUILD_BUG_ON(SRP_MAX_IU_DATA_LEN < 4);
memset(iu, 0, sizeof(struct srp_rsp) + 4);
iu->srp.rsp.opcode = SRP_RSP;
iu->srp.rsp.req_lim_delta = cpu_to_be32(1);
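Review bot: `QEMU_BUILD_BUG_ON(SRP_MAX_IU_DATA_LEN < 4)` documents why the `memset(iu, 0, sizeof(struct srp_rsp) + 4)` on the next line cannot exceed the IU, which is good; a one-line comment tying the constant 4 to the four bytes of response data written below would make the relationship clearer to the next reader. Note the check depends on SRP_MAX_IU_DATA_LEN not having wrapped (see the macro definition in the first hunk).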
--
2.24.1