* [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
@ 2019-08-08 6:33 P J P
2019-08-08 8:20 ` Stefano Garzarella
2019-08-08 9:11 ` Paolo Bonzini
0 siblings, 2 replies; 9+ messages in thread
From: P J P @ 2019-08-08 6:33 UTC (permalink / raw)
To: QEMU Developers; +Cc: Fam Zheng, Paolo Bonzini, Bugs SysSec, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
When executing script in lsi_execute_script(), the LSI scsi
adapter emulator advances 's->dsp' index to read next opcode.
This can lead to an infinite loop if the next opcode is empty.
Exit such loop after reading 10k empty opcodes.
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/scsi/lsi53c895a.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 10468c1ec1..c23a40525e 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1132,7 +1132,10 @@ static void lsi_execute_script(LSIState *s)
s->istat1 |= LSI_ISTAT1_SRUN;
again:
- insn_processed++;
+ if (++insn_processed > 10000) {
+ s->waiting = LSI_NOWAIT;
+ goto exitloop;
+ }
insn = read_dword(s, s->dsp);
if (!insn) {
/* If we receive an empty opcode increment the DSP by 4 bytes
@@ -1569,6 +1572,7 @@ again:
}
}
}
+exitloop:
if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
/* Some windows drivers make the device spin waiting for a memory
location to change. If we have been executed a lot of code then
--
2.21.0
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 6:33 [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068) P J P
@ 2019-08-08 8:20 ` Stefano Garzarella
2019-08-08 9:35 ` P J P
2019-08-08 9:11 ` Paolo Bonzini
1 sibling, 1 reply; 9+ messages in thread
From: Stefano Garzarella @ 2019-08-08 8:20 UTC (permalink / raw)
To: P J P
Cc: Fam Zheng, Paolo Bonzini, Bugs SysSec, QEMU Developers, Prasad J Pandit
On Thu, Aug 08, 2019 at 12:03:40PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When executing script in lsi_execute_script(), the LSI scsi
> adapter emulator advances 's->dsp' index to read next opcode.
> This can lead to an infinite loop if the next opcode is empty.
> Exit such loop after reading 10k empty opcodes.
>
> Reported-by: Bugs SysSec <bugs-syssec@rub.de>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/scsi/lsi53c895a.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> index 10468c1ec1..c23a40525e 100644
> --- a/hw/scsi/lsi53c895a.c
> +++ b/hw/scsi/lsi53c895a.c
> @@ -1132,7 +1132,10 @@ static void lsi_execute_script(LSIState *s)
>
> s->istat1 |= LSI_ISTAT1_SRUN;
> again:
> - insn_processed++;
> + if (++insn_processed > 10000) {
^
Since we are using this "magic" number in several lines,
should we define a macro?
Thanks,
Stefano
> + s->waiting = LSI_NOWAIT;
> + goto exitloop;
> + }
> insn = read_dword(s, s->dsp);
> if (!insn) {
> /* If we receive an empty opcode increment the DSP by 4 bytes
> @@ -1569,6 +1572,7 @@ again:
> }
> }
> }
> +exitloop:
> if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
> /* Some windows drivers make the device spin waiting for a memory
> location to change. If we have been executed a lot of code then
> --
> 2.21.0
>
>
--
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 6:33 [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068) P J P
2019-08-08 8:20 ` Stefano Garzarella
@ 2019-08-08 9:11 ` Paolo Bonzini
2019-08-08 9:48 ` P J P
1 sibling, 1 reply; 9+ messages in thread
From: Paolo Bonzini @ 2019-08-08 9:11 UTC (permalink / raw)
To: P J P, QEMU Developers; +Cc: Fam Zheng, Bugs SysSec, Prasad J Pandit
On 08/08/19 08:33, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When executing script in lsi_execute_script(), the LSI scsi
> adapter emulator advances 's->dsp' index to read next opcode.
> This can lead to an infinite loop if the next opcode is empty.
> Exit such loop after reading 10k empty opcodes.
>
> Reported-by: Bugs SysSec <bugs-syssec@rub.de>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/scsi/lsi53c895a.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> index 10468c1ec1..c23a40525e 100644
> --- a/hw/scsi/lsi53c895a.c
> +++ b/hw/scsi/lsi53c895a.c
> @@ -1132,7 +1132,10 @@ static void lsi_execute_script(LSIState *s)
>
> s->istat1 |= LSI_ISTAT1_SRUN;
> again:
> - insn_processed++;
> + if (++insn_processed > 10000) {
> + s->waiting = LSI_NOWAIT;
> + goto exitloop;
> + }
> insn = read_dword(s, s->dsp);
> if (!insn) {
> /* If we receive an empty opcode increment the DSP by 4 bytes
> @@ -1569,6 +1572,7 @@ again:
> }
> }
> }
> +exitloop:
> if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
> /* Some windows drivers make the device spin waiting for a memory
> location to change. If we have been executed a lot of code then
>
I am not sure this is worth a CVE. The kernel can cause QEMU to break,
but is there a practical case in which an unprivileged user can do that?
Paolo
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 8:20 ` Stefano Garzarella
@ 2019-08-08 9:35 ` P J P
0 siblings, 0 replies; 9+ messages in thread
From: P J P @ 2019-08-08 9:35 UTC (permalink / raw)
To: Stefano Garzarella; +Cc: Fam Zheng, Paolo Bonzini, Bugs SysSec, QEMU Developers
+-- On Thu, 8 Aug 2019, Stefano Garzarella wrote --+
| > + if (++insn_processed > 10000) {
| ^
| Since we are using this "magic" number in several lines,
| should we define a macro?
Sent patch v2. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 9:11 ` Paolo Bonzini
@ 2019-08-08 9:48 ` P J P
2019-08-08 10:29 ` Philippe Mathieu-Daudé
2019-08-08 10:42 ` Paolo Bonzini
0 siblings, 2 replies; 9+ messages in thread
From: P J P @ 2019-08-08 9:48 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Fam Zheng, Bugs SysSec, QEMU Developers
+-- On Thu, 8 Aug 2019, Paolo Bonzini wrote --+
| I am not sure this is worth a CVE.
True, it is a low one, as QEMU consumes cycles on the host.
| The kernel can cause QEMU to break, but is there a practical case in which
| an unprivileged user can do that?
QEMU does not break, it keeps running in interruptible sleep 'S' state.
They've a reproducer wherein guest does mmio calls to trigger the issue.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 9:48 ` P J P
@ 2019-08-08 10:29 ` Philippe Mathieu-Daudé
2019-08-08 11:02 ` P J P
2019-08-08 10:42 ` Paolo Bonzini
1 sibling, 1 reply; 9+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-08-08 10:29 UTC (permalink / raw)
To: P J P, Paolo Bonzini; +Cc: Fam Zheng, Bugs SysSec, QEMU Developers
On 8/8/19 11:48 AM, P J P wrote:
> +-- On Thu, 8 Aug 2019, Paolo Bonzini wrote --+
> | I am not sure this is worth a CVE.
>
> True, it is a low one, as QEMU consumes cycles on the host.
>
> | The kernel can cause QEMU to break, but is there a practical case in which
> | an unprivileged user can do that?
>
> QEMU does not break, it keeps running in interruptible sleep 'S' state.
> They've a reproducer wherein guest does mmio calls to trigger the issue.
From user-mode? As unprivileged user?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 9:48 ` P J P
2019-08-08 10:29 ` Philippe Mathieu-Daudé
@ 2019-08-08 10:42 ` Paolo Bonzini
2019-08-08 11:04 ` P J P
1 sibling, 1 reply; 9+ messages in thread
From: Paolo Bonzini @ 2019-08-08 10:42 UTC (permalink / raw)
To: P J P; +Cc: Fam Zheng, Bugs SysSec, QEMU Developers
On 08/08/19 11:48, P J P wrote:
> +-- On Thu, 8 Aug 2019, Paolo Bonzini wrote --+
> | I am not sure this is worth a CVE.
>
> True, it is a low one, as QEMU consumes cycles on the host.
A guest that runs an infinite loop would be an easier way to do that. I
suppose this one also blocks the monitor, but then "kill -9" is always
your friend. :)
Paolo
> | The kernel can cause QEMU to break, but is there a practical case in which
> | an unprivileged user can do that?
>
> QEMU does not break, it keeps running in interruptible sleep 'S' state.
> They've a reproducer wherein guest does mmio calls to trigger the issue.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 10:29 ` Philippe Mathieu-Daudé
@ 2019-08-08 11:02 ` P J P
0 siblings, 0 replies; 9+ messages in thread
From: P J P @ 2019-08-08 11:02 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Fam Zheng, Paolo Bonzini, Bugs SysSec, QEMU Developers
+-- On Thu, 8 Aug 2019, Philippe Mathieu-Daudé wrote --+
| >From user-mode? As unprivileged user?
No, needs privileges inside guest.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
2019-08-08 10:42 ` Paolo Bonzini
@ 2019-08-08 11:04 ` P J P
0 siblings, 0 replies; 9+ messages in thread
From: P J P @ 2019-08-08 11:04 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Fam Zheng, Bugs SysSec, QEMU Developers
+-- On Thu, 8 Aug 2019, Paolo Bonzini wrote --+
| I suppose this one also blocks the monitor, but then "kill -9" is always
| your friend. :)
True. :)
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2019-08-08 11:04 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-08 6:33 [Qemu-devel] [PATCH] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068) P J P
2019-08-08 8:20 ` Stefano Garzarella
2019-08-08 9:35 ` P J P
2019-08-08 9:11 ` Paolo Bonzini
2019-08-08 9:48 ` P J P
2019-08-08 10:29 ` Philippe Mathieu-Daudé
2019-08-08 11:02 ` P J P
2019-08-08 10:42 ` Paolo Bonzini
2019-08-08 11:04 ` P J P
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).