| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Jul 2020 12:09:28 -0400
From: Andres Beltran <lkmlabelt@...il.com>
To: kys@...rosoft.com, haiyangz@...rosoft.com, sthemmin@...rosoft.com,
wei.liu@...nel.org
Cc: linux-hyperv@...r.kernel.org, linux-kernel@...r.kernel.org,
mikelley@...rosoft.com, parri.andrea@...il.com,
skarade@...rosoft.com, Andres Beltran <lkmlabelt@...il.com>,
"James E . J . Bottomley" <jejb@...ux.ibm.com>,
"Martin K . Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org
Subject: [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values
For additional robustness in the face of Hyper-V errors or malicious
behavior, validate all values that originate from packets that
Hyper-V has sent to the guest. Ensure that invalid values cannot
cause data being copied out of the bounds of the source buffer
when calling memcpy. Ensure that outgoing packets do not have any
leftover guest memory that has not been zeroed out.
Cc: James E.J. Bottomley <jejb@...ux.ibm.com>
Cc: Martin K. Petersen <martin.petersen@...cle.com>
Cc: linux-scsi@...r.kernel.org
Signed-off-by: Andres Beltran <lkmlabelt@...il.com>
---
drivers/scsi/storvsc_drv.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 6d2df1f0fe6d..5fcc555a67a4 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1133,6 +1133,10 @@ static void storvsc_command_completion(struct storvsc_cmd_request *cmd_request,
data_transfer_length = 0;
}
+ /* Validate data_transfer_length (from Hyper-V) */
+ if (data_transfer_length > cmd_request->payload->range.len)
+ data_transfer_length = cmd_request->payload->range.len;
+
scsi_set_resid(scmnd,
cmd_request->payload->range.len - data_transfer_length);
@@ -1173,6 +1177,11 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device,
/* Copy over the status...etc */
stor_pkt->vm_srb.scsi_status = vstor_packet->vm_srb.scsi_status;
stor_pkt->vm_srb.srb_status = vstor_packet->vm_srb.srb_status;
+
+ /* Validate sense_info_length (from Hyper-V) */
+ if (vstor_packet->vm_srb.sense_info_length > sense_buffer_size)
+ vstor_packet->vm_srb.sense_info_length = sense_buffer_size;
+
stor_pkt->vm_srb.sense_info_length =
vstor_packet->vm_srb.sense_info_length;
@@ -1623,6 +1632,7 @@ static int storvsc_host_reset_handler(struct scsi_cmnd *scmnd)
request = &stor_device->reset_request;
vstor_packet = &request->vstor_packet;
+ memset(vstor_packet, 0, sizeof(struct vstor_packet));
init_completion(&request->wait_event);
@@ -1736,6 +1746,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
/* Setup the cmd request */
cmd_request->cmd = scmnd;
+ memset(&cmd_request->vstor_packet, 0, sizeof(struct vstor_packet));
vm_srb = &cmd_request->vstor_packet.vm_srb;
vm_srb->win8_extension.time_out_value = 60;
--
2.25.1
Powered by blists - more mailing lists