On 23.01.2020 at 13:44, Felipe Franciosi wrote:
> When querying an iSCSI server for the provisioning status of blocks (via
> GET LBA STATUS), Qemu only validates that the response descriptor zero's
> LBA matches the one requested. Given the SCSI spec allows servers to
> respond with the status of blocks beyond the end of the LUN, Qemu may
> have its heap corrupted by clearing/setting too many bits at the end of
> its allocmap for the LUN.
>
> A malicious guest in control of the iSCSI server could carefully program
> Qemu's heap (by selectively setting the bitmap) and then smash it.
>
> This limits the number of bits that iscsi_co_block_status() will try to
> update in the allocmap so it can't overflow the bitmap.
>
> Signed-off-by: Felipe Franciosi <fel...@nutanix.com>
> Signed-off-by: Peter Turschmid <peter.turs...@nutanix.com>
> Signed-off-by: Raphael Norwitz <raphael.norw...@nutanix.com>
Thanks, applied to the block branch.

Kevin
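The bounds limit the commit message describes, as an added illustration using a hypothetical simplified allocmap (this is not QEMU's iscsi_co_block_status() or its real allocmap code): the descriptor's extent is clamped to the LUN size before any bit is set or cleared, so a server-supplied block count can never index past the bitmap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical simplified allocmap: one bit per LUN block, nb_blocks bits in total. */
typedef struct {
    uint64_t nb_blocks;   /* LUN size in blocks */
    uint8_t *bits;        /* heap buffer of (nb_blocks + 7) / 8 bytes */
} allocmap_t;

/* One GET LBA STATUS descriptor as the commit message describes it. */
typedef struct {
    uint64_t lba;         /* first block the descriptor covers */
    uint64_t nb_blocks;   /* blocks covered; a server may let this run past the LUN */
    bool mapped;          /* true = provisioned, false = deallocated */
} lba_status_desc_t;

static allocmap_t *allocmap_new(uint64_t nb_blocks)
{
    allocmap_t *m = calloc(1, sizeof(*m));
    m->nb_blocks = nb_blocks;
    m->bits = calloc((nb_blocks + 7) / 8, 1);
    return m;
}

/* Apply one descriptor to the bitmap. Without the clamp below, an extent that
 * runs past the LUN would set/clear bits beyond the end of 'bits' (the heap
 * corruption the patch prevents). Returns the number of bits actually updated. */
static uint64_t allocmap_apply_status(allocmap_t *m, const lba_status_desc_t *d)
{
    if (d->lba >= m->nb_blocks) return 0;          /* descriptor starts beyond the LUN */
    uint64_t n = d->nb_blocks;
    if (n > m->nb_blocks - d->lba) n = m->nb_blocks - d->lba;  /* the clamp */
    for (uint64_t i = 0; i < n; i++) {
        uint64_t b = d->lba + i;
        if (d->mapped) m->bits[b / 8] |= (uint8_t)(1u << (b % 8));
        else           m->bits[b / 8] &= (uint8_t)~(1u << (b % 8));
    }
    return n;
}

/* Constructed scenario: a 16-block LUN and a descriptor claiming 100 mapped
 * blocks from LBA 12. Only the four in-range bits are touched. */
static uint64_t demo_oversized_descriptor(void)
{
    allocmap_t *m = allocmap_new(16);
    lba_status_desc_t d = { .lba = 12, .nb_blocks = 100, .mapped = true };
    uint64_t updated = allocmap_apply_status(m, &d);
    free(m->bits); free(m);
    return updated;
}
```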