Commit 20701190e0 for qemu.org
commit 20701190e023216d0213a107a491402ce2cc501e
Author: Christian Borntraeger <borntraeger@linux.ibm.com>
Date: Thu Jul 9 16:29:05 2026 +0200
s390x/sclp: prevent re-reading the sclp header
We verify the sccb length and then allocate based on that length. The
following access re-reads the sccb again. This can race against other
vCPUs overwriting the length field.
sclp_service_call_protected does not need a change as the ultravisor
provides a consistent snapshot.
Fixes: c1db53a5910f ("s390/sclp: read sccb from mem based on provided length")
Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Collin Walling <walling@linux.ibm.com>
Message-ID: <20260709142906.197474-2-borntraeger@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 2d2cde7803..3c8cb16488 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -329,7 +329,8 @@ int sclp_service_call(S390CPU *cpu, uint64_t sccb, uint32_t code)
/*
* we want to work on a private copy of the sccb, to prevent guests
* from playing dirty tricks by modifying the memory content after
- * the host has checked the values
+ * the host has checked the values.
+ * Reuse the previously fetched header
*/
work_sccb = g_malloc0(be16_to_cpu(header.length));
ret = address_space_read(as, sccb, attrs,
@@ -337,6 +338,7 @@ int sclp_service_call(S390CPU *cpu, uint64_t sccb, uint32_t code)
if (ret != MEMTX_OK) {
return -PGM_ADDRESSING;
}
+ work_sccb->h = header;
if (!sclp_command_code_valid(code)) {
work_sccb->h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);