From: Paolo Bonzini <pbonzini@redhat.com>
To: P J P <ppandit@redhat.com>, QEMU Developers <qemu-devel@nongnu.org>
Cc: Fam Zheng <fam@euphon.net>, Bugs SysSec <bugs-syssec@rub.de>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
Date: Thu, 8 Aug 2019 11:11:20 +0200 [thread overview]
Message-ID: <aa654255-8124-8a76-56c8-47c8bdf19a08@redhat.com> (raw)
In-Reply-To: <20190808063340.23833-1-ppandit@redhat.com>
On 08/08/19 08:33, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When executing script in lsi_execute_script(), the LSI scsi
> adapter emulator advances 's->dsp' index to read next opcode.
> This can lead to an infinite loop if the next opcode is empty.
> Exit such loop after reading 10k empty opcodes.
>
> Reported-by: Bugs SysSec <bugs-syssec@rub.de>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/scsi/lsi53c895a.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> index 10468c1ec1..c23a40525e 100644
> --- a/hw/scsi/lsi53c895a.c
> +++ b/hw/scsi/lsi53c895a.c
> @@ -1132,7 +1132,10 @@ static void lsi_execute_script(LSIState *s)
>
> s->istat1 |= LSI_ISTAT1_SRUN;
> again:
> - insn_processed++;
> + if (++insn_processed > 10000) {
> + s->waiting = LSI_NOWAIT;
> + goto exitloop;
> + }
> insn = read_dword(s, s->dsp);
> if (!insn) {
> /* If we receive an empty opcode increment the DSP by 4 bytes
> @@ -1569,6 +1572,7 @@ again:
> }
> }
> }
> +exitloop:
> if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
> /* Some windows drivers make the device spin waiting for a memory
> location to change. If we have been executed a lot of code then
>
I am not sure this is worth a CVE. The kernel can cause QEMU to break,
but is there a practical case in which an unprivileged user can do that?
Paolo
next prev parent reply other threads:[~2019-08-08 9:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 6:33 [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068) P J P
2019-08-08 8:20 ` Stefano Garzarella
2019-08-08 9:35 ` P J P
2019-08-08 9:11 ` Paolo Bonzini [this message]
2019-08-08 9:48 ` P J P
2019-08-08 10:29 ` Philippe Mathieu-Daudé
2019-08-08 11:02 ` P J P
2019-08-08 10:42 ` Paolo Bonzini
2019-08-08 11:04 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa654255-8124-8a76-56c8-47c8bdf19a08@redhat.com \
--to=pbonzini@redhat.com \
--cc=bugs-syssec@rub.de \
--cc=fam@euphon.net \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).