Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-0330: [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023

A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.

CVE
#vulnerability#git

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

From:

Mauro Matteo Cascella

Subject:

[PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330)

Date:

Mon, 16 Jan 2023 21:42:32 +0100

This prevents the well known DMA-MMIO reentrancy problem (upstream issue #556) leading to memory corruption bugs like stack overflow or use-after-free.

Fixes: CVE-2023-0330 Signed-off-by: Mauro Matteo Cascella [email protected] Reported-by: Zheyu Ma [email protected]


hw/scsi/lsi53c895a.c | 14 ++++++++±— tests/qtest/fuzz-lsi53c895a-test.c | 32 ++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index af93557a9a…89c52594eb 100644 — a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -446,22 +446,28 @@ static void lsi_reselect(LSIState *s, lsi_request *p); static inline void lsi_mem_read(LSIState *s, dma_addr_t addr, void *buf, dma_addr_t len) {

  • const MemTxAttrs attrs = { .memory = true };
  • if (s->dmode & LSI_DMODE_SIOM) {
  •    address\_space\_read(&s->pci\_io\_as, addr, MEMTXATTRS\_UNSPECIFIED,
    
  •    address\_space\_read(&s->pci\_io\_as, addr, attrs,
                          buf, len);
    
    } else {
  •    pci\_dma\_read(PCI\_DEVICE(s), addr, buf, len);
    
  •    pci\_dma\_rw(PCI\_DEVICE(s), addr, buf, len,
    
  •                  DMA\_DIRECTION\_TO\_DEVICE, attrs);
    
    } }

static inline void lsi_mem_write(LSIState *s, dma_addr_t addr, const void *buf, dma_addr_t len) {

  • const MemTxAttrs attrs = { .memory = true };
  • if (s->dmode & LSI_DMODE_DIOM) {
  •    address\_space\_write(&s->pci\_io\_as, addr, MEMTXATTRS\_UNSPECIFIED,
    
  •    address\_space\_write(&s->pci\_io\_as, addr, attrs,
                           buf, len);
    
    } else {
  •    pci\_dma\_write(PCI\_DEVICE(s), addr, buf, len);
    
  •    pci\_dma\_rw(PCI\_DEVICE(s), addr, (void \*) buf, len,
    
  •                  DMA\_DIRECTION\_FROM\_DEVICE, attrs);
    
    } }

diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c index 392a7ae7ed…35c02e89f3 100644 — a/tests/qtest/fuzz-lsi53c895a-test.c +++ b/tests/qtest/fuzz-lsi53c895a-test.c @@ -8,6 +8,35 @@ #include “qemu/osdep.h” #include “libqtest.h”

+/*

  • * This used to trigger a DMA reentrancy issue
  • * leading to memory corruption bugs like stack
  • * overflow or use-after-free
  • */ +static void test_lsi_dma_reentrancy(void) +{
  • QTestState *s;
  • s = qtest_init("-M q35 -m 512M -nodefaults "
  •               "-blockdev driver=null-co,node-name=null0 "
    
  •               "-device lsi53c810 -device scsi-cd,drive=null0");
    
  • qtest_outl(s, 0xcf8, 0x80000804); /* PCI Command Register */
  • qtest_outw(s, 0xcfc, 0x7); /* Enables accesses */
  • qtest_outl(s, 0xcf8, 0x80000814); /* Memory Bar 1 */
  • qtest_outl(s, 0xcfc, 0xff100000); /* Set MMIO Address*/
  • qtest_outl(s, 0xcf8, 0x80000818); /* Memory Bar 2 */
  • qtest_outl(s, 0xcfc, 0xff000000); /* Set RAM Address*/
  • qtest_writel(s, 0xff000000, 0xc0000024);
  • qtest_writel(s, 0xff000114, 0x00000080);
  • qtest_writel(s, 0xff00012c, 0xff000000);
  • qtest_writel(s, 0xff000004, 0xff000114);
  • qtest_writel(s, 0xff000008, 0xff100014);
  • qtest_writel(s, 0xff10002f, 0x000000ff);
  • qtest_quit(s); +}

/* * This used to trigger a UAF in lsi_do_msgout() * https://gitlab.com/qemu-project/qemu/-/issues/972 @@ -120,5 +149,8 @@ int main(int argc, char **argv) qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req", test_lsi_do_msgout_cancel_req);

  • qtest_add_func("fuzz/lsi53c895a/lsi_dma_reentrancy",
  •               test\_lsi\_dma\_reentrancy);
    
  • return g_test_run(); } – 2.39.0
  • [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330), Mauro Matteo Cascella <=

    • Re: [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330), Mauro Matteo Cascella, 2023/01/16
  • Prev by Date: Re: [PATCH v14 01/11] s390x/cpu topology: adding s390 specificities to CPU topology

  • Next by Date: Re: [RFC PATCH for 8.0 10/13] virtio-net: Migrate vhost inflight descriptors

  • Previous by thread: Re: [PATCH trivial for 7.2 2/2] hw/virtio/virtio.c: spelling: suppoted

  • Next by thread: Re: [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330)

  • Index(es):

    • Date
    • Thread

Related news

CVE-2023-45085: Releases - HyperCloud Docs

An issue exists in SoftIron HyperCloud where compute nodes may come online immediately without following the correct initialization process.  In this instance, workloads may be scheduled on these nodes and deploy to a failed or erroneous state, which impacts the availability of these workloads that may be deployed during this time window. This issue impacts HyperCloud versions from 2.0.0 to before 2.0.3.

Ubuntu Security Notice USN-6167-1

Ubuntu Security Notice 6167-1 - It was discovered that QEMU did not properly manage the guest drivers when shared buffers are not allocated. A malicious guest driver could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10. It was discovered that QEMU did not properly check the size of the structure pointed to by the guest physical address pqxl. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907