[PATCH 0/2] esp: fix for fuzzer issues on gitlab

[PATCH 0/2] esp: fix for fuzzer issues on gitlab

[Mark Cave-Ayland]

This patchset contains a simple fix for 2 ESP fuzzer issues reported on gitlab
as https://gitlab.com/qemu-project/qemu/-/issues/662 and
https://gitlab.com/qemu-project/qemu/-/issues/663.

The first patch contains the fix itself, whilst the second patch contains a
qtest based upon issue 663 (the qtest reproducer posted on issue 662 didn't
trigger the issue for me, however this fix does prevent the attached hyfuzz
image from triggering the assert).

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>


Mark Cave-Ayland (2):
  esp: ensure in-flight SCSI requests are always cancelled
  qtest/am53c974-test: add test for cancelling in-flight requests

 hw/scsi/esp.c               | 10 +++++-----
 tests/qtest/am53c974-test.c | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 5 deletions(-)

-- 
2.20.1

[PATCH 1/2] esp: ensure in-flight SCSI requests are always cancelled

[Mark Cave-Ayland]

There is currently a check in esp_select() to cancel any in-flight SCSI requests
to ensure that issuing multiple select commands without continuing through the
rest of the ESP state machine ignores all but the last SCSI request. This is
also enforced through the addition of assert()s in esp_transfer_data() and
scsi_read_data().

The get_cmd() function does not call esp_select() when TC == 0 which means it is
possible for a fuzzer to trigger these assert()s by sending a select command when
TC == 0 immediately after a valid SCSI CDB has been submitted.

Since esp_select() is only called from get_cmd(), hoist the check to cancel
in-flight SCSI requests from esp_select() into get_cmd() to ensure it is always
called when executing a select command to initiate a new SCSI request.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Closes: https://gitlab.com/qemu-project/qemu/-/issues/662
Closes: https://gitlab.com/qemu-project/qemu/-/issues/663
---
 hw/scsi/esp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8454ed1773..84f935b549 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -204,11 +204,6 @@ static int esp_select(ESPState *s)
     s->ti_size = 0;
     fifo8_reset(&s->fifo);
 
-    if (s->current_req) {
-        /* Started a new command before the old one finished.  Cancel it.  */
-        scsi_req_cancel(s->current_req);
-    }
-
     s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
     if (!s->current_dev) {
         /* No such drive */
@@ -235,6 +230,11 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
     uint32_t dmalen, n;
     int target;
 
+    if (s->current_req) {
+        /* Started a new command before the old one finished.  Cancel it.  */
+        scsi_req_cancel(s->current_req);
+    }
+
     target = s->wregs[ESP_WBUSID] & BUSID_DID;
     if (s->dma) {
         dmalen = MIN(esp_get_tc(s), maxlen);
-- 
2.20.1

[PATCH 2/2] qtest/am53c974-test: add test for cancelling in-flight requests

[Mark Cave-Ayland]

Based upon the qtest reproducer posted to Gitlab issue #663 at
https://gitlab.com/qemu-project/qemu/-/issues/663.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 tests/qtest/am53c974-test.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
index d996866cd4..9b1e4211bd 100644
--- a/tests/qtest/am53c974-test.c
+++ b/tests/qtest/am53c974-test.c
@@ -189,6 +189,40 @@ static void test_cancelled_request_ok(void)
     qtest_quit(s);
 }
 
+static void test_inflight_cancel_ok(void)
+{
+    QTestState *s = qtest_init(
+        "-device am53c974,id=scsi "
+        "-device scsi-hd,drive=disk0 -drive "
+        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+    qtest_outl(s, 0xcf8, 0x80001000);
+    qtest_inw(s, 0xcfc);
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_outl(s, 0xcfc, 0xffffffff);
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_inl(s, 0xcfc);
+    qtest_outl(s, 0xcf8, 0x80001010);
+    qtest_outl(s, 0xcfc, 0xc001);
+    qtest_outl(s, 0xcf8, 0x80001004);
+    qtest_inw(s, 0xcfc);
+    qtest_outl(s, 0xcf8, 0x80001004);
+    qtest_outw(s, 0xcfc, 0x7);
+    qtest_outl(s, 0xcf8, 0x80001004);
+    qtest_inw(s, 0xcfc);
+    qtest_inb(s, 0xc000);
+    qtest_outb(s, 0xc008, 0x8);
+    qtest_outw(s, 0xc00b, 0x4100);
+    qtest_outb(s, 0xc009, 0x0);
+    qtest_outb(s, 0xc009, 0x0);
+    qtest_outw(s, 0xc00b, 0xc212);
+    qtest_outl(s, 0xc042, 0x2c2c5a88);
+    qtest_outw(s, 0xc00b, 0xc212);
+    qtest_outw(s, 0xc00b, 0x415a);
+    qtest_outl(s, 0xc03f, 0x3060303);
+    qtest_outl(s, 0xc00b, 0x5afa9054);
+    qtest_quit(s);
+}
+
 int main(int argc, char **argv)
 {
     const char *arch = qtest_get_arch();
@@ -212,6 +246,8 @@ int main(int argc, char **argv)
                        test_fifo_underflow_on_write_ok);
         qtest_add_func("am53c974/test_cancelled_request_ok",
                        test_cancelled_request_ok);
+        qtest_add_func("am53c974/test_inflight_cancel_ok",
+                       test_inflight_cancel_ok);
     }
 
     return g_test_run();
-- 
2.20.1

Re: [PATCH 2/2] qtest/am53c974-test: add test for cancelling in-flight requests

[Philippe Mathieu-Daudé]

On 11/1/21 19:35, Mark Cave-Ayland wrote:
> Based upon the qtest reproducer posted to Gitlab issue #663 at
> https://gitlab.com/qemu-project/qemu/-/issues/663.
> 
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
> ---
>  tests/qtest/am53c974-test.c | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Re: [PATCH 2/2] qtest/am53c974-test: add test for cancelling in-flight requests

[Paolo Bonzini]

On 01/11/21 19:35, Mark Cave-Ayland wrote:
> Based upon the qtest reproducer posted to Gitlab issue #663 at
> https://gitlab.com/qemu-project/qemu/-/issues/663.
> 
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
> ---
>   tests/qtest/am53c974-test.c | 36 ++++++++++++++++++++++++++++++++++++
>   1 file changed, 36 insertions(+)
> 
> diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c
> index d996866cd4..9b1e4211bd 100644
> --- a/tests/qtest/am53c974-test.c
> +++ b/tests/qtest/am53c974-test.c
> @@ -189,6 +189,40 @@ static void test_cancelled_request_ok(void)
>       qtest_quit(s);
>   }
>   
> +static void test_inflight_cancel_ok(void)
> +{
> +    QTestState *s = qtest_init(
> +        "-device am53c974,id=scsi "
> +        "-device scsi-hd,drive=disk0 -drive "
> +        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
> +    qtest_outl(s, 0xcf8, 0x80001000);
> +    qtest_inw(s, 0xcfc);
> +    qtest_outl(s, 0xcf8, 0x80001010);
> +    qtest_outl(s, 0xcfc, 0xffffffff);
> +    qtest_outl(s, 0xcf8, 0x80001010);
> +    qtest_inl(s, 0xcfc);
> +    qtest_outl(s, 0xcf8, 0x80001010);
> +    qtest_outl(s, 0xcfc, 0xc001);
> +    qtest_outl(s, 0xcf8, 0x80001004);
> +    qtest_inw(s, 0xcfc);
> +    qtest_outl(s, 0xcf8, 0x80001004);
> +    qtest_outw(s, 0xcfc, 0x7);
> +    qtest_outl(s, 0xcf8, 0x80001004);
> +    qtest_inw(s, 0xcfc);
> +    qtest_inb(s, 0xc000);
> +    qtest_outb(s, 0xc008, 0x8);
> +    qtest_outw(s, 0xc00b, 0x4100);
> +    qtest_outb(s, 0xc009, 0x0);
> +    qtest_outb(s, 0xc009, 0x0);
> +    qtest_outw(s, 0xc00b, 0xc212);
> +    qtest_outl(s, 0xc042, 0x2c2c5a88);
> +    qtest_outw(s, 0xc00b, 0xc212);
> +    qtest_outw(s, 0xc00b, 0x415a);
> +    qtest_outl(s, 0xc03f, 0x3060303);
> +    qtest_outl(s, 0xc00b, 0x5afa9054);
> +    qtest_quit(s);
> +}
> +
>   int main(int argc, char **argv)
>   {
>       const char *arch = qtest_get_arch();
> @@ -212,6 +246,8 @@ int main(int argc, char **argv)
>                          test_fifo_underflow_on_write_ok);
>           qtest_add_func("am53c974/test_cancelled_request_ok",
>                          test_cancelled_request_ok);
> +        qtest_add_func("am53c974/test_inflight_cancel_ok",
> +                       test_inflight_cancel_ok);
>       }
>   
>       return g_test_run();
> 

Queued both, thanks.

Paolo