qemu/esp-restrict-non-DMA-transfer-length-to-that-of-avai.patch

From 67f1bc4fc4d1864a55f6c626967defe5467f5134 Mon Sep 17 00:00:00 2001
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: Wed, 13 Sep 2023 21:44:09 +0100
Subject: [PATCH] esp: restrict non-DMA transfer length to that of available
 data (CVE-2024-24474)

In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.

Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/esp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index f38231f8cd..435a81bbfd 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -754,7 +754,8 @@ static void esp_do_nodma(ESPState *s)
     }
 
     if (to_device) {
-        len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ);
+        len = MIN(s->async_len, ESP_FIFO_SZ);
+        len = MIN(len, fifo8_num_used(&s->fifo));
         esp_fifo_pop_buf(&s->fifo, s->async_buf, len);
         s->async_buf += len;
         s->async_len -= len;
-- 
2.27.0
QEMU update to version 6.2.0-89 - qga-win: Fix guest-get-fsinfo multi-disks collection - hw/timer: fix systick trace message - virtio-net: correctly copy vnet header when flushing TX (CVE-2023-6693) - ui/clipboard: mark type as not available when there is no data (CVE-2023-6683) - esp: restrict non-DMA transfer length to that of available data (CVE-2024-24474) - hw/scsi/lsi53c895a: add missing decrement of reentrancy counter - hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) - net: Update MemReentrancyGuard for NIC (CVE-2023-3019) - net: Provide MemReentrancyGuard * to qemu_new_nic() Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> 2024-03-09 14:37:51 +08:00			`From 67f1bc4fc4d1864a55f6c626967defe5467f5134 Mon Sep 17 00:00:00 2001`
			`From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>`
			`Date: Wed, 13 Sep 2023 21:44:09 +0100`
			`Subject: [PATCH] esp: restrict non-DMA transfer length to that of available`
			`data (CVE-2024-24474)`

			`In the case where a SCSI layer transfer is incorrectly terminated, it is`
			`possible for a TI command to cause a SCSI buffer overflow due to the`
			`expected transfer data length being less than the available data in the`
			`FIFO. When this occurs the unsigned async_len variable underflows and`
			`becomes a large offset which writes past the end of the allocated SCSI`
			`buffer.`

			`Restrict the non-DMA transfer length to be the smallest of the expected`
			`transfer length and the available FIFO data to ensure that it is no longer`
			`possible for the SCSI buffer overflow to occur.`

			`Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>`
			`Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810`
			`Reviewed-by: Thomas Huth <thuth@redhat.com>`
			`Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>`
			`Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>`
			`---`
			`hw/scsi/esp.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c`
			`index f38231f8cd..435a81bbfd 100644`
			`--- a/hw/scsi/esp.c`
			`+++ b/hw/scsi/esp.c`
			`@@ -754,7 +754,8 @@ static void esp_do_nodma(ESPState *s)`
			`}`

			`if (to_device) {`
			`- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ);`
			`+ len = MIN(s->async_len, ESP_FIFO_SZ);`
			`+ len = MIN(len, fifo8_num_used(&s->fifo));`
			`esp_fifo_pop_buf(&s->fifo, s->async_buf, len);`
			`s->async_buf += len;`
			`s->async_len -= len;`
			`--`
			`2.27.0`