From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Prasad J Pandit
Date: Tue, 30 Oct 2018 20:50:11 +0100
Message-Id: <1540929011-19894-11-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1540929011-19894-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 10/10] lsi53c895a: check message length value is valid

From: Prasad J Pandit

While writing a message in 'lsi_do_msgin', the message length value in 'msg_len' could be invalid due to an invalid migration stream. Add an assertion to avoid an out-of-bounds access, and reject the incoming migration data if it contains an invalid message length.

Discovered by Deja vu Security. Reported by Oracle.

Signed-off-by: Prasad J Pandit
Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini

--- hw/scsi/lsi53c895a.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index d1e6534..3f207f6 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -861,10 +861,11 @@ static void lsi_do_status(LSIState *s) =20 static void lsi_do_msgin(LSIState *s) { - int len; + uint8_t len; trace_lsi_do_msgin(s->dbc, s->msg_len); s->sfbr =3D s->msg[0]; len =3D s->msg_len; + assert(len > 0 && len <=3D LSI_MAX_MSGIN_LEN); if (len > s->dbc) len =3D s->dbc; pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
@@ -1705,8 +1706,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset) break; case 0x58: /* SBDL */ /* Some drivers peek at the data bus during the MSG IN phase. */ - if ((s->sstat1 & PHASE_MASK) =3D=3D PHASE_MI) + if ((s->sstat1 & PHASE_MASK) =3D=3D PHASE_MI) { + assert(s->msg_len > 0); return s->msg[0]; + } ret =3D 0; break; case 0x59: /* SBDL high */ @@ -2103,11 +2106,23 @@ static int lsi_pre_save(void *opaque) return 0; } =20 +static int lsi_post_load(void *opaque, int version_id) +{ + LSIState *s =3D opaque; + + if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { + return -EINVAL; + } + + return 0; +} + static const VMStateDescription vmstate_lsi_scsi =3D { .name =3D "lsiscsi", .version_id =3D 0, .minimum_version_id =3D 0, .pre_save =3D lsi_pre_save, + .post_load =3D lsi_post_load, .fields =3D (VMStateField[]) { VMSTATE_PCI_DEVICE(parent_obj, LSIState), =20 --=20 1.8.3.1
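Review bot: in the lsi_do_msgin hunk the new assert runs on `len` only after `uint8_t len = s->msg_len;` has already narrowed the value, so it checks the low byte of msg_len rather than msg_len itself (msg_len appears to be a wider signed field, since lsi_post_load tests it for `< 0`): a msg_len of 256 becomes 0 and trips the assert, while 257 becomes 1 and passes, and the subsequent pci_dma_write then uses a length that does not match the stored state. Check the full-width value before the assignment, e.g. `assert(s->msg_len > 0 && s->msg_len <= LSI_MAX_MSGIN_LEN);` ahead of `len = s->msg_len;`, or keep `int len` so the assert and the DMA length see the same value.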
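Review bot: in the SBDL hunk `assert(s->msg_len > 0)` is placed in lsi_reg_readb, a register read the guest can issue at will; if the guest can observe the MSG IN phase while msg_len is 0, this aborts the whole QEMU process, trading a stale read of msg[0] for a guest-triggerable abort. The patch's own lsi_post_load accepts msg_len == 0, so a migrated state with sstat1 in PHASE_MI and msg_len == 0 passes the load check and hits this assert on the first SBDL read. Either have lsi_post_load require msg_len > 0 whenever the phase is MSG IN, or fall through to `ret = 0;` here instead of asserting.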
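Review bot: in the lsi_post_load hunk the accepted range `0 <= msg_len <= LSI_MAX_MSGIN_LEN` is wider than what both new asserts require (`msg_len > 0`), so a stream the loader accepts can still abort the device model later; align the two by rejecting the combination the consumers cannot handle, or by making the consumers tolerate 0. A one-line comment stating the invariant being enforced (msg_len counts bytes present in msg[], at most LSI_MAX_MSGIN_LEN) would also help the next reader see why this is the only bound, since the VMState field itself carries none.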
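An added example, not QEMU code and not part of this patch, that models the two checks the patch introduces in plain C so the edge cases can be exercised offline: the post_load range test on the migrated msg_len, and the difference between asserting on the value after it has been narrowed to uint8_t (the patch's ordering in lsi_do_msgin) and checking the full-width field first. It assumes LSI_MAX_MSGIN_LEN is 8 (the patch uses the macro but does not show its value), and the ExampleState type, the example_* function names and the sample message bytes are all constructed for this example.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; the patch references the macro but does
 * not show its definition. */
#define LSI_MAX_MSGIN_LEN 8

/* Reduced model of the fields the patch touches (hypothetical type, not
 * QEMU's LSIState). msg_len is signed: lsi_post_load tests it for < 0. */
typedef struct {
    int msg_len;
    uint8_t msg[LSI_MAX_MSGIN_LEN];
    int32_t dbc;      /* bytes the current DMA transfer still allows */
} ExampleState;

/* Same range test as the patch's lsi_post_load: accept [0, MAX]. */
int example_post_load(const ExampleState *s)
{
    if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
        return -EINVAL;
    }
    return 0;
}

/* The patch's ordering in lsi_do_msgin: narrow to uint8_t first, then check.
 * Returns the length that would reach pci_dma_write, or -1 where the
 * patch's assert() would fire. */
int example_len_after_narrowing(const ExampleState *s)
{
    uint8_t len = (uint8_t)s->msg_len;   /* 256 -> 0, 257 -> 1 */
    if (!(len > 0 && len <= LSI_MAX_MSGIN_LEN)) {
        return -1;
    }
    if (len > s->dbc) {
        len = (uint8_t)s->dbc;
    }
    return len;
}

/* Alternative ordering: check the full-width msg_len before narrowing. */
int example_len_checked_first(const ExampleState *s)
{
    if (s->msg_len <= 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
        return -1;
    }
    int len = s->msg_len;
    if (len > s->dbc) {
        len = s->dbc;
    }
    return len;
}

/* Bounded stand-in for pci_dma_write(): copies the message into dst.
 * Returns bytes copied, or -1 if the state is invalid or dst is too small. */
int example_do_msgin(const ExampleState *s, uint8_t *dst, size_t dst_size)
{
    int len = example_len_checked_first(s);
    if (len < 0 || (size_t)len > dst_size) {
        return -1;
    }
    memcpy(dst, s->msg, (size_t)len);
    return len;
}

/* Constructed message {1,2,3,4} migrated in with msg_len 4 and dbc 100;
 * returns bytes delivered, or -1 if the content did not round-trip. */
int example_roundtrip(void)
{
    ExampleState s = { .msg_len = 4, .msg = {1, 2, 3, 4}, .dbc = 100 };
    uint8_t dst[LSI_MAX_MSGIN_LEN] = {0};
    if (example_post_load(&s) != 0) {
        return -1;
    }
    int n = example_do_msgin(&s, dst, sizeof dst);
    if (n != 4 || memcmp(dst, s.msg, 4) != 0) {
        return -1;
    }
    return n;
}

int main(void)
{
    /* msg_len 257 is rejected by post_load, but if it ever reached
     * lsi_do_msgin the narrowed check would let it through as 1. */
    ExampleState bad = { .msg_len = 257, .dbc = 100 };
    printf("post_load(257)       = %d\n", example_post_load(&bad));
    printf("after narrowing      = %d\n", example_len_after_narrowing(&bad));
    printf("checked first        = %d\n", example_len_checked_first(&bad));
    printf("roundtrip            = %d\n", example_roundtrip());
    return 0;
}
```

The point of the two length functions is the ordering, not the bound itself: once post_load rejects anything outside [0, LSI_MAX_MSGIN_LEN], the remaining risk is a check that looks at a copy of the field rather than the field, which is what the uint8_t narrowing does.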