From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Wenxiang Qian <leonwxqian@gmail.com>,
	Prasad J Pandit <pjp@fedoraproject.org>
Subject: [PULL 07/31] ide: atapi: check logical block address and read size (CVE-2020-29443)
Date: Sat, 23 Jan 2021 09:31:04 -0500
Message-ID: <20210123143128.1167797-8-pbonzini@redhat.com>
In-Reply-To: <20210123143128.1167797-1-pbonzini@redhat.com>

From: Prasad J Pandit <pjp@fedoraproject.org>

While processing ATAPI cmd_read/cmd_read_cd commands,
the Logical Block Address (LBA) may be invalid or close to the last block,
leading to OOB access issues. Add a range check to avoid it.

Fixes: CVE-2020-29443
Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
index e79157863f..b626199e3d 100644
--- a/hw/ide/atapi.c
+++ b/hw/ide/atapi.c
@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
 static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
                                    int sector_size)
 {
+    assert(0 <= lba && lba < (s->nb_sectors >> 2));
+
     s->lba = lba;
     s->packet_transfer_size = nb_sectors * sector_size;
     s->elementary_transfer_size = 0;
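Review bot: the new assert bounds only the starting lba, not the end of the read, and `s->packet_transfer_size = nb_sectors * sector_size;` two lines below is still computed in int, so the upper end of the range is enforced solely by the checks the callers (cmd_read/cmd_read_cd) perform before calling in. A comment above the assert saying that callers must already have validated lba + nb_sectors against the medium would make that contract explicit, because an assert in a device model turns a future missed caller-side check into an abort of the whole VM rather than an ILLEGAL_REQUEST sense. Keep both halves of the condition: the callers now pass an unsigned int into this int parameter, and the `0 <= lba` half is what catches a value above INT_MAX after the implicit conversion.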
@@ -420,6 +422,8 @@ eot:
 static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
                                    int sector_size)
 {
+    assert(0 <= lba && lba < (s->nb_sectors >> 2));
+
     s->lba = lba;
     s->packet_transfer_size = nb_sectors * sector_size;
     s->io_buffer_size = 0;
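Review bot: this assert is a verbatim copy of the one added to ide_atapi_cmd_read_pio, and `s->nb_sectors >> 2` now appears four times in the file with the same meaning (here, in the PIO path, and in both command handlers). A small static inline helper, for example `atapi_total_sectors(s)` (hypothetical name), used by both assertions and by cmd_read/cmd_read_cd would keep the "logical sectors of 2048 bytes" conversion in one place so the PIO and DMA paths cannot drift apart.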
@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
 
 static void cmd_read(IDEState *s, uint8_t* buf)
 {
-    int nb_sectors, lba;
+    unsigned int nb_sectors, lba;
+
+    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
+    uint64_t total_sectors = s->nb_sectors >> 2;
 
     if (buf[0] == GPCMD_READ_10) {
         nb_sectors = lduw_be_p(buf + 7);
     } else {
         nb_sectors = ldl_be_p(buf + 6);
     }
-
-    lba = ldl_be_p(buf + 2);
     if (nb_sectors == 0) {
         ide_atapi_cmd_ok(s);
         return;
     }
 
+    lba = ldl_be_p(buf + 2);
+    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
+        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
+        return;
+    }
+
     ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
 }
 
 static void cmd_read_cd(IDEState *s, uint8_t* buf)
 {
-    int nb_sectors, lba, transfer_request;
+    unsigned int nb_sectors, lba, transfer_request;
 
-    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
-    lba = ldl_be_p(buf + 2);
+    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
+    uint64_t total_sectors = s->nb_sectors >> 2;
 
+    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
     if (nb_sectors == 0) {
         ide_atapi_cmd_ok(s);
         return;
     }
 
+    lba = ldl_be_p(buf + 2);
+    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
+        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
+        return;
+    }
+
     transfer_request = buf[9] & 0xf8;
     if (transfer_request == 0x00) {
         /* nothing */
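Review bot: in `if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors)` both lba and nb_sectors are unsigned int, so `lba + nb_sectors - 1` is evaluated in 32-bit arithmetic and only the result is widened to uint64_t for the comparison. In cmd_read, for GPCMD_READ_12 nb_sectors is loaded with `ldl_be_p(buf + 6)` and can be large enough that the sum wraps to a value below total_sectors even though lba alone passes the first test. Writing the second condition as `nb_sectors > total_sectors - lba` (well-defined because the first test already guarantees lba < total_sectors, and evaluated in uint64_t) removes the wrap; cmd_read_cd is not affected in practice since its nb_sectors is 24-bit, but using the same form in both keeps them consistent. Two smaller points: the `/* Total logical sectors ... */` comment and the total_sectors computation are duplicated between the two handlers, and the `nb_sectors == 0` early return now runs before the LBA check, so a zero-length read at an out-of-range LBA reports success rather than ILLEGAL_REQUEST; that ordering is defensible but deserves a one-line comment.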
-- 
2.26.2



