Re: [RFC PATCH] ide: atapi: assert that the buffer pointer is in range
From: Kevin Wolf
Subject: Re: [RFC PATCH] ide: atapi: assert that the buffer pointer is in range
Date: Tue, 1 Dec 2020 16:17:29 +0100
On 01.12.2020 at 13:09, Paolo Bonzini wrote:
> A case was reported where s->io_buffer_index can be out of range.
> The report skimped on the details but it seems to be triggered
> by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
> ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
> with assertions. The first one ensures that there is no overflow
> when incrementing s->io_buffer_index, the second checks for the
> buffer overrun.
>
> Note that the buffer overrun is only a read, so I am not sure
> if the assertion failure is actually less harmful than the overrun.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
I don't think reading LBA 0xFFFFFFFF from a CD image would ever be
valid (or at least I have never seen an 8 TB CD...), so it's probably a
malicious guest. Assertion failure seems okay to me; guests already have
enough ways to kill themselves, so it feels slightly preferable to an
information leak.
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
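The failure mode Paolo describes, as an added example that is not part of this thread or of QEMU's code: a constructed C model of an ATAPI READ path in which the 32-bit LBA taken from the CDB is stored in a signed `int`, so a guest-supplied 0xFFFFFFFF arrives as -1, together with the two checks the patch description names (the LBA must lie within the medium, and the next sector must fit in the I/O buffer without `io_buffer_index` overflowing). The `cd_state` struct, the buffer and medium sizes, the 4-sector image and the helper names are assumptions for the illustration and are not QEMU's `IDEState`; only the CDB layout (LBA in bytes 2..5 of a READ(10)) follows the MMC/SBC command format.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the state an ATAPI READ path touches. The field
 * names echo those in the discussion (s->lba, s->io_buffer_index) so the
 * failure mode is recognisable; the struct, sizes and image are assumptions
 * for this example, not QEMU's IDEState. */
#define CD_SECTOR_SIZE 2048
#define IO_BUFFER_SIZE (4 * CD_SECTOR_SIZE)   /* assumption: small I/O buffer */
#define MEDIUM_SECTORS 4                      /* assumption: 4-sector "CD" image */

typedef struct {
    int lba;                 /* signed, so an LBA of 0xFFFFFFFF is stored as -1 */
    int io_buffer_index;
    int io_buffer_size;
    uint64_t nb_sectors;     /* capacity of the medium in CD_SECTOR_SIZE units */
    uint8_t io_buffer[IO_BUFFER_SIZE];
} cd_state;

static cd_state state;
static uint8_t medium[MEDIUM_SECTORS * CD_SECTOR_SIZE];

/* Read the 32-bit big-endian LBA in bytes 2..5 of a READ(10)/READ(12) CDB. */
static uint32_t cdb_lba(const uint8_t *cdb)
{
    return ((uint32_t)cdb[2] << 24) | ((uint32_t)cdb[3] << 16) |
           ((uint32_t)cdb[4] << 8)  |  (uint32_t)cdb[5];
}

/* First check: the LBA must name a sector that exists. A negative value
 * (the wrapped 0xFFFFFFFF) or one past the end is rejected before any
 * arithmetic uses it. */
static bool lba_in_range(const cd_state *s)
{
    return s->lba >= 0 && (uint64_t)s->lba < s->nb_sectors;
}

/* Second check: one more sector must fit in io_buffer. The INT_MAX test
 * keeps io_buffer_index + CD_SECTOR_SIZE from overflowing; the comparison
 * with io_buffer_size stops the copy from running off the buffer. */
static bool buffer_room_for_sector(const cd_state *s)
{
    if (s->io_buffer_index < 0 ||
        s->io_buffer_index > INT_MAX - CD_SECTOR_SIZE) {
        return false;
    }
    return s->io_buffer_index + CD_SECTOR_SIZE <= s->io_buffer_size;
}

/* Model of one READ: returns the bytes copied, or -1 if either check
 * rejects the command (where the patch under discussion would assert). */
static int atapi_read_one_sector(cd_state *s, const uint8_t *cdb,
                                 const uint8_t *image)
{
    s->lba = (int)cdb_lba(cdb);   /* two's-complement: 0xFFFFFFFF -> -1 */
    if (!lba_in_range(s) || !buffer_room_for_sector(s)) {
        return -1;
    }
    memcpy(s->io_buffer + s->io_buffer_index,
           image + (size_t)s->lba * CD_SECTOR_SIZE, CD_SECTOR_SIZE);
    s->io_buffer_index += CD_SECTOR_SIZE;
    return CD_SECTOR_SIZE;
}

/* Fill the constructed image (sector i holds the byte i + 1) and reset state. */
static void reset_state(void)
{
    for (int i = 0; i < MEDIUM_SECTORS; i++) {
        memset(medium + (size_t)i * CD_SECTOR_SIZE, i + 1, CD_SECTOR_SIZE);
    }
    memset(&state, 0, sizeof state);
    state.io_buffer_size = IO_BUFFER_SIZE;
    state.nb_sectors = MEDIUM_SECTORS;
}

/* Build a READ(10) CDB for one sector at the given LBA and run it. */
static int read_with_lba(uint32_t lba)
{
    uint8_t cdb[12] = { 0x28, 0,
                        (uint8_t)(lba >> 24), (uint8_t)(lba >> 16),
                        (uint8_t)(lba >> 8),  (uint8_t)lba,
                        0, 0, 1, 0, 0, 0 };   /* transfer length = 1 */
    return atapi_read_one_sector(&state, cdb, medium);
}

int main(void)
{
    reset_state();
    printf("LBA 1:          %d bytes\n", read_with_lba(1));
    int rc = read_with_lba(0xFFFFFFFFu);
    printf("LBA 0xFFFFFFFF: %d (s->lba = %d)\n", rc, state.lba);
    return 0;
}
```

The LBA check is the one that matters for the report: once `s->lba` is negative, any byte offset derived from it is garbage, so it has to be rejected before the index arithmetic, not after. The overflow guard on `io_buffer_index` is cheap and independent of the medium size, which is why it belongs in the buffer check rather than being folded into the LBA test.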