From: P J P <ppandit@redhat.com>
To: QEMU Developers <qemu-devel@nongnu.org>
Cc: Fam Zheng <fam@euphon.net>, Paolo Bonzini <pbonzini@redhat.com>,
Bugs SysSec <bugs-syssec@rub.de>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
Date: Thu, 8 Aug 2019 12:03:40 +0530 [thread overview]
Message-ID: <20190808063340.23833-1-ppandit@redhat.com> (raw)
From: Prasad J Pandit <pjp@fedoraproject.org>
When executing script in lsi_execute_script(), the LSI scsi
adapter emulator advances 's->dsp' index to read next opcode.
This can lead to an infinite loop if the next opcode is empty.
Exit such loop after reading 10k empty opcodes.
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/scsi/lsi53c895a.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 10468c1ec1..c23a40525e 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1132,7 +1132,10 @@ static void lsi_execute_script(LSIState *s)
s->istat1 |= LSI_ISTAT1_SRUN;
again:
- insn_processed++;
+ if (++insn_processed > 10000) {
+ s->waiting = LSI_NOWAIT;
+ goto exitloop;
+ }
insn = read_dword(s, s->dsp);
if (!insn) {
/* If we receive an empty opcode increment the DSP by 4 bytes
@@ -1569,6 +1572,7 @@ again:
}
}
}
+exitloop:
if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
/* Some windows drivers make the device spin waiting for a memory
location to change. If we have been executed a lot of code then
--
2.21.0
next reply other threads:[~2019-08-08 6:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 6:33 P J P [this message]
2019-08-08 8:20 ` [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068) Stefano Garzarella
2019-08-08 9:35 ` P J P
2019-08-08 9:11 ` Paolo Bonzini
2019-08-08 9:48 ` P J P
2019-08-08 10:29 ` Philippe Mathieu-Daudé
2019-08-08 11:02 ` P J P
2019-08-08 10:42 ` Paolo Bonzini
2019-08-08 11:04 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190808063340.23833-1-ppandit@redhat.com \
--to=ppandit@redhat.com \
--cc=bugs-syssec@rub.de \
--cc=fam@euphon.net \
--cc=pbonzini@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).