virtio-blk: refuse SG_IO requests with scsi=off

QEMU does have a "scsi" option (to be used like -device virtio-blk-pci,drive=foo,scsi=off). However, it only masks the feature bit, and does not reject the command if a malicious guest disregards the feature bits and issues a request. Without this patch, using scsi=off does not protect you from CVE-2011-4127. Reviewed-by: N Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>

virtio-blk: refuse SG_IO requests with scsi=off
QEMU does have a "scsi" option (to be used like -device virtio-blk-pci,drive=foo,scsi=off). However, it only masks the feature bit, and does not reject the command if a malicious guest disregards the feature bits and issues a request. Without this patch, using scsi=off does not protect you from CVE-2011-4127. Reviewed-by: N Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>
1ba1f2e3 · Paolo Bonzini · Anthony Liguori · 701a8f76 · 1ba1f2e3
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

hw/virtio-blk.c hw/virtio-blk.c +6 -0

未找到文件。
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
    int status;
    int i;

+    if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
+        virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
+        g_free(req);
+        return;
+    }
+
    /*
     * We require at least one output segment each for the virtio_blk_outhdr
     * and the SCSI command block.