[pve-devel] [PATCH v2 qemu 9/9] add stable fix to avoid crash in SCSI when guest uses too small blocksize

Fiona Ebner f.ebner at proxmox.com
Fri Oct 6 13:01:48 CEST 2023


Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---

New in v2.

 ...k-Disallow-block-sizes-smaller-than-.patch | 43 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch

diff --git a/debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch b/debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
new file mode 100644
index 0000000..9d05c66
--- /dev/null
+++ b/debian/patches/extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth at redhat.com>
+Date: Mon, 25 Sep 2023 11:18:54 +0200
+Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
+ [CVE-2023-42467]
+
+We are doing things like
+
+    nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
+
+in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
+the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
+with a division by 0 exception. Thus disallow block sizes of 256
+bytes to avoid this situation.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
+CVE: 2023-42467
+Signed-off-by: Thomas Huth <thuth at redhat.com>
+Message-ID: <20230925091854.49198-1-thuth at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+(cherry-picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c)
+Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
+---
+ hw/scsi/scsi-disk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e0d79c7966..477ee2bcd4 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
+          * Since the existing code only checks/updates bits 8-15 of the block
+          * size, restrict ourselves to the same requirement for now to ensure
+          * that a block size set by a block descriptor and then read back by
+-         * a subsequent SCSI command will be the same
++         * a subsequent SCSI command will be the same. Also disallow a block
++         * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
+          */
+-        if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
++        if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
+             s->qdev.blocksize = bs;
+             trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
+         }
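Review bot: the commit message says block sizes "smaller than 512" are disallowed, but the only behavioural change is the mask at `!(bs & ~0xfe00)`, which drops bit 8; since bits 0-7 already had to be zero and `bs` non-zero, 256 was indeed the only accepted value below 512, so the smallest value that now passes is 512 and `s->qdev.blocksize / BDRV_SECTOR_SIZE` is at least 1. It would help backport reviewers to state that reasoning in the in-code comment at `Also disallow a block size of 256`, since the comment alone reads as if 256 were a special case rather than the only sub-512 value reachable through this path. The `From 0000000000000000000000000000000000000000` placeholder in the file header is fine for a cherry-pick as long as the `(cherry-picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c)` line stays, because it is the only reference back to the upstream change.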
diff --git a/debian/patches/series b/debian/patches/series
index 71f7e01..a661a9e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,6 +9,7 @@ extra/0008-file-posix-Clear-bs-bl.zoned-on-error.patch
 extra/0009-file-posix-Check-bs-bl.zoned-for-zone-info.patch
 extra/0010-file-posix-Fix-zone-update-in-I-O-error-path.patch
 extra/0011-file-posix-Simplify-raw_co_prw-s-out-zone-code.patch
+extra/0012-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.39.2