virtio-blk: refuse SG_IO requests with scsi=off
authorPaolo Bonzini <pbonzini@redhat.com>
Fri, 23 Dec 2011 14:39:03 +0000 (15:39 +0100)
committerAnthony Liguori <aliguori@us.ibm.com>
Fri, 13 Jan 2012 16:20:51 +0000 (10:20 -0600)
QEMU does have a "scsi" option (to be used like -device
virtio-blk-pci,drive=foo,scsi=off).  However, it only
masks the feature bit, and does not reject the command
if a malicious guest disregards the feature bits and
issues a request.

Without this patch, using scsi=off does not protect you
from CVE-2011-4127.

Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
hw/virtio-blk.c

index 5e81f53e14e77827470b6d32bff192d06d747e89..5b416c36eea1d3bbba0bb20fb6bc9bb318daf1a5 100644 (file)
@@ -153,6 +153,12 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
     int status;
     int i;
 
+    if ((req->dev->vdev.guest_features & (1 << VIRTIO_BLK_F_SCSI)) == 0) {
+        virtio_blk_req_complete(req, VIRTIO_BLK_S_UNSUPP);
+        g_free(req);
+        return;
+    }
+
     /*
      * We require at least one output segment each for the virtio_blk_outhdr
      * and the SCSI command block.
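Review bot: The new guard at the top of virtio_blk_handle_scsi decides on `req->dev->vdev.guest_features`, which is the set of bits the guest acknowledged. It therefore enforces scsi=off only if the feature-negotiation code masks the guest's write against the host-offered bits. That code is outside this hunk, so this should be confirmed before relying on the check as the CVE-2011-4127 mitigation. Testing the device's host-side scsi setting directly would remove the dependency. If the negotiated bits are kept, the assumption should be recorded above the check, for example `/* guest_features is masked by the host-offered set at negotiation, so scsi=off guarantees this bit is clear */`. The function body continues past the end of the hunk, so the later request handling is not reviewed here.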