[Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer

[Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer

[Paolo Bonzini]

Other scsi_target_reqops commands were careful about not using r->cmd.xfer
directly, and instead always cap it to a fixed length.  This was not done
for REQUEST SENSE, and this patch fixes it.

Reported-by: Blue Swirl <blauwirdel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
	The way you called REQUEST SENSE from OpenBIOS is correct, the
	bug is clearly in QEMU.  However, I would like to stress that
	you do not need to call it.  Sense data is automatically
	overwritten by the next command, but it is only reported after
	a command returned CHECK CONDITION.  So, REQUEST SENSE always
	gets you information too late.  That's why in your case what
	you want is TEST UNIT READY.  If you want, after each failed
	TEST UNIT READY command you _can_ REQUEST SENSE and check that
	indeed you're getting a unit attention and not another sense
	key, but that's not really necessary.

 hw/scsi-bus.c            |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 559d5a4..80d6bf0 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
         if (req->cmd.xfer < 4) {
             goto illegal_request;
         }
-        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
+        r->len = scsi_device_get_sense(r->req.dev, r->buf,
+                                       MIN(req->cmd.xfer, sizeof r->buf),
                                        (req->cmd.buf[1] & 1) == 0);
         break;
     default:
-- 
1.7.6

Re: [Qemu-devel] [PATCH] scsi: do not overwrite memory on REQUEST SENSE commands with a large buffer

[Blue Swirl]

Thanks, applied.

On Sun, Aug 14, 2011 at 9:05 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Other scsi_target_reqops commands were careful about not using r->cmd.xfer
> directly, and instead always cap it to a fixed length.  This was not done
> for REQUEST SENSE, and this patch fixes it.
>
> Reported-by: Blue Swirl <blauwirdel@gmail.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>        The way you called REQUEST SENSE from OpenBIOS is correct, the
>        bug is clearly in QEMU.  However, I would like to stress that
>        you do not need to call it.  Sense data is automatically
>        overwritten by the next command, but it is only reported after
>        a command returned CHECK CONDITION.  So, REQUEST SENSE always
>        gets you information too late.  That's why in your case what
>        you want is TEST UNIT READY.  If you want, after each failed
>        TEST UNIT READY command you _can_ REQUEST SENSE and check that
>        indeed you're getting a unit attention and not another sense
>        key, but that's not really necessary.
>
>  hw/scsi-bus.c            |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
> index 559d5a4..80d6bf0 100644
> --- a/hw/scsi-bus.c
> +++ b/hw/scsi-bus.c
> @@ -292,7 +292,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
>         if (req->cmd.xfer < 4) {
>             goto illegal_request;
>         }
> -        r->len = scsi_device_get_sense(r->req.dev, r->buf, req->cmd.xfer,
> +        r->len = scsi_device_get_sense(r->req.dev, r->buf,
> +                                       MIN(req->cmd.xfer, sizeof r->buf),
>                                        (req->cmd.buf[1] & 1) == 0);
>         break;
>     default:
> --
> 1.7.6
>
>