* [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer @ 2021-03-16 23:30 Mark Cave-Ayland 2021-03-16 23:30 ` [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present Mark Cave-Ayland ` (5 more replies) 0 siblings, 6 replies; 14+ messages in thread From: Mark Cave-Ayland @ 2021-03-16 23:30 UTC (permalink / raw) To: qemu-devel, alxndr Recently there have been a number of issues raised on Launchpad as a result of fuzzing the am53c974 (ESP) device. I spent some time over the past couple of days checking to see if anything had improved since my last patchset: from what I can tell the issues are still present, but the cmdfifo related failures now assert rather than corrupting memory. This patchset applied to master passes my local tests using the qtest fuzz test cases added by Alexander for the following Launchpad bugs: https://bugs.launchpad.net/qemu/+bug/1919035 https://bugs.launchpad.net/qemu/+bug/1919036 https://bugs.launchpad.net/qemu/+bug/1910723 https://bugs.launchpad.net/qemu/+bug/1909247 I'm posting this now just before soft freeze since I see that some of the issues have recently been allocated CVEs and so it could be argued that even though they have existed for some time, it is worth fixing them for 6.0. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Mark Cave-Ayland (4): esp: don't underflow cmdfifo if no message out/command data is present esp: don't overflow cmdfifo if TC is larger than the cmdfifo size esp: ensure cmdfifo is not empty and current_dev is non-NULL esp: always check current_req is not NULL before use in DMA callbacks hw/scsi/esp.c | 56 +++++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 20 deletions(-) -- 2.20.1 ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland @ 2021-03-16 23:30 ` Mark Cave-Ayland 2021-03-17 15:14 ` Alexander Bulekov 2021-03-17 15:37 ` Alexander Bulekov 2021-03-16 23:30 ` [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland ` (4 subsequent siblings) 5 siblings, 2 replies; 14+ messages in thread From: Mark Cave-Ayland @ 2021-03-16 23:30 UTC (permalink / raw) To: qemu-devel, alxndr If a guest sends a TI (Transfer Information) command without previously sending any message out/command phase data then cmdfifo will underflow triggering an assert reading the IDENTIFY byte. Buglink: https://bugs.launchpad.net/qemu/+bug/1919035 Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 507ab363bc..5d3f1ccbc8 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -318,18 +318,24 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) static void do_cmd(ESPState *s) { - uint8_t busid = fifo8_pop(&s->cmdfifo); + uint8_t busid; uint32_t n; - s->cmdfifo_cdb_offset--; + if (fifo8_num_used(&s->cmdfifo)) { + busid = fifo8_pop(&s->cmdfifo); - /* Ignore extended messages for now */ - if (s->cmdfifo_cdb_offset) { - fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n); - s->cmdfifo_cdb_offset = 0; - } + if (s->cmdfifo_cdb_offset) { + s->cmdfifo_cdb_offset--; + + /* Ignore extended messages for now */ + if (s->cmdfifo_cdb_offset) { + fifo8_pop_buf(&s->cmdfifo, s->cmdfifo_cdb_offset, &n); + s->cmdfifo_cdb_offset = 0; + } + } - do_busid_cmd(s, busid); + do_busid_cmd(s, busid); + } } static void satn_pdma_cb(ESPState *s) -- 2.20.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present 2021-03-16 23:30 ` [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present Mark Cave-Ayland @ 2021-03-17 15:14 ` Alexander Bulekov 2021-03-17 16:07 ` Alexander Bulekov 2021-03-17 15:37 ` Alexander Bulekov 1 sibling, 1 reply; 14+ messages in thread From: Alexander Bulekov @ 2021-03-17 15:14 UTC (permalink / raw) To: Mark Cave-Ayland; +Cc: qemu-devel On 210316 2330, Mark Cave-Ayland wrote: > If a guest sends a TI (Transfer Information) command without previously sending > any message out/command phase data then cmdfifo will underflow triggering an > assert reading the IDENTIFY byte. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1919035 > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) Tested-by: Alexander Bulekov <alxndr@bu.edu> ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present 2021-03-17 15:14 ` Alexander Bulekov @ 2021-03-17 16:07 ` Alexander Bulekov 0 siblings, 0 replies; 14+ messages in thread From: Alexander Bulekov @ 2021-03-17 16:07 UTC (permalink / raw) To: Mark Cave-Ayland; +Cc: qemu-devel On 210317 1114, Alexander Bulekov wrote: > On 210316 2330, Mark Cave-Ayland wrote: > > If a guest sends a TI (Transfer Information) command without previously sending > > any message out/command phase data then cmdfifo will underflow triggering an > > assert reading the IDENTIFY byte. > > > > Buglink: https://bugs.launchpad.net/qemu/+bug/1919035 > > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > > --- > > hw/scsi/esp.c | 22 ++++++++++++++-------- > > 1 file changed, 14 insertions(+), 8 deletions(-) > > Tested-by: Alexander Bulekov <alxndr@bu.edu> Oops please disregard this. It was meant for PATCH 2/4 ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present 2021-03-16 23:30 ` [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present Mark Cave-Ayland 2021-03-17 15:14 ` Alexander Bulekov @ 2021-03-17 15:37 ` Alexander Bulekov 1 sibling, 0 replies; 14+ messages in thread From: Alexander Bulekov @ 2021-03-17 15:37 UTC (permalink / raw) To: Mark Cave-Ayland; +Cc: qemu-devel On 210316 2330, Mark Cave-Ayland wrote: > If a guest sends a TI (Transfer Information) command without previously sending > any message out/command phase data then cmdfifo will underflow triggering an > assert reading the IDENTIFY byte. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1919035 > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Hi Mark, The original reproducer no longer asserts, but I ran through the fuzz corpus, and there is another one, that still seems to trigger the same bug: cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \ -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio outl 0xcf8 0x80001010 outl 0xcfc 0xc000 outl 0xcf8 0x80001004 outw 0xcfc 0x01 outl 0xc008 0x0a outl 0xc009 0x41000000 outl 0xc009 0x41000000 outl 0xc00b 0x1000 EOF C Code testcase below. Thanks -Alex /* * Autogenerated Fuzzer Test Case * * Copyright (c) 2021 <name of author> * * This work is licensed under the terms of the GNU GPL, version 2 or * later. See the COPYING file in the top-level directory. */ #include "qemu/osdep.h" #include "libqos/libqtest.h" /* * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \ * -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio * outl 0xcf8 0x80001010 * outl 0xcfc 0xc000 * outl 0xcf8 0x80001004 * outw 0xcfc 0x01 * outl 0xc008 0x0a * outl 0xc009 0x41000000 * outl 0xc009 0x41000000 * outl 0xc00b 0x1000 * EOF */ static void test_fuzz(void) { QTestState *s = qtest_init( "-display none , -m 512M -device am53c974,id=scsi -device " "scsi-hd,drive=disk0 -drive " "id=disk0,if=none,file=null-co://,format=raw -nodefaults "); qtest_outl(s, 0xcf8, 0x80001010); qtest_outl(s, 0xcfc, 0xc000); qtest_outl(s, 0xcf8, 0x80001004); qtest_outw(s, 0xcfc, 0x01); qtest_outl(s, 0xc008, 0x0a); qtest_outl(s, 0xc009, 0x41000000); qtest_outl(s, 0xc009, 0x41000000); qtest_outl(s, 0xc00b, 0x1000); qtest_quit(s); } int main(int argc, char **argv) { const char *arch = qtest_get_arch(); g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/test_fuzz", test_fuzz); } return g_test_run(); } ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland 2021-03-16 23:30 ` [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present Mark Cave-Ayland @ 2021-03-16 23:30 ` Mark Cave-Ayland 2021-03-17 0:19 ` Philippe Mathieu-Daudé 2021-03-17 16:07 ` Alexander Bulekov 2021-03-16 23:30 ` [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland ` (3 subsequent siblings) 5 siblings, 2 replies; 14+ messages in thread From: Mark Cave-Ayland @ 2021-03-16 23:30 UTC (permalink / raw) To: qemu-devel, alxndr If a guest transfers the message out/command phase data using DMA with a TC that is larger than the cmdfifo size then the cmdfifo overflows triggering an assert. Limit the size of the transfer to the free space available in cmdfifo. Buglink: https://bugs.launchpad.net/qemu/+bug/1919036 Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 5d3f1ccbc8..bbcbfa4a91 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -579,6 +579,7 @@ static void esp_do_dma(ESPState *s) cmdlen = fifo8_num_used(&s->cmdfifo); trace_esp_do_dma(cmdlen, len); if (s->dma_memory_read) { + len = MIN(len, fifo8_num_free(&s->cmdfifo)); s->dma_memory_read(s->dma_opaque, buf, len); fifo8_push_all(&s->cmdfifo, buf, len); } else { -- 2.20.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size 2021-03-16 23:30 ` [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland @ 2021-03-17 0:19 ` Philippe Mathieu-Daudé 2021-03-17 16:07 ` Alexander Bulekov 1 sibling, 0 replies; 14+ messages in thread From: Philippe Mathieu-Daudé @ 2021-03-17 0:19 UTC (permalink / raw) To: Mark Cave-Ayland, qemu-devel, alxndr On 3/17/21 12:30 AM, Mark Cave-Ayland wrote: > If a guest transfers the message out/command phase data using DMA with a TC > that is larger than the cmdfifo size then the cmdfifo overflows triggering > an assert. Limit the size of the transfer to the free space available in > cmdfifo. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1919036 > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 1 + > 1 file changed, 1 insertion(+) Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size 2021-03-16 23:30 ` [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland 2021-03-17 0:19 ` Philippe Mathieu-Daudé @ 2021-03-17 16:07 ` Alexander Bulekov 1 sibling, 0 replies; 14+ messages in thread From: Alexander Bulekov @ 2021-03-17 16:07 UTC (permalink / raw) To: Mark Cave-Ayland; +Cc: qemu-devel On 210316 2330, Mark Cave-Ayland wrote: > If a guest transfers the message out/command phase data using DMA with a TC > that is larger than the cmdfifo size then the cmdfifo overflows triggering > an assert. Limit the size of the transfer to the free space available in > cmdfifo. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1919036 > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 1 + > 1 file changed, 1 insertion(+) Tested-by: Alexander Bulekov <alxndr@bu.edu> ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland 2021-03-16 23:30 ` [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present Mark Cave-Ayland 2021-03-16 23:30 ` [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland @ 2021-03-16 23:30 ` Mark Cave-Ayland 2021-03-17 0:18 ` Philippe Mathieu-Daudé 2021-03-17 15:47 ` Alexander Bulekov 2021-03-16 23:30 ` [PATCH 4/4] esp: always check current_req is not NULL before use in DMA callbacks Mark Cave-Ayland ` (2 subsequent siblings) 5 siblings, 2 replies; 14+ messages in thread From: Mark Cave-Ayland @ 2021-03-16 23:30 UTC (permalink / raw) To: qemu-devel, alxndr When about to execute a SCSI command, ensure that cmdfifo is not empty and current_dev is non-NULL. This can happen if the guest tries to execute a TI (Transfer Information) command without issuing one of the select commands first. Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index bbcbfa4a91..ae362c9dfb 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -286,6 +286,9 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) trace_esp_do_busid_cmd(busid); lun = busid & 7; cmdlen = fifo8_num_used(&s->cmdfifo); + if (!cmdlen || !s->current_dev) { + return; + } buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); -- 2.20.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL 2021-03-16 23:30 ` [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland @ 2021-03-17 0:18 ` Philippe Mathieu-Daudé 2021-03-17 15:47 ` Alexander Bulekov 1 sibling, 0 replies; 14+ messages in thread From: Philippe Mathieu-Daudé @ 2021-03-17 0:18 UTC (permalink / raw) To: Mark Cave-Ayland, qemu-devel, alxndr On 3/17/21 12:30 AM, Mark Cave-Ayland wrote: > When about to execute a SCSI command, ensure that cmdfifo is not empty and > current_dev is non-NULL. This can happen if the guest tries to execute a TI > (Transfer Information) command without issuing one of the select commands > first. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 > Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 3 +++ > 1 file changed, 3 insertions(+) Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL 2021-03-16 23:30 ` [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland 2021-03-17 0:18 ` Philippe Mathieu-Daudé @ 2021-03-17 15:47 ` Alexander Bulekov 1 sibling, 0 replies; 14+ messages in thread From: Alexander Bulekov @ 2021-03-17 15:47 UTC (permalink / raw) To: Mark Cave-Ayland; +Cc: qemu-devel Hi Mark, On 210316 2330, Mark Cave-Ayland wrote: > When about to execute a SCSI command, ensure that cmdfifo is not empty and > current_dev is non-NULL. This can happen if the guest tries to execute a TI > (Transfer Information) command without issuing one of the select commands > first. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 ^ Can't reproduce this one anymore > Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 However, this still seems to cause a UAF: https://bugs.launchpad.net/qemu/+bug/1909247/comments/6 -Alex > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 3 +++ > 1 file changed, 3 insertions(+) ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 4/4] esp: always check current_req is not NULL before use in DMA callbacks 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland ` (2 preceding siblings ...) 2021-03-16 23:30 ` [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland @ 2021-03-16 23:30 ` Mark Cave-Ayland 2021-03-17 0:20 ` [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Philippe Mathieu-Daudé 2021-03-17 7:59 ` Paolo Bonzini 5 siblings, 0 replies; 14+ messages in thread From: Mark Cave-Ayland @ 2021-03-16 23:30 UTC (permalink / raw) To: qemu-devel, alxndr After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel callback which resets both current_req and current_dev to NULL. If any data is left in the transfer buffer (async_len != 0) then the next TI (Transfer Information) command will attempt to reference the NULL pointer causing a segfault. Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index ae362c9dfb..7216903ce0 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -524,7 +524,9 @@ static void do_dma_pdma_cb(ESPState *s) } if (s->async_len == 0) { - scsi_req_continue(s->current_req); + if (s->current_req) { + scsi_req_continue(s->current_req); + } return; } @@ -674,14 +676,16 @@ static void esp_do_dma(ESPState *s) s->ti_size -= len; } if (s->async_len == 0) { - scsi_req_continue(s->current_req); - /* - * If there is still data to be read from the device then - * complete the DMA operation immediately. Otherwise defer - * until the scsi layer has completed. - */ - if (to_device || esp_get_tc(s) != 0 || s->ti_size == 0) { - return; + if (s->current_req) { + scsi_req_continue(s->current_req); + /* + * If there is still data to be read from the device then + * complete the DMA operation immediately. Otherwise defer + * until the scsi layer has completed. + */ + if (to_device || esp_get_tc(s) != 0 || s->ti_size == 0) { + return; + } } } @@ -744,10 +748,12 @@ static void esp_do_nodma(ESPState *s) } if (s->async_len == 0) { - scsi_req_continue(s->current_req); + if (s->current_req) { + scsi_req_continue(s->current_req); - if (to_device || s->ti_size == 0) { - return; + if (to_device || s->ti_size == 0) { + return; + } } } -- 2.20.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland ` (3 preceding siblings ...) 2021-03-16 23:30 ` [PATCH 4/4] esp: always check current_req is not NULL before use in DMA callbacks Mark Cave-Ayland @ 2021-03-17 0:20 ` Philippe Mathieu-Daudé 2021-03-17 7:59 ` Paolo Bonzini 5 siblings, 0 replies; 14+ messages in thread From: Philippe Mathieu-Daudé @ 2021-03-17 0:20 UTC (permalink / raw) To: Mark Cave-Ayland, qemu-devel, alxndr; +Cc: Laurent Vivier +Laurent for 1 & 4. On 3/17/21 12:30 AM, Mark Cave-Ayland wrote: > Recently there have been a number of issues raised on Launchpad as a result of > fuzzing the am53c974 (ESP) device. I spent some time over the past couple of > days checking to see if anything had improved since my last patchset: from > what I can tell the issues are still present, but the cmdfifo related failures > now assert rather than corrupting memory. > > This patchset applied to master passes my local tests using the qtest fuzz test > cases added by Alexander for the following Launchpad bugs: > > https://bugs.launchpad.net/qemu/+bug/1919035 > https://bugs.launchpad.net/qemu/+bug/1919036 > https://bugs.launchpad.net/qemu/+bug/1910723 > https://bugs.launchpad.net/qemu/+bug/1909247 > > I'm posting this now just before soft freeze since I see that some of the issues > have recently been allocated CVEs and so it could be argued that even though > they have existed for some time, it is worth fixing them for 6.0. > > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > > > Mark Cave-Ayland (4): > esp: don't underflow cmdfifo if no message out/command data is present > esp: don't overflow cmdfifo if TC is larger than the cmdfifo size > esp: ensure cmdfifo is not empty and current_dev is non-NULL > esp: always check current_req is not NULL before use in DMA callbacks > > hw/scsi/esp.c | 56 +++++++++++++++++++++++++++++++++------------------ > 1 file changed, 36 insertions(+), 20 deletions(-) > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland ` (4 preceding siblings ...) 2021-03-17 0:20 ` [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Philippe Mathieu-Daudé @ 2021-03-17 7:59 ` Paolo Bonzini 5 siblings, 0 replies; 14+ messages in thread From: Paolo Bonzini @ 2021-03-17 7:59 UTC (permalink / raw) To: Mark Cave-Ayland, qemu-devel, alxndr On 17/03/21 00:30, Mark Cave-Ayland wrote: > Recently there have been a number of issues raised on Launchpad as a result of > fuzzing the am53c974 (ESP) device. I spent some time over the past couple of > days checking to see if anything had improved since my last patchset: from > what I can tell the issues are still present, but the cmdfifo related failures > now assert rather than corrupting memory. > > This patchset applied to master passes my local tests using the qtest fuzz test > cases added by Alexander for the following Launchpad bugs: > > https://bugs.launchpad.net/qemu/+bug/1919035 > https://bugs.launchpad.net/qemu/+bug/1919036 > https://bugs.launchpad.net/qemu/+bug/1910723 > https://bugs.launchpad.net/qemu/+bug/1909247 > > I'm posting this now just before soft freeze since I see that some of the issues > have recently been allocated CVEs and so it could be argued that even though > they have existed for some time, it is worth fixing them for 6.0. > > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> They are certainly something that we can fix for 6.0. However, please include the testcases even if they are ugly, they can be cleaned up later or (if never cleaned up) they still count as regression tests. Paolo ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2021-03-17 16:44 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-03-16 23:30 [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Mark Cave-Ayland 2021-03-16 23:30 ` [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present Mark Cave-Ayland 2021-03-17 15:14 ` Alexander Bulekov 2021-03-17 16:07 ` Alexander Bulekov 2021-03-17 15:37 ` Alexander Bulekov 2021-03-16 23:30 ` [PATCH 2/4] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size Mark Cave-Ayland 2021-03-17 0:19 ` Philippe Mathieu-Daudé 2021-03-17 16:07 ` Alexander Bulekov 2021-03-16 23:30 ` [PATCH 3/4] esp: ensure cmdfifo is not empty and current_dev is non-NULL Mark Cave-Ayland 2021-03-17 0:18 ` Philippe Mathieu-Daudé 2021-03-17 15:47 ` Alexander Bulekov 2021-03-16 23:30 ` [PATCH 4/4] esp: always check current_req is not NULL before use in DMA callbacks Mark Cave-Ayland 2021-03-17 0:20 ` [PATCH 0/4] esp: fix asserts/segfaults discovered by fuzzer Philippe Mathieu-Daudé 2021-03-17 7:59 ` Paolo Bonzini
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).