* [Bug 1882065] [NEW] Could this cause OOB bug ?
From: r1ng0hacking @ 2020-06-04 10:22 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
In function megasas_handle_scsi(hw/scsi/megasas.c):
```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
                               int frame_cmd)
{
    ............................................................................
    /* All of these fields come from the frame the guest driver wrote. */
    cdb = cmd->frame->pass.cdb;
    target_id = cmd->frame->header.target_id;
    lun_id = cmd->frame->header.lun_id;
    cdb_len = cmd->frame->header.cdb_len;
    ............................................................................
    if (cdb_len > 16) {
        /* frame_cmd is used as an index here without a range check. */
        trace_megasas_scsi_invalid_cdb_len(
            mfi_frame_desc[frame_cmd], is_logical,
            target_id, lun_id, cdb_len);
        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
        cmd->frame->header.scsi_status = CHECK_CONDITION;
        s->event_count++;
        return MFI_STAT_SCSI_DONE_WITH_ERROR;
    }
}
```
Two variables, frame_cmd and cdb_len, can be controlled by the guest OS. So
can mfi_frame_desc[frame_cmd] cause an OOB bug?
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1882065
Title:
Could this cause OOB bug ?
Status in QEMU:
New
Bug description:
In function megasas_handle_scsi(hw/scsi/megasas.c):
```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
int frame_cmd)
{
............................................................................
cdb = cmd->frame->pass.cdb;
target_id = cmd->frame->header.target_id;
lun_id = cmd->frame->header.lun_id;
cdb_len = cmd->frame->header.cdb_len;
............................................................................
if (cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
mfi_frame_desc[frame_cmd], is_logical,
target_id, lun_id, cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
cmd->frame->header.scsi_status = CHECK_CONDITION;
s->event_count++;
return MFI_STAT_SCSI_DONE_WITH_ERROR;
}
}
```
Two variables, frame_cmd and cdb_len, can be controlled by guest os.
So can mfi_frame_desc[frame_cmd] cause OOB bug ?
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1882065/+subscriptions
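The question the report raises is whether a descriptor table can be indexed with a value the guest chooses. The pattern a device model wants instead is a lookup that checks the index against the table length before dereferencing it. The following is an added example written for this page; it is not QEMU's code, and the table contents, the struct frame_header stand-in and the handle_scsi_frame() helper are constructed for illustration only (the real mfi_frame_desc[] and MegasasCmd layouts are not reproduced here).

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Illustrative descriptor table constructed for this example. It stands in
 * for the mfi_frame_desc[] array the bug report refers to and is NOT QEMU's
 * table; only its length matters for the bounds check below.
 */
static const char *const frame_desc[] = {
    "MFI_CMD_INIT",
    "MFI_CMD_LD_READ",
    "MFI_CMD_LD_WRITE",
    "MFI_CMD_LD_SCSI",
    "MFI_CMD_PD_SCSI",
    "MFI_CMD_DCMD",
};
#define FRAME_DESC_COUNT (sizeof(frame_desc) / sizeof(frame_desc[0]))

/*
 * Bounds-checked lookup. The parameter keeps the int type the report shows
 * for frame_cmd, so both negative values and values >= the table length are
 * rejected before the array is indexed; callers get a fixed string instead
 * of a pointer read from outside the table.
 */
const char *frame_desc_name(int frame_cmd)
{
    if (frame_cmd < 0 || (size_t)frame_cmd >= FRAME_DESC_COUNT) {
        return "Unknown";
    }
    return frame_desc[frame_cmd];
}

/*
 * Hypothetical stand-in for the guest-written frame header fields the
 * handler reads; not QEMU's MegasasCmd/frame layout.
 */
struct frame_header {
    int frame_cmd;          /* opcode chosen by the guest driver */
    unsigned int cdb_len;   /* CDB length chosen by the guest driver */
};

enum {
    HANDLE_OK = 0,
    HANDLE_INVALID_CDB_LEN = 1
};

/*
 * Stand-in for the cdb_len check quoted in the report. On a bad CDB length
 * it formats the trace message that names the command, then rejects the
 * frame. Because the name goes through frame_desc_name(), a frame_cmd
 * outside the table produces "Unknown" in the trace instead of an
 * out-of-bounds read.
 */
int handle_scsi_frame(const struct frame_header *hdr,
                      char *trace, size_t trace_len)
{
    if (hdr->cdb_len > 16) {
        snprintf(trace, trace_len, "invalid cdb_len %u for %s",
                 hdr->cdb_len, frame_desc_name(hdr->frame_cmd));
        return HANDLE_INVALID_CDB_LEN;
    }
    trace[0] = '\0';
    return HANDLE_OK;
}

int main(void)
{
    char trace[128];
    /* Constructed frames: one in range, one with an opcode far past the
     * table and an over-long CDB, as a misbehaving guest driver could send. */
    struct frame_header good = { 3, 10 };
    struct frame_header hostile = { 0x7fffffff, 32 };

    handle_scsi_frame(&good, trace, sizeof trace);
    printf("good frame: trace empty: %s\n", trace[0] ? "no" : "yes");
    handle_scsi_frame(&hostile, trace, sizeof trace);
    printf("hostile frame: %s\n", trace);
    return 0;
}
```

The check is placed in the lookup helper rather than at each call site so that every tracepoint or log message that names the command shares one range test; the comparison is done on the signed value first and only then cast to size_t, so a negative opcode cannot wrap into a large unsigned index.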
* [Bug 1882065] Re: Could this cause OOB bug ?
From: r1ng0hacking @ 2020-06-04 10:27 UTC (permalink / raw)
To: qemu-devel
QEMU emulator version 5.0.50 (v5.0.0-533-gdebe78ce14-dirty)
* [Bug 1882065] Re: Could this cause OOB bug ?
From: r1ng0hacking @ 2020-06-10 7:18 UTC (permalink / raw)
To: qemu-devel
You must start the trace function of QEMU to trigger this BUG!
* [Bug 1882065] Re: Could this cause OOB bug ?
From: r1ng0hacking @ 2020-06-10 7:27 UTC (permalink / raw)
To: qemu-devel
** Description changed:
- In function megasas_handle_scsi(hw/scsi/megasas.c):
-
- ```c
- static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
- int frame_cmd)
- {
- ............................................................................
- cdb = cmd->frame->pass.cdb;
- target_id = cmd->frame->header.target_id;
- lun_id = cmd->frame->header.lun_id;
- cdb_len = cmd->frame->header.cdb_len;
- ............................................................................
- if (cdb_len > 16) {
- trace_megasas_scsi_invalid_cdb_len(
- mfi_frame_desc[frame_cmd], is_logical,
- target_id, lun_id, cdb_len);
- megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
- cmd->frame->header.scsi_status = CHECK_CONDITION;
- s->event_count++;
- return MFI_STAT_SCSI_DONE_WITH_ERROR;
- }
- }
- ```
-
- Two variables, frame_cmd and cdb_len, can be controlled by guest os. So
- can mfi_frame_desc[frame_cmd] cause OOB bug ?
+ close!!!!!
* [Bug 1882065] Re: Could this cause OOB bug ?
From: Thomas Huth @ 2020-06-13 9:36 UTC (permalink / raw)
To: qemu-devel
I think we should fix this anyway, even if it can only be triggered when
trace functions are enabled
** Description changed:
- close!!!!!
+
+ In function megasas_handle_scsi(hw/scsi/megasas.c):
+
+ ```c
+ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+ int frame_cmd)
+ {
+ ............................................................................
+ cdb = cmd->frame->pass.cdb;
+ target_id = cmd->frame->header.target_id;
+ lun_id = cmd->frame->header.lun_id;
+ cdb_len = cmd->frame->header.cdb_len;
+ ............................................................................
+ if (cdb_len > 16) {
+ trace_megasas_scsi_invalid_cdb_len(
+ mfi_frame_desc[frame_cmd], is_logical,
+ target_id, lun_id, cdb_len);
+ megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+ cmd->frame->header.scsi_status = CHECK_CONDITION;
+ s->event_count++;
+ return MFI_STAT_SCSI_DONE_WITH_ERROR;
+ }
+ }
+ ```
+
+ Two variables, frame_cmd and cdb_len, can be controlled by guest os. So
+ can mfi_frame_desc[frame_cmd] cause OOB bug ?
* [Bug 1882065] Re: Could this cause OOB bug ?
From: Thomas Huth @ 2020-06-29 7:52 UTC (permalink / raw)
To: qemu-devel
Fix has been included:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ee760ac80ac1f1
** Changed in: qemu
Status: New => Fix Committed
* [Bug 1882065] Re: Could this cause OOB bug ?
From: Thomas Huth @ 2020-08-20 15:11 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Fix Committed => Fix Released