From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Date: Fri, 6 Oct 2023 13:01:48 +0200
Message-Id: <20231006110148.154914-10-f.ebner@proxmox.com>
In-Reply-To: <20231006110148.154914-1-f.ebner@proxmox.com>
References: <20231006110148.154914-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH v2 qemu 9/9] add stable fix to avoid crash in SCSI when guest uses too small blocksize
List-Id: Proxmox VE development discussion

Signed-off-by: Fiona Ebner
---
New in v2.

 ...k-Disallow-block-sizes-smaller-than-.patch | 43 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch

diff --git a/debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch b/debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
new file mode 100644
index 0000000..9d05c66
--- /dev/null
+++ b/debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
@@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Mon, 25 Sep 2023 11:18:54 +0200 +Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512 + [CVE-2023-42467] + +We are doing things like + + nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); + +in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if +the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes +with a division by 0 exception. Thus disallow block sizes of 256 +bytes to avoid this situation. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 +CVE: 2023-42467 +Signed-off-by: Thomas Huth +Message-ID: <20230925091854.49198-1-thuth@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry-picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c) +Signed-off-by: Fiona Ebner +--- + hw/scsi/scsi-disk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e0d79c7966..477ee2bcd4 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + * Since the existing code only checks/updates bits 8-15 of the block + * size, restrict ourselves to the same requirement for now to ensure + * that a block size set by a block descriptor and then read back by +- * a subsequent SCSI command will be the same ++ * a subsequent SCSI command will be the same. Also disallow a block ++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. + */ +- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) { + s->qdev.blocksize = bs; + trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + } diff --git a/debian/patches/series b/debian/patches/series index 71f7e01..a661a9e 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -9,6 +9,7 @@ extra/0008-file-posix-Clear-bs-bl.zoned-on-error.patch extra/0009-file-posix-Check-bs-bl.zoned-for-zone-info.patch extra/0010-file-posix-Fix-zone-update-in-I-O-error-path.patch extra/0011-file-posix-Simplify-raw_co_prw-s-out-zone-code.patch +extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch -- 2.39.2
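Review bot: in the scsi_disk_emulate_mode_select() hunk of the backported patch, the mask change from `!(bs & ~0xff00)` to `!(bs & ~0xfe00)` does more than the comment and commit message say. Clearing bit 8 in addition to bits 0-7 means the only accepted non-zero values are those with bits set in 9-15 only, i.e. exactly the multiples of 512 from 512 up to 0xfe00, so `s->qdev.blocksize / BDRV_SECTOR_SIZE` can never be zero afterwards; that is the property that actually prevents the division-by-zero crash described for CVE-2023-42467. Suggest extending the added comment ("Also disallow a block size of 256 ...") to state the "non-zero multiple of BDRV_SECTOR_SIZE" guarantee explicitly, so a later relaxation of the mask (for example to permit 256 again) is caught in review rather than reintroducing the crash.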