qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
To: qemu-devel@nongnu.org, alxndr@bu.edu, laurent@vivier.eu,
	pbonzini@redhat.com
Subject: [PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd()
Date: Thu,  1 Apr 2021 08:49:30 +0100	[thread overview]
Message-ID: <20210401074933.9923-9-mark.cave-ayland@ilande.co.uk> (raw)
In-Reply-To: <20210401074933.9923-1-mark.cave-ayland@ilande.co.uk>

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 7f49522e1d..c547c60395 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -243,6 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
         }
         if (s->dma_memory_read) {
             s->dma_memory_read(s->dma_opaque, buf, dmalen);
+            dmalen = MIN(fifo8_num_free(&s->fifo), dmalen);
             fifo8_push_all(&s->cmdfifo, buf, dmalen);
         } else {
             if (esp_select(s) < 0) {
-- 
2.20.1



  parent reply	other threads:[~2021-04-01  7:59 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-01  7:49 [PATCH v3 00/11] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland
2021-04-01  7:49 ` [PATCH v3 01/11] esp: always check current_req is not NULL before use in DMA callbacks Mark Cave-Ayland
2021-04-01  7:49 ` [PATCH v3 02/11] esp: rework write_response() to avoid using the FIFO for DMA transactions Mark Cave-Ayland
2021-04-01  8:26   ` Philippe Mathieu-Daudé
2021-04-01  7:49 ` [PATCH v3 03/11] esp: consolidate esp_cmdfifo_push() into esp_fifo_push() Mark Cave-Ayland
2021-04-01  8:15   ` Philippe Mathieu-Daudé
2021-04-01  8:50     ` Mark Cave-Ayland
2021-04-01  9:16       ` Philippe Mathieu-Daudé
2021-04-01  7:49 ` [PATCH v3 04/11] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop() Mark Cave-Ayland
2021-04-01  8:15   ` Philippe Mathieu-Daudé
2021-04-01  7:49 ` [PATCH v3 05/11] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf() Mark Cave-Ayland
2021-04-01  9:34   ` Philippe Mathieu-Daudé
2021-04-01 10:51     ` Mark Cave-Ayland
2021-04-01 18:05       ` Philippe Mathieu-Daudé
2021-04-01  7:49 ` [PATCH v3 06/11] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland
2021-04-01  8:17   ` Philippe Mathieu-Daudé
2021-04-01  7:49 ` [PATCH v3 07/11] esp: don't underflow cmdfifo in do_cmd() Mark Cave-Ayland
2021-04-01  8:19   ` Philippe Mathieu-Daudé
2021-04-01  8:51     ` Mark Cave-Ayland
2021-04-01  7:49 ` Mark Cave-Ayland [this message]
2021-04-01  8:19   ` [PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd() Philippe Mathieu-Daudé
2021-04-01  8:56     ` Mark Cave-Ayland
2021-04-01  7:49 ` [PATCH v3 09/11] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland
2021-04-01  7:49 ` [PATCH v3 10/11] esp: don't reset async_len directly in esp_select() if cancelling request Mark Cave-Ayland
2021-04-01  7:49 ` [PATCH v3 11/11] tests/qtest: add tests for am53c974 device Mark Cave-Ayland
2021-04-01 16:55   ` Alexander Bulekov
2021-04-02  7:29     ` Mark Cave-Ayland
2021-04-01 17:00 ` [PATCH v3 00/11] esp: fix asserts/segfaults discovered by fuzzer Alexander Bulekov
2021-04-02  7:35   ` Mark Cave-Ayland
2021-04-02 16:20     ` [PATCH] tests/qtest: add one more test for the am53c974 Alexander Bulekov
2021-04-03 14:38       ` Mark Cave-Ayland
2021-04-07 12:08         ` Mark Cave-Ayland
2021-04-07 13:04       ` Mark Cave-Ayland
2021-04-07 14:49         ` Alexander Bulekov
2021-04-07 15:11           ` Mark Cave-Ayland

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210401074933.9923-9-mark.cave-ayland@ilande.co.uk \
    --to=mark.cave-ayland@ilande.co.uk \
    --cc=alxndr@bu.edu \
    --cc=laurent@vivier.eu \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).