[PATCH-for-6.2 0/2] hw/scsi/megasas: Avoid overflowing the SGL buffer

[PATCH-for-6.2 0/2] hw/scsi/megasas: Avoid overflowing the SGL buffer

[Philippe Mathieu-Daudé]

Fix issue #521 reported by Alex some months ago:
https://gitlab.com/qemu-project/qemu/-/issues/521

Philippe Mathieu-Daudé (2):
  hw/scsi/megasas: Fails command if SGL buffer overflows
  tests/qtest/fuzz-megasas-test: Add test for GitLab issue #521

 hw/scsi/megasas.c               |  1 +
 tests/qtest/fuzz-megasas-test.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

-- 
2.31.1

[PATCH-for-6.2 1/2] hw/scsi/megasas: Fails command if SGL buffer overflows

[Philippe Mathieu-Daudé]

If we detect an overflow on the SGL buffer, do not
keep processing the command: discard it. TARGET_FAILURE
sense code will be returned (MFI_STAT_SCSI_DONE_WITH_ERROR).

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/521
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
No, I haven't looked at the datasheet.
---
 hw/scsi/megasas.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 4ff51221d4c..8f357841004 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -303,6 +303,7 @@ static int megasas_map_sgl(MegasasState *s, MegasasCmd *cmd, union mfi_sgl *sgl)
     }
     if (cmd->iov_size > iov_size) {
         trace_megasas_iovec_overflow(cmd->index, iov_size, cmd->iov_size);
+        goto unmap;
     } else if (cmd->iov_size < iov_size) {
         trace_megasas_iovec_underflow(cmd->index, iov_size, cmd->iov_size);
     }
-- 
2.31.1

[PATCH-for-6.2 2/2] tests/qtest/fuzz-megasas-test: Add test for GitLab issue #521

[Philippe Mathieu-Daudé]

Without the previous commit, this test triggers:

  $ make check-qtest-x86_64
  [...]
  Running test qtest-x86_64/fuzz-megasas-test
  qemu-system-x86_64: softmmu/physmem.c:3229: address_space_unmap: Assertion `mr != NULL' failed.
  Broken pipe
  ERROR qtest-x86_64/fuzz-megasas-test - too few tests run (expected 2, got 1)

Suggested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 tests/qtest/fuzz-megasas-test.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/qtest/fuzz-megasas-test.c b/tests/qtest/fuzz-megasas-test.c
index 940a76bf25a..e1141c58a4e 100644
--- a/tests/qtest/fuzz-megasas-test.c
+++ b/tests/qtest/fuzz-megasas-test.c
@@ -34,6 +34,34 @@ static void test_lp1878263_megasas_zero_iov_cnt(void)
     qtest_quit(s);
 }
 
+/*
+ * Overflow SGL buffer.
+ * https://gitlab.com/qemu-project/qemu/-/issues/521
+ */
+static void test_gitlab_issue521_megasas_sgl_ovf(void)
+{
+    QTestState *s = qtest_init("-display none -m 32M -machine q35 "
+                               "-nodefaults -device megasas "
+                               "-device scsi-cd,drive=null0 "
+                               "-blockdev "
+                               "driver=null-co,read-zeroes=on,node-name=null0");
+    qtest_outl(s, 0xcf8, 0x80000818);
+    qtest_outl(s, 0xcfc, 0xc000);
+    qtest_outl(s, 0xcf8, 0x80000804);
+    qtest_outw(s, 0xcfc, 0x05);
+    qtest_bufwrite(s, 0x0, "\x01", 0x1);
+    qtest_bufwrite(s, 0x7, "\x01", 0x1);
+    qtest_bufwrite(s, 0x10, "\x02", 0x1);
+    qtest_bufwrite(s, 0x16, "\x01", 0x1);
+    qtest_bufwrite(s, 0x28, "\x01", 0x1);
+    qtest_bufwrite(s, 0x33, "\x01", 0x1);
+    qtest_outb(s, 0xc040, 0x0);
+    qtest_outb(s, 0xc040, 0x20);
+    qtest_outl(s, 0xc040, 0x20000000);
+    qtest_outb(s, 0xc040, 0x20);
+    qtest_quit(s);
+}
+
 int main(int argc, char **argv)
 {
     const char *arch = qtest_get_arch();
@@ -43,6 +71,8 @@ int main(int argc, char **argv)
     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
         qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt",
                        test_lp1878263_megasas_zero_iov_cnt);
+        qtest_add_func("fuzz/gitlab_issue521_megasas_sgl_ovf",
+                       test_gitlab_issue521_megasas_sgl_ovf);
     }
 
     return g_test_run();
-- 
2.31.1

Re: [PATCH-for-6.2 0/2] hw/scsi/megasas: Avoid overflowing the SGL buffer

[Darren Kenny]

For the series:

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

Thanks,

Darren.

On Friday, 2021-11-19 at 21:11:39 +01, Philippe Mathieu-Daudé wrote:
> Fix issue #521 reported by Alex some months ago:
> https://gitlab.com/qemu-project/qemu/-/issues/521
>
> Philippe Mathieu-Daudé (2):
>   hw/scsi/megasas: Fails command if SGL buffer overflows
>   tests/qtest/fuzz-megasas-test: Add test for GitLab issue #521
>
>  hw/scsi/megasas.c               |  1 +
>  tests/qtest/fuzz-megasas-test.c | 30 ++++++++++++++++++++++++++++++
>  2 files changed, 31 insertions(+)
>
> -- 
> 2.31.1

Re: [PATCH-for-6.2 0/2] hw/scsi/megasas: Avoid overflowing the SGL buffer

[Philippe Mathieu-Daudé]

Too late for 6.2 now, so Cc'ing qemu-trivial (series reviewed).

On 11/19/21 21:11, Philippe Mathieu-Daudé wrote:
> Fix issue #521 reported by Alex some months ago:
> https://gitlab.com/qemu-project/qemu/-/issues/521
> 
> Philippe Mathieu-Daudé (2):
>   hw/scsi/megasas: Fails command if SGL buffer overflows
>   tests/qtest/fuzz-megasas-test: Add test for GitLab issue #521

Re: [PATCH-for-6.2 0/2] hw/scsi/megasas: Avoid overflowing the SGL buffer

[Philippe Mathieu-Daudé]

ping?

On 12/13/21 13:32, Philippe Mathieu-Daudé wrote:
> Too late for 6.2 now, so Cc'ing qemu-trivial (series reviewed).
> 
> On 11/19/21 21:11, Philippe Mathieu-Daudé wrote:
>> Fix issue #521 reported by Alex some months ago:
>> https://gitlab.com/qemu-project/qemu/-/issues/521
>>
>> Philippe Mathieu-Daudé (2):
>>   hw/scsi/megasas: Fails command if SGL buffer overflows
>>   tests/qtest/fuzz-megasas-test: Add test for GitLab issue #521

Re: [PATCH-for-6.2 0/2] hw/scsi/megasas: Avoid overflowing the SGL buffer

[Paolo Bonzini]

On 11/19/21 21:11, Philippe Mathieu-Daudé wrote:
> Fix issue #521 reported by Alex some months ago:
> https://gitlab.com/qemu-project/qemu/-/issues/521
> 
> Philippe Mathieu-Daudé (2):
>    hw/scsi/megasas: Fails command if SGL buffer overflows
>    tests/qtest/fuzz-megasas-test: Add test for GitLab issue #521
> 
>   hw/scsi/megasas.c               |  1 +
>   tests/qtest/fuzz-megasas-test.c | 30 ++++++++++++++++++++++++++++++
>   2 files changed, 31 insertions(+)
> 

Queued, thanks.

Paolo