Re: [RFC PATCH] ide: atapi: assert that the buffer pointer is in range
From: Peter Maydell
Subject: Re: [RFC PATCH] ide: atapi: assert that the buffer pointer is in range
Date: Tue, 1 Dec 2020 16:20:54 +0000
On Tue, 1 Dec 2020 at 15:17, Kevin Wolf <kwolf@redhat.com> wrote:
>
> On 01.12.2020 at 13:09, Paolo Bonzini wrote:
> > A case was reported where s->io_buffer_index can be out of range.
> > The report skimped on the details but it seems to be triggered
> > by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
> > ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
> > with assertions. The first one ensures that there is no overflow
> > when incrementing s->io_buffer_index, the second checks for the
> > buffer overrun.
> >
> > Note that the buffer overrun is only a read, so I am not sure
> > if the assertion failure is actually less harmful than the overrun.
> >
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>
> I don't think reading LBA 0xFFFFFFFF from a CD image would ever be
> valid (or at least I have never seen an 8 TB CD...), so it's probably a
> malicious guest. Assertion failure seems okay to me; guests already have
> enough ways to kill themselves, so it feels slightly preferable to an
> information leak.
>
> Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Thanks; applied to master for 5.2.
-- PMM