Re: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
From: Kevin Wolf
Date: Thu, 23 Jan 2020 17:59:55 +0100
User-agent: Mutt/1.12.1 (2019-06-15)

On 23.01.2020 at 13:44, Felipe Franciosi wrote:
> When querying an iSCSI server for the provisioning status of blocks (via
> GET LBA STATUS), Qemu only validates that the response descriptor zero's
> LBA matches the one requested. Given the SCSI spec allows servers to
> respond with the status of blocks beyond the end of the LUN, Qemu may
> have its heap corrupted by clearing/setting too many bits at the end of
> its allocmap for the LUN.
>
> A malicious guest in control of the iSCSI server could carefully program
> Qemu's heap (by selectively setting the bitmap) and then smash it.
>
> This limits the number of bits that iscsi_co_block_status() will try to
> update in the allocmap so it can't overflow the bitmap.
>
> Signed-off-by: Felipe Franciosi <address@hidden>
> Signed-off-by: Peter Turschmid <address@hidden>
> Signed-off-by: Raphael Norwitz <address@hidden>
Thanks, applied to the block branch.
Kevin
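
The cap described in the quoted commit message, as an added example in C (not the QEMU patch and not code from this thread). It assumes a simplified map with one bit per block and a 32-bit block count in the descriptor; the names `lun_map`, `cap_block_count` and `apply_descriptor` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for a per-LUN allocation bitmap:
 * one bit per block. Names are illustrative, not QEMU's. */
struct lun_map {
    uint64_t num_blocks;   /* LUN size in blocks */
    uint8_t *bits;         /* (num_blocks + 7) / 8 bytes, zero-initialised */
};

static int lun_map_init(struct lun_map *m, uint64_t num_blocks)
{
    m->num_blocks = num_blocks;
    m->bits = calloc((num_blocks + 7) / 8, 1);
    return m->bits ? 0 : -1;
}

/* Clamp a server-reported extent [lba, lba + count) to the LUN.
 * Returns how many blocks may be touched without leaving the map. */
static uint64_t cap_block_count(const struct lun_map *m,
                                uint64_t lba, uint64_t count)
{
    if (lba >= m->num_blocks) {
        return 0;                          /* extent starts past the end */
    }
    uint64_t room = m->num_blocks - lba;   /* cannot underflow here */
    return count < room ? count : room;    /* never computes lba + count */
}

/* Apply one status descriptor to the map; returns the blocks updated.
 * reported_blocks comes from the server and is not trusted. */
static uint64_t apply_descriptor(struct lun_map *m, uint64_t lba,
                                 uint32_t reported_blocks, int allocated)
{
    uint64_t n = cap_block_count(m, lba, reported_blocks);
    for (uint64_t i = lba; i < lba + n; i++) {
        uint8_t mask = (uint8_t)(1u << (i % 8));
        if (allocated) {
            m->bits[i / 8] |= mask;
        } else {
            m->bits[i / 8] &= (uint8_t)~mask;
        }
    }
    return n;
}
```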