9803c6ed12
- hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs(CVE-2024-3446) - hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs(CVE-2024-3446) - hw/display/virtio-gpu: Protect from DMA re-entrancy bugs(CVE-2024-3446) - hw/virtio: Introduce virtio_bh_new_guarded() helper - hw: replace most qemu_bh_new calls with qemu_bh_new_guarded - checkpatch: add qemu_bh_new/aio_bh_new checks - async: avoid use-after-free on re-entrancy guard - async: Add an optional reentrancy guard to the BH API - hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set(CVE-2024-3447) - rtl8139: Remove unused variable - tulip: Remove unused variable - virtio-mem: Fix the bitmap index of the section offset - virtio-mem: Fix the iterator variable in a vmem->rdl_list loop - system/memory: use ldn_he_p/stn_he_p - block: Fix crash when loading snapshot on inactive node - smmu: Clear SMMUPciBus pointer cache when system reset - block/mirror: Fix NULL s->job in active writes - amd_iommu: Fix APIC address check - virtio-crypto: fix NULL pointer dereference in virtio_crypto_free_reques - libqos/virtio.c: Correct 'flags' reading in qvirtqueue_kick cherry-pick from 66e411885a23c96ff73742d06b793fec3ceaebb7 - ivshmem-test.c: enable test_ivshmem_server for ppc64 arch - ivshmem.c: change endianness to LITTLE_ENDIAN - hw/ppc/mac.h: Remove MAX_CPUS macro - configure: remove dead variables - virtio-gpu: do not byteswap padding - hw/intc: clean-up error reporting for failed ITS cmd - qemu-iotests: Discard stderr when probing devices - linux-user: un-parent OBJECT(cpu) when closing thread - hw/net/rocker: Avoid undefined shifts with more than 31 ports - contrib/vhost-user-blk: Clean up deallocation of VuVirtqElement - scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit bf54b48c2963c869dfdc89977c57be4bd9e772aa)
60 lines
2.4 KiB
Diff
60 lines
2.4 KiB
Diff
From 53b627a98b78ac06e7cba29c3614464469e7c11f Mon Sep 17 00:00:00 2001
|
|
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
|
|
Date: Mon, 25 Mar 2024 08:14:12 +0000
|
|
Subject: [PATCH] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE
|
|
mainline inclusion
|
|
commit 54a53a006ed9c1fe027fd89045d6de1e9128d7f4
|
|
category: bugfix
|
|
|
|
---------------------------------------------------------------
|
|
|
|
In scsi_disk_emulate_write_same() the number of host sectors to transfer is
|
|
calculated as (s->qdev.blocksize / BDRV_SECTOR_SIZE) which is then used to
|
|
copy data in block size chunks to the iov buffer.
|
|
|
|
Since the loop copying the data to the iov buffer uses a fixed increment of
|
|
s->qdev.blocksize then using a block size that isn't a multiple of
|
|
BDRV_SECTOR_SIZE introduces a rounding error in the iov buffer size calculation
|
|
such that the iov buffer copy overflows the space allocated.
|
|
|
|
Update the iov buffer copy for() loop so that it will use the smallest of either
|
|
the current block size or the remaining transfer count to prevent the overflow.
|
|
|
|
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
|
|
Message-Id: <20220730122656.253448-2-mark.cave-ayland@ilande.co.uk>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
|
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
|
|
---
|
|
hw/scsi/scsi-disk.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
|
|
index a66d2b0a98..edd2f895e7 100644
|
|
--- a/hw/scsi/scsi-disk.c
|
|
+++ b/hw/scsi/scsi-disk.c
|
|
@@ -1800,7 +1800,7 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
|
|
uint32_t nb_sectors = scsi_data_cdb_xfer(r->req.cmd.buf);
|
|
WriteSameCBData *data;
|
|
uint8_t *buf;
|
|
- int i;
|
|
+ int i, l;
|
|
|
|
/* Fail if PBDATA=1 or LBDATA=1 or ANCHOR=1. */
|
|
if (nb_sectors == 0 || (req->cmd.buf[1] & 0x16)) {
|
|
@@ -1842,8 +1842,9 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
|
|
data->iov.iov_len);
|
|
qemu_iovec_init_external(&data->qiov, &data->iov, 1);
|
|
|
|
- for (i = 0; i < data->iov.iov_len; i += s->qdev.blocksize) {
|
|
- memcpy(&buf[i], inbuf, s->qdev.blocksize);
|
|
+ for (i = 0; i < data->iov.iov_len; i += l) {
|
|
+ l = MIN(s->qdev.blocksize, data->iov.iov_len - i);
|
|
+ memcpy(&buf[i], inbuf, l);
|
|
}
|
|
|
|
scsi_req_ref(&r->req);
|
|
--
|
|
2.27.0
|
|
|