From: Paolo Bonzini
To: qemu-devel@nongnu.org
Date: Mon, 4 Feb 2019 19:35:45 +0100
Message-Id: <1549305379-51117-44-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1549305379-51117-1-git-send-email-pbonzini@redhat.com>
References: <1549305379-51117-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 43/77] scsi-generic: avoid possible out-of-bounds access to r->buf

Whenever the allocation length of a SCSI request is shorter than the size of
the VPD page list, page_idx is used blindly to index into r->buf. Even though
the stores in the insertion sort are protected against overflows, the same is
not true of the reads and the final store of 0xb0.

This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest. Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based on the
allocation length.

The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD page
list sorted", 2018-11-06) but the overflow was already possible before.

Reported-by: Kevin Wolf
Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5
Signed-off-by: Paolo Bonzini
---
 hw/scsi/scsi-generic.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c index 7237b41..42700e8 100644 --- a/hw/scsi/scsi-generic.c +++ b/hw/scsi/scsi-generic.c @@ -182,7 +182,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r= , SCSIDevice *s) /* Also take care of the opt xfer len. */ stl_be_p(&r->buf[12], MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12]))); - } else if (s->needs_vpd_bl_emulation && page =3D=3D 0x00) { + } else if (s->needs_vpd_bl_emulation && page =3D=3D 0x00 && r->buf= len >=3D 4) { /* * Now we're capable of supplying the VPD Block Limits * response if the hardware can't. Add it in the INQUIRY @@ -193,18 +193,20 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq = *r, SCSIDevice *s) * and will use it to proper setup the SCSI device. * * VPD page numbers must be sorted, so insert 0xb0 at the - * right place with an in-place insert. After the initializat= ion - * part of the for loop is executed, the device response is - * at r[0] to r[page_idx - 1]. + * right place with an in-place insert. When the while loop + * begins the device response is at r[0] to r[page_idx - 1]. */ - for (page_idx =3D lduw_be_p(r->buf + 2) + 4; - page_idx > 4 && r->buf[page_idx - 1] >=3D 0xb0; - page_idx--) { + page_idx =3D lduw_be_p(r->buf + 2) + 4; + page_idx =3D MIN(page_idx, r->buflen); + while (page_idx > 4 && r->buf[page_idx - 1] >=3D 0xb0) { if (page_idx < r->buflen) { r->buf[page_idx] =3D r->buf[page_idx - 1]; } + page_idx--; + } + if (page_idx < r->buflen) { + r->buf[page_idx] =3D 0xb0; } - r->buf[page_idx] =3D 0xb0; stw_be_p(r->buf + 2, lduw_be_p(r->buf + 2) + 1); } } --=20 1.8.3.1
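Review bot: in the first hunk (@@ -182,7), the new `r->buflen >= 4` condition on the `else if` is what makes the `lduw_be_p(r->buf + 2)` read of the PAGE LENGTH field in the sort below safe, since that field occupies bytes 2-3 of the 4-byte VPD header; the literal `4` deserves a comment saying so, because nothing in the hunk ties it to the header size. With exactly four bytes available the page list is empty and the only effect of the emulation branch is the PAGE LENGTH increment, which the commit message says is the intended behaviour, and that is worth stating in the comment block that follows so the empty-list case is visibly deliberate.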
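Review bot: in the second hunk (@@ -193,18), the clamp `page_idx = MIN(page_idx, r->buflen);` bounds every `r->buf[page_idx - 1]` read, so the in-loop `if (page_idx < r->buflen)` can now only be false on the first iteration (when the clamp actually hit); a one-line comment there would save the next reader from wondering whether that check is dead. Separately, `stw_be_p(r->buf + 2, lduw_be_p(r->buf + 2) + 1);` still increments PAGE LENGTH even when the guarded `r->buf[page_idx] = 0xb0;` store was skipped, so the header can advertise one more page than the buffer holds; the commit message gives the SCSI-standard rationale for that asymmetry, and it belongs in the code comment so it is not "fixed" later.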