Overview

File CVE-2017-5856-qemuu-scsi-megasas-host-memory-leakage-in-megasas_handle_dcmd.patch of Package xen.11298

References: bsc#1024186 CVE-2017-5856

Subject: megasas: fix guest-triggered memory leak
From: Paolo Bonzini pbonzini@redhat.com Mon Jan 2 11:03:33 2017 +0100
Date: Mon Jan 16 17:52:34 2017 +0100:
Git: 765a707000e838c30b18d712fe6cb3dd8e0435f3

If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
Avoid this by returning only the status from map_dcmd, and loading
cmd->iov_size in the caller.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
@@ -640,14 +640,14 @@ static int megasas_map_dcmd(MegasasState
         trace_megasas_dcmd_invalid_sge(cmd->index,
                                        cmd->frame->header.sge_count);
         cmd->iov_size = 0;
-        return -1;
+        return -EINVAL;
     }
     iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
     iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
     pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
     qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
     cmd->iov_size = iov_size;
-    return cmd->iov_size;
+    return 0;
 }
 
 static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
@@ -1466,19 +1466,20 @@ static const struct dcmd_cmd_tbl_t {
 
 static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
 {
-    int opcode, len;
+    int opcode;
     int retval = 0;
+    size_t len;
     const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
 
     opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
     trace_megasas_handle_dcmd(cmd->index, opcode);
-    len = megasas_map_dcmd(s, cmd);
-    if (len < 0) {
+    if (megasas_map_dcmd(s, cmd) < 0) {
         return MFI_STAT_MEMORY_NOT_AVAILABLE;
     }
     while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
         cmdptr++;
     }
+    len = cmd->iov_size;
     if (cmdptr->opcode == -1) {
         trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
         retval = megasas_dcmd_dummy(s, cmd);
openSUSE Build Service is sponsored by
Places