File CVE-2019-12068-qemut-lsi53c895a-infinite-loop-w... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-12068-qemut-lsi53c895a-infinite-loop-while-executing-script.patch of Package xen (Revision 32c66e2a7e6b1648f2747f3d0ae55290)

Currently displaying revision 32c66e2a7e6b1648f2747f3d0ae55290 , Show latest

References: bsc#1146874 CVE-2019-12068

Subject: scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)
From: Paolo Bonzini pbonzini@redhat.com Wed Aug 14 17:35:21 2019 +0530
Date: Tue Aug 20 20:00:52 2019 +0200:
Git: de594e47659029316bbf9391efb79da0a1a08e08

When executing script in lsi_execute_script(), the LSI scsi adapter
emulator advances 's->dsp' index to read next opcode. This can lead
to an infinite loop if the next opcode is empty. Move the existing
loop exit after 10k iterations so that it covers no-op opcodes as
well.

Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Index: xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
===================================================================
--- xen-4.9.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
+++ xen-4.9.4-testing/tools/qemu-xen-traditional-dir-remote/hw/lsi53c895a.c
@@ -167,6 +167,9 @@ do { fprintf(stderr, "lsi_scsi: error: "
 /* Flag set if this is a tagged command.  */
 #define LSI_TAG_VALID     (1 << 16)
 
+/* Maximum instructions to process. */
+#define LSI_MAX_INSN    10000
+
 typedef struct {
     uint32_t tag;
     uint32_t pending;
@@ -885,7 +888,20 @@ static void lsi_execute_script(LSIState
 
     s->istat1 |= LSI_ISTAT1_SRUN;
 again:
-    insn_processed++;
+    if (++insn_processed > LSI_MAX_INSN) {
+        /* Some windows drivers make the device spin waiting for a memory
+           location to change.  If we have been executed a lot of code then
+           assume this is the case and force an unexpected device disconnect.
+           This is apparently sufficient to beat the drivers into submission.
+         */
+        if (!(s->sien0 & LSI_SIST0_UDC)) {
+            fprintf(stderr, "lsi_scsi: inf. loop with UDC masked\n");
+        }
+        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
+        lsi_disconnect(s);
+        DPRINTF("SCRIPTS execution stopped\n");
+        return;
+    }
     insn = read_dword(s, s->dsp);
     if (!insn) {
         /* If we receive an empty opcode increment the DSP by 4 bytes
@@ -1294,17 +1310,7 @@ again:
             }
         }
     }
-    if (insn_processed > 10000 && !s->waiting) {
-        /* Some windows drivers make the device spin waiting for a memory
-           location to change.  If we have been executed a lot of code then
-           assume this is the case and force an unexpected device disconnect.
-           This is apparently sufficient to beat the drivers into submission.
-         */
-        if (!(s->sien0 & LSI_SIST0_UDC))
-            fprintf(stderr, "inf. loop with UDC masked\n");
-        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
-        lsi_disconnect(s);
-    } else if (s->istat1 & LSI_ISTAT1_SRUN && !s->waiting) {
+    if (s->istat1 & LSI_ISTAT1_SRUN && !s->waiting) {
         if (s->dcntl & LSI_DCNTL_SSM) {
             lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
         } else {
@@ -1609,6 +1615,10 @@ static void lsi_reg_writeb(LSIState *s,
     case 0x2f: /* DSP[24:31] */
         s->dsp &= 0x00ffffff;
         s->dsp |= val << 24;
+        /*
+         * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
+         * instruction.  Is this correct?
+         */
         if ((s->dmode & LSI_DMODE_MAN) == 0
             && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
             lsi_execute_script(s);
@@ -1627,6 +1637,10 @@ static void lsi_reg_writeb(LSIState *s,
         break;
     case 0x3b: /* DCNTL */
         s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
+        /*
+         * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
+         * instruction.  Is this correct?
+         */
         if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
             lsi_execute_script(s);
         break;

Places

File CVE-2019-12068-qemut-lsi53c895a-infinite-loop-while-executing-script.patch of Package xen (Revision 32c66e2a7e6b1648f2747f3d0ae55290)

Places