From qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Wed Jan 11 03:51:20 2012 Return-Path: Received: from citysiren.linuxtx.org (localhost [127.0.0.1]) by citysiren.linuxtx.org (8.14.4/8.14.4) with ESMTP id q0B9pIjw017454 for ; Wed, 11 Jan 2012 03:51:20 -0600 Delivered-To: jmforbes@linuxtx.org Received: from gmail-pop.l.google.com [74.125.81.108] by citysiren.linuxtx.org with POP3 (fetchmail-6.3.20) for (single-drop); Wed, 11 Jan 2012 03:51:20 -0600 (CST) Received: by 10.180.102.100 with SMTP id fn4cs34060wib; Wed, 11 Jan 2012 01:48:56 -0800 (PST) Received: by 10.224.182.2 with SMTP id ca2mr28967033qab.57.1326275334564; Wed, 11 Jan 2012 01:48:54 -0800 (PST) Received: from lists.gnu.org (lists.gnu.org. [140.186.70.17]) by mx.google.com with ESMTPS id gc3si782557qab.44.2012.01.11.01.48.54 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 11 Jan 2012 01:48:54 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) client-ip=140.186.70.17; Authentication-Results: mx.google.com; spf=pass (google.com: domain of qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org designates 140.186.70.17 as permitted sender) smtp.mail=qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Received: from localhost ([::1]:48473 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Rkund-0003iT-UQ for jmforbes@linuxtx.org; Wed, 11 Jan 2012 04:48:53 -0500 Received: from eggs.gnu.org ([140.186.70.92]:40037) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RkunV-0003fY-Vl for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:53 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RkunQ-0004zL-Nl for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:45 -0500 Received: from mx1.redhat.com ([209.132.183.28]:23781) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RkunQ-0004vY-3c for qemu-stable@nongnu.org; Wed, 11 Jan 2012 04:48:40 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9mcYI005348 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 11 Jan 2012 04:48:38 -0500 Received: from yakj.usersys.redhat.com (ovpn-112-23.ams2.redhat.com [10.36.112.23]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q0B9magG031084 for ; Wed, 11 Jan 2012 04:48:37 -0500 From: Paolo Bonzini To: qemu-stable@nongnu.org Date: Wed, 11 Jan 2012 10:48:33 +0100 Message-Id: <1326275313-15635-1-git-send-email-pbonzini@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 209.132.183.28 Subject: [Qemu-stable] [PATCH] virtio-blk: refuse SG_IO requests with scsi=off X-BeenThere: qemu-stable@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org Sender: qemu-stable-bounces+jmforbes=linuxtx.org@nongnu.org X-UID: 32 Status: RO Content-Length: 1003 Lines: 38 QEMU does have a "scsi" option (to be used like -device virtio-blk-pci,drive=foo,scsi=off). However, it only masks the feature bit, and does not reject the command if a malicious guest disregards the feature bits and issues a request. Without this patch, using scsi=off does not protect you from CVE-2011-4127. Signed-off-by: Paolo Bonzini --- hw/virtio-blk.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c index b70d116..6cd3164 100644 --- a/hw/virtio-blk.c +++ b/hw/virtio-blk.c @@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) int status; int i; + if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) { + virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP); + g_free(req); + return; + } + /* * We require at least one output segment each for the virtio_blk_outhdr * and the SCSI command block. -- 1.7.7.1