From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready()
Date: Thu,  4 Apr 2024 15:25:34 +0100	[thread overview]
Message-ID: <20240404142539.711134-13-mark.cave-ayland@ilande.co.uk> (raw)
In-Reply-To: <20240404142539.711134-1-mark.cave-ayland@ilande.co.uk>

During normal use the cmdfifo will never wrap internally and cmdfifo_cdb_offset
will always indicate the start of the SCSI CDB. However it is possible that a
malicious guest could issue an invalid ESP command sequence such that cmdfifo
wraps internally and cmdfifo_cdb_offset could point beyond the end of the FIFO
data buffer.

Add an extra check to fifo8_peek_buf() to ensure that if the cmdfifo has wrapped
internally then esp_cdb_ready() will exit rather than allow scsi_cdb_length() to
access data outside the cmdfifo data buffer.

Reported-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20240324191707.623175-13-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index f47abc36d6..d8db33b921 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -429,13 +429,23 @@ static bool esp_cdb_ready(ESPState *s)
 {
     int len = fifo8_num_used(&s->cmdfifo) - s->cmdfifo_cdb_offset;
     const uint8_t *pbuf;
+    uint32_t n;
     int cdblen;
 
     if (len <= 0) {
         return false;
     }
 
-    pbuf = fifo8_peek_buf(&s->cmdfifo, len, NULL);
+    pbuf = fifo8_peek_buf(&s->cmdfifo, len, &n);
+    if (n < len) {
+        /*
+         * In normal use the cmdfifo should never wrap, but include this check
+         * to prevent a malicious guest from reading past the end of the
+         * cmdfifo data buffer below
+         */
+        return false;
+    }
+
     cdblen = scsi_cdb_length((uint8_t *)&pbuf[s->cmdfifo_cdb_offset]);
 
     return cdblen < 0 ? false : (len >= cdblen);
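Review bot: the new guard proves contiguity for the wrong span. fifo8_peek_buf() is asked for `len` bytes starting at the FIFO head, and `n < len` only confirms that those `len` head bytes do not wrap; the read that follows is `&pbuf[s->cmdfifo_cdb_offset]`, which starts `cmdfifo_cdb_offset` bytes past the head, so whenever the offset is non-zero the bytes scsi_cdb_length() actually inspects (the CDB region, which ends at `cmdfifo_cdb_offset + len` from the head) lie partly or wholly outside the span the check covered. Peeking the whole used region closes that gap: `pbuf = fifo8_peek_buf(&s->cmdfifo, fifo8_num_used(&s->cmdfifo), &n);` and then `if (n < fifo8_num_used(&s->cmdfifo)) return false;`, after which every index up to `cmdfifo_cdb_offset + len - 1` is known to be inside the data buffer. A minor note on the same lines: `n` is `uint32_t` and `len` is `int`, so `n < len` is a signed/unsigned comparison; it is safe here only because of the `len <= 0` early return above, which is worth stating in the comment.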
-- 
2.39.2



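The internal-wrap condition the commit message describes, shown as an added example that is not QEMU's code: a constructed ring-buffer model whose type and function names mirror Fifo8 / fifo8_peek_buf() / esp_cdb_ready() / scsi_cdb_length() from the patch, but whose bodies, 16-byte capacity, message and CDB bytes are all assumptions made for the demonstration. It runs the check in three modes (no guard, the `len`-sized peek from the patch, and a peek of every queued byte) over three constructed FIFO states, and reports CDB_OOB_READ instead of dereferencing past the buffer. The third scenario goes beyond the text: it exercises the case where the skip of cmdfifo_cdb_offset bytes, not the CDB itself, crosses the wrap, and shows that peeking the whole used region covers it while the `len`-sized peek does not. Whether that state is reachable through the real ESP command sequence is not something this model establishes.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of QEMU's Fifo8 ring buffer (same field and function
 * names as util/fifo8.c, but not the project's code). */
#define FIFO_CAP 16
typedef struct { uint8_t data[FIFO_CAP]; uint32_t head, num; } Fifo8;

static uint32_t fifo8_num_used(const Fifo8 *f) { return f->num; }
static void fifo8_push(Fifo8 *f, uint8_t b)
{
    assert(f->num < FIFO_CAP);
    f->data[(f->head + f->num++) % FIFO_CAP] = b;
}
static void fifo8_pop_n(Fifo8 *f, uint32_t n)
{
    assert(n <= f->num);
    f->head = (f->head + n) % FIFO_CAP;
    f->num -= n;
}
/* Pointer to the oldest byte; *numptr receives how many of the requested
 * bytes sit contiguously before data[] wraps (the semantics this model
 * assumes for fifo8_peek_buf()'s numptr argument). */
static const uint8_t *fifo8_peek_buf(Fifo8 *f, uint32_t max, uint32_t *numptr)
{
    uint32_t n = max < f->num ? max : f->num;
    if (f->head + n > FIFO_CAP) n = FIFO_CAP - f->head;
    *numptr = n;
    return &f->data[f->head];
}

typedef struct { Fifo8 cmdfifo; uint32_t cmdfifo_cdb_offset; } ESPModel;

/* Simplified stand-in for scsi_cdb_length(): CDB size from the opcode's
 * group code (assumption; QEMU's helper handles more cases). */
static int scsi_cdb_length(const uint8_t *cdb)
{
    switch (cdb[0] >> 5) {
    case 0: return 6;  case 1: case 2: return 10;
    case 4: return 16; case 5: return 12;
    default: return -1;
    }
}

typedef enum { GUARD_NONE, GUARD_LEN, GUARD_USED } GuardMode;
typedef enum { CDB_NOT_READY, CDB_READY, CDB_OOB_READ } CdbResult;

/* esp_cdb_ready() with a selectable guard: GUARD_NONE is the pre-patch
 * logic, GUARD_LEN peeks `len` bytes as the patch does, GUARD_USED peeks
 * every queued byte so the guard also covers the cmdfifo_cdb_offset skip.
 * The model returns CDB_OOB_READ where real code would read past data[]. */
static CdbResult esp_cdb_ready(ESPModel *s, GuardMode g)
{
    uint32_t used = fifo8_num_used(&s->cmdfifo), n, want;
    int len = (int)used - (int)s->cmdfifo_cdb_offset, cdblen;
    const uint8_t *pbuf;

    if (len <= 0) return CDB_NOT_READY;
    want = g == GUARD_USED ? used : (uint32_t)len;
    pbuf = fifo8_peek_buf(&s->cmdfifo, want, &n);
    if (g != GUARD_NONE && n < want) return CDB_NOT_READY; /* FIFO wrapped */
    if (s->cmdfifo.head + s->cmdfifo_cdb_offset >= FIFO_CAP) return CDB_OOB_READ;
    cdblen = scsi_cdb_length(&pbuf[s->cmdfifo_cdb_offset]);
    return (cdblen >= 0 && len >= cdblen) ? CDB_READY : CDB_NOT_READY;
}

/* Queue msglen message bytes (IDENTIFY) then cdblen CDB bytes (TEST UNIT
 * READY) with the ring head already advanced to `head`; all constructed. */
static void load(ESPModel *s, uint32_t head, uint32_t msglen, uint32_t cdblen)
{
    memset(s, 0, sizeof(*s));
    for (uint32_t i = 0; i < head; i++) fifo8_push(&s->cmdfifo, 0xff);
    fifo8_pop_n(&s->cmdfifo, head);
    for (uint32_t i = 0; i < msglen; i++) fifo8_push(&s->cmdfifo, 0x80);
    for (uint32_t i = 0; i < cdblen; i++) fifo8_push(&s->cmdfifo, 0x00);
    s->cmdfifo_cdb_offset = msglen;
}

/* 0: no wrap; 1: the CDB straddles the wrap; 2: the offset skip crosses it. */
static CdbResult scenario(int which, GuardMode g)
{
    ESPModel s;
    if (which == 0)      load(&s, 0, 1, 6);
    else if (which == 1) load(&s, 12, 5, 6);
    else                 load(&s, 14, 6, 2);
    return esp_cdb_ready(&s, g);
}

int main(void)
{
    static const char *name[] = { "not-ready", "ready", "OOB-READ" };
    for (int w = 0; w < 3; w++)
        printf("scenario %d: none=%s len=%s used=%s\n", w,
               name[scenario(w, GUARD_NONE)], name[scenario(w, GUARD_LEN)],
               name[scenario(w, GUARD_USED)]);
    return 0;
}
```

Scenario 1 is the case the patch targets: the unguarded path would index past the buffer, and the `len`-sized peek reports only 4 contiguous bytes, so the guarded function returns not-ready. Scenario 2 keeps the first `len` bytes at the head contiguous, so the `len`-sized peek passes while the CDB start itself already sits past the wrap; only the whole-FIFO peek refuses it.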
Thread overview: 19+ messages
2024-04-04 14:25 [PULL 00/17] qemu-sparc queue 20240404 Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 01/17] esp.c: move esp_fifo_pop_buf() internals to new esp_fifo8_pop_buf() function Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 02/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_command_phase() Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 03/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase() Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 04/17] esp.c: replace cmdfifo use of esp_fifo_pop() " Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 05/17] esp.c: change esp_fifo_push() to take ESPState Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 06/17] esp.c: change esp_fifo_pop() " Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 07/17] esp.c: use esp_fifo_push() instead of fifo8_push() Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 08/17] esp.c: change esp_fifo_pop_buf() to take ESPState Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 09/17] esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 11/17] esp.c: rework esp_cdb_length() into esp_cdb_ready() Mark Cave-Ayland
2024-04-04 14:25 ` Mark Cave-Ayland [this message]
2024-04-04 14:25 ` [PULL 13/17] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 14/17] esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 15/17] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq() Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 16/17] esp.c: ensure esp_pdma_write() always calls esp_fifo_push() Mark Cave-Ayland
2024-04-04 14:25 ` [PULL 17/17] esp.c: remove explicit setting of DRQ within ESP state machine Mark Cave-Ayland
2024-04-04 17:26 ` [PULL 00/17] qemu-sparc queue 20240404 Peter Maydell
