Message ID | 1324651143-5247-1-git-send-email-pbonzini@redhat.com
---|---
State | New
On Fri, Dec 23, 2011 at 03:39:03PM +0100, Paolo Bonzini wrote:
> QEMU does have a "scsi" option (to be used like -device
> virtio-blk-pci,drive=foo,scsi=off). However, it only
> masks the feature bit, and does not reject the command
> if a malicious guest disregards the feature bits and
> issues a request.
>
> Without this patch, using scsi=off does not protect you
> from CVE-2011-4127.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> hw/virtio-blk.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)

I checked that guest_features cannot have SCSI enabled when the host wishes to prohibit SCSI.

Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
On 12/23/2011 03:39 PM, Paolo Bonzini wrote: > QEMU does have a "scsi" option (to be used like -device > virtio-blk-pci,drive=foo,scsi=off). However, it only > masks the feature bit, and does not reject the command > if a malicious guest disregards the feature bits and > issues a request. > > Without this patch, using scsi=off does not protect you > from CVE-2011-4127. > > Signed-off-by: Paolo Bonzini<pbonzini@redhat.com> > --- > hw/virtio-blk.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c > index b70d116..6cd3164 100644 > --- a/hw/virtio-blk.c > +++ b/hw/virtio-blk.c > @@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) > int status; > int i; > > + if ((req->dev->vdev.guest_features& (1<< VIRTIO_BLK_F_SCSI)) == 0) { > + virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); > + g_free(req); > + return; > + } > + > /* > * We require at least one output segment each for the virtio_blk_outhdr > * and the SCSI command block. Ping. Paolo
On 01/05/2012 11:05 AM, Paolo Bonzini wrote: > On 12/23/2011 03:39 PM, Paolo Bonzini wrote: >> QEMU does have a "scsi" option (to be used like -device >> virtio-blk-pci,drive=foo,scsi=off). However, it only >> masks the feature bit, and does not reject the command >> if a malicious guest disregards the feature bits and >> issues a request. >> >> Without this patch, using scsi=off does not protect you >> from CVE-2011-4127. >> >> Signed-off-by: Paolo Bonzini<pbonzini@redhat.com> >> --- >> hw/virtio-blk.c | 6 ++++++ >> 1 files changed, 6 insertions(+), 0 deletions(-) >> >> diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c >> index b70d116..6cd3164 100644 >> --- a/hw/virtio-blk.c >> +++ b/hw/virtio-blk.c >> @@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq >> *req) >> int status; >> int i; >> >> + if ((req->dev->vdev.guest_features& (1<< VIRTIO_BLK_F_SCSI)) == 0) { >> + virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); >> + g_free(req); >> + return; >> + } >> + >> /* >> * We require at least one output segment each for the virtio_blk_outhdr >> * and the SCSI command block. > > Ping. Ping^2 Paolo
On 12/23/2011 08:39 AM, Paolo Bonzini wrote: > QEMU does have a "scsi" option (to be used like -device > virtio-blk-pci,drive=foo,scsi=off). However, it only > masks the feature bit, and does not reject the command > if a malicious guest disregards the feature bits and > issues a request. > > Without this patch, using scsi=off does not protect you > from CVE-2011-4127. > > Signed-off-by: Paolo Bonzini<pbonzini@redhat.com> Applied. Thanks. Regards, Anthony Liguori > --- > hw/virtio-blk.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c > index b70d116..6cd3164 100644 > --- a/hw/virtio-blk.c > +++ b/hw/virtio-blk.c > @@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) > int status; > int i; > > + if ((req->dev->vdev.guest_features& (1<< VIRTIO_BLK_F_SCSI)) == 0) { > + virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); > + g_free(req); > + return; > + } > + > /* > * We require at least one output segment each for the virtio_blk_outhdr > * and the SCSI command block.
diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c index b70d116..6cd3164 100644 --- a/hw/virtio-blk.c +++ b/hw/virtio-blk.c @@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) int status; int i; + if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) { + virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); + g_free(req); + return; + } + /* * We require at least one output segment each for the virtio_blk_outhdr * and the SCSI command block.
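Review bot: the new early return at the top of virtio_blk_handle_scsi() carries no comment saying why a feature-bit check is needed on the request path when the host already masks the bit in the offered features; since the rationale (a guest may ignore the negotiated feature bits) lives only in the commit message, a one-line comment above the `if` such as `/* A guest may disregard feature negotiation; refuse SCSI requests when the host disabled the feature. */` would keep it with the code. It is also worth confirming that the `virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); g_free(req); return;` sequence mirrors the function's other error exits, since the hunk's context does not show them and a mismatch would mean a leaked or double-freed request.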
QEMU does have a "scsi" option (to be used like -device virtio-blk-pci,drive=foo,scsi=off). However, it only masks the feature bit, and does not reject the command if a malicious guest disregards the feature bits and issues a request.

Without this patch, using scsi=off does not protect you from CVE-2011-4127.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/virtio-blk.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
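A small C model of the point the commit message makes, added here as an illustration and not QEMU's code: feature negotiation only masks bits, so a guest that ignores the negotiated set can still submit a SCSI request, and only a check in the request handler rejects it. The `blk_dev` struct, `blk_negotiate()` and `blk_handle_request()` are constructed for this example; the `VIRTIO_BLK_*` values are the ones defined by the virtio-blk specification.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the virtio-blk specification. */
#define VIRTIO_BLK_F_SCSI      7   /* feature bit: SCSI command passthrough */
#define VIRTIO_BLK_T_IN        0   /* request types */
#define VIRTIO_BLK_T_OUT       1
#define VIRTIO_BLK_T_SCSI_CMD  2
#define VIRTIO_BLK_S_OK        0   /* completion status codes */
#define VIRTIO_BLK_S_IOERR     1
#define VIRTIO_BLK_S_UNSUPP    2

/* Toy device state, constructed for this example (not QEMU's VirtIOBlock). */
typedef struct {
    uint32_t host_features;   /* what the host offers; scsi=off clears bit 7 */
    uint32_t guest_features;  /* what the guest acknowledged after negotiation */
} blk_dev;

/* Feature negotiation: the guest can only keep bits the host offered. */
void blk_negotiate(blk_dev *dev, uint32_t guest_ack)
{
    dev->guest_features = guest_ack & dev->host_features;
}

/* Request path. The SCSI branch enforces the negotiated feature, which is
   the check the patch adds to virtio_blk_handle_scsi(); without it, masking
   the bit in host_features alone would not stop the request. */
int blk_handle_request(const blk_dev *dev, uint32_t type)
{
    switch (type) {
    case VIRTIO_BLK_T_IN:
    case VIRTIO_BLK_T_OUT:
        return VIRTIO_BLK_S_OK;           /* plain block I/O is always allowed */
    case VIRTIO_BLK_T_SCSI_CMD:
        if ((dev->guest_features & (1u << VIRTIO_BLK_F_SCSI)) == 0) {
            return VIRTIO_BLK_S_UNSUPP;   /* feature not negotiated: refuse */
        }
        return VIRTIO_BLK_S_OK;           /* here the CDB would go to the backend */
    default:
        return VIRTIO_BLK_S_UNSUPP;       /* unknown request type */
    }
}

int main(void)
{
    blk_dev dev = { .host_features = 0 /* scsi=off */, .guest_features = 0 };
    blk_negotiate(&dev, 1u << VIRTIO_BLK_F_SCSI);   /* guest asks for SCSI anyway */
    printf("SCSI request with scsi=off -> status %d\n",
           blk_handle_request(&dev, VIRTIO_BLK_T_SCSI_CMD));
    return 0;
}
```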