lsi53c895a: check message length value is valid

While writing a message in 'lsi_do_msgin', message length value in 'msg_len' could be invalid due to an invalid migration stream. Add an assertion to avoid an out of bounds access, and reject the incoming migration data if it contains an invalid message length. Discovered by Deja vu Security. Reported by Oracle. Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-Id: <20181026194314.18663-1-ppandit@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit e58ccf0396) *CVE-2018-18849 *avoid context dep. on c921370b22 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2018-10-27 01:13:14 +05:30 · 2018-10-27 01:13:14 +05:30 · bd6dd4eaa6
parent f43a6b314a
commit bd6dd4eaa6
1 changed files with 17 additions and 2 deletions
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)

 static void lsi_do_msgin(LSIState *s)
 {
-    int len;
+    uint8_t len;
    DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
    s->sfbr = s->msg[0];
    len = s->msg_len;
+    assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
    if (len > s->dbc)
        len = s->dbc;
    pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
        break;
    case 0x58: /* SBDL */
        /* Some drivers peek at the data bus during the MSG IN phase.  */
-        if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
+        if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
+            assert(s->msg_len > 0);
            return s->msg[0];
+        }
        ret = 0;
        break;
    case 0x59: /* SBDL high */
@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
    return 0;
 }

+static int lsi_post_load(void *opaque, int version_id)
+{
+    LSIState *s = opaque;
+
+    if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
+        return -EINVAL;
+    }
+
+    return 0;
+}
+
 static const VMStateDescription vmstate_lsi_scsi = {
    .name = "lsiscsi",
    .version_id = 0,
    .minimum_version_id = 0,
    .pre_save = lsi_pre_save,
+    .post_load = lsi_post_load,
    .fields = (VMStateField[]) {
        VMSTATE_PCI_DEVICE(parent_obj, LSIState),