- hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
- hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
- net: Update MemReentrancyGuard for NIC
- net: Provide MemReentrancyGuard * to qemu_new_nic()
- memory: prevent dma-reentracy issues
- softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR
- Fixed the early version of CVE-2022-4144 patch is not fully adapted

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
73 lines
2.8 KiB
Diff
From 08596c615608b03cd115b6d55ce76b4866e3adda Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Mon, 22 May 2023 11:10:11 +0200
Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
controller (CVE-2023-0330)
We cannot use the generic reentrancy guard in the LSI code, so
we have to manually prevent endless reentrancy here. The problematic
lsi_execute_script() function has already a way to detect whether
too many instructions have been executed - we just have to slightly
change the logic here that it also takes into account if the function
has been called too often in a reentrant way.
The code in fuzz-lsi53c895a-test.c has been taken from an earlier
patch by Mauro Matteo Cascella.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/scsi/lsi53c895a.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 88bccf2b4c..299e021fa1 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1133,15 +1133,24 @@ static void lsi_execute_script(LSIState *s)
uint32_t addr, addr_high;
int opcode;
int insn_processed = 0;
+ static int reentrancy_level;
+
+ reentrancy_level++;
s->istat1 |= LSI_ISTAT1_SRUN;
again:
- if (++insn_processed > LSI_MAX_INSN) {
- /* Some windows drivers make the device spin waiting for a memory
- location to change. If we have been executed a lot of code then
- assume this is the case and force an unexpected device disconnect.
- This is apparently sufficient to beat the drivers into submission.
- */
+ /*
+ * Some windows drivers make the device spin waiting for a memory location
+ * to change. If we have executed more than LSI_MAX_INSN instructions then
+ * assume this is the case and force an unexpected device disconnect. This
+ * is apparently sufficient to beat the drivers into submission.
+ *
+ * Another issue (CVE-2023-0330) can occur if the script is programmed to
+ * trigger itself again and again. Avoid this problem by stopping after
+ * being called multiple times in a reentrant way (8 is an arbitrary value
+ * which should be enough for all valid use cases).
+ */
+ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
if (!(s->sien0 & LSI_SIST0_UDC)) {
qemu_log_mask(LOG_GUEST_ERROR,
"lsi_scsi: inf. loop with UDC masked");
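Review bot: "static int reentrancy_level" at the top of lsi_execute_script() is a function-local static, so a single counter is shared by every LSI controller instance in the VM instead of tracking each LSIState on its own; nested script execution that crosses from one controller into another is counted against the same limit, and the check can trip for the wrong device. Consider making it a per-device field in LSIState (for example s->reentrancy_level, a hypothetical name) and giving the threshold a named constant next to LSI_MAX_INSN rather than the bare 8 in "reentrancy_level > 8", so the justification in the comment lives with the value it explains.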
@@ -1595,6 +1604,8 @@ again:
}
}
trace_lsi_execute_script_stop();
+
+ reentrancy_level--;
}
static uint8_t lsi_reg_readb(LSIState *s, int offset)
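Review bot: the decrement "reentrancy_level--" is placed only on the path that reaches trace_lsi_execute_script_stop(); any return between the increment at the function entry and this point leaves the static counter permanently raised, and after enough such exits every later call hits "reentrancy_level > 8" and the controller disconnects on every script it runs. Either route all exits through one label that performs the decrement, or audit each early return in the body of lsi_execute_script() (not visible in this hunk). The changelog at the top of this page lists a follow-up "add missing decrement of reentrancy counter", which indicates at least one such exit path was missed here.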
--
2.27.0