scsi: storvsc: Add validation for untrusted Hyper-V values

For additional robustness in the face of Hyper-V errors or malicious behavior, validate all values that originate from packets that Hyper-V has sent to the guest. Ensure that invalid values cannot cause data being copied out of the bounds of the source buffer when calling memcpy. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out. Link: https://lore.kernel.org/r/20200706160928.53049-1-lkmlabelt@gmail.com Cc: James E.J. Bottomley <jejb@linux.ibm.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: linux-scsi@vger.kernel.org Reviewed-by: Michael Kelley <mikelley@microsoft.com> Signed-off-by: Andres Beltran <lkmlabelt@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

scsi: storvsc: Add validation for untrusted Hyper-V values
For additional robustness in the face of Hyper-V errors or malicious behavior, validate all values that originate from packets that Hyper-V has sent to the guest. Ensure that invalid values cannot cause data being copied out of the bounds of the source buffer when calling memcpy. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out. Link: https://lore.kernel.org/r/20200706160928.53049-1-lkmlabelt@gmail.com Cc: James E.J. Bottomley <jejb@linux.ibm.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: linux-scsi@vger.kernel.org Reviewed-by: Michael Kelley <mikelley@microsoft.com> Signed-off-by: Andres Beltran <lkmlabelt@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
0a765665 · Andres Beltran · Martin K. Petersen · 3010dfb0 · 0a765665
Commit 0a765665 authored Jul 06, 2020 by Andres Beltran Committed by Martin K. Petersen Jul 08, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

drivers/scsi/storvsc_drv.c drivers/scsi/storvsc_drv.c +11 -0

No files found.
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1100,6 +1100,10 @@ static void storvsc_command_completion(struct storvsc_cmd_request *cmd_request,
 			data_transfer_length = 0;
 	}

+	/* Validate data_transfer_length (from Hyper-V) */
+	if (data_transfer_length > cmd_request->payload->range.len)
+		data_transfer_length = cmd_request->payload->range.len;
+
 	scsi_set_resid(scmnd,
 		cmd_request->payload->range.len - data_transfer_length);

@@ -1140,6 +1144,11 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device,
 	/* Copy over the status...etc */
 	stor_pkt->vm_srb.scsi_status = vstor_packet->vm_srb.scsi_status;
 	stor_pkt->vm_srb.srb_status = vstor_packet->vm_srb.srb_status;
+
+	/* Validate sense_info_length (from Hyper-V) */
+	if (vstor_packet->vm_srb.sense_info_length > sense_buffer_size)
+		vstor_packet->vm_srb.sense_info_length = sense_buffer_size;
+
 	stor_pkt->vm_srb.sense_info_length =
 	vstor_packet->vm_srb.sense_info_length;

@@ -1565,6 +1574,7 @@ static int storvsc_host_reset_handler(struct scsi_cmnd *scmnd)

 	request = &stor_device->reset_request;
 	vstor_packet = &request->vstor_packet;
+	memset(vstor_packet, 0, sizeof(struct vstor_packet));

 	init_completion(&request->wait_event);

@@ -1668,6 +1678,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 	/* Setup the cmd request */
 	cmd_request->cmd = scmnd;

+	memset(&cmd_request->vstor_packet, 0, sizeof(struct vstor_packet));
 	vm_srb = &cmd_request->vstor_packet.vm_srb;
 	vm_srb->win8_extension.time_out_value = 60;