qemu-devel

Re: [PATCH v2 0/6] esp: fix asserts/segfaults discovered by fuzzer


From: Mark Cave-Ayland
Subject: Re: [PATCH v2 0/6] esp: fix asserts/segfaults discovered by fuzzer
Date: Tue, 30 Mar 2021 08:34:51 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0

On 18/03/2021 18:13, Paolo Bonzini wrote:

> On 18/03/21 00:02, Mark Cave-Ayland wrote:
>> Recently there have been a number of issues raised on Launchpad as a result of
>> fuzzing the am53c974 (ESP) device. I spent some time over the past couple of
>> days checking to see if anything had improved since my last patchset: from
>> what I can tell the issues are still present, but the cmdfifo related failures
>> now assert rather than corrupting memory.
>>
>> This patchset applied to master passes my local tests using the qtest fuzz test
>> cases added by Alexander for the following Launchpad bugs:
>>
>>    https://bugs.launchpad.net/qemu/+bug/1919035
>>    https://bugs.launchpad.net/qemu/+bug/1919036
>>    https://bugs.launchpad.net/qemu/+bug/1910723
>>    https://bugs.launchpad.net/qemu/+bug/1909247
>>
>> I'm posting this now just before soft freeze since I see that some of the issues
>> have recently been allocated CVEs and so it could be argued that even though
>> they have existed for some time, it is worth fixing them for 6.0.
>>
>> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
>>
>> v2:
>> - Add Alexander's R-B tag for patch 2 and Phil's R-B for patch 3
>> - Add patch 4 for additional testcase provided in Alexander's patch 1 comment
>> - Move current_req NULL checks forward in DMA functions (fixes ASAN bug reported
>>   at https://bugs.launchpad.net/qemu/+bug/1909247/comments/6) in patch 3
>> - Add qtest for am53c974 containing a basic set of regression tests using the
>>   automatic test cases generated by the fuzzer as requested by Paolo
>>
>>
>> Mark Cave-Ayland (6):
>>   esp: don't underflow cmdfifo if no message out/command data is present
>>   esp: don't overflow cmdfifo if TC is larger than the cmdfifo size
>>   esp: ensure cmdfifo is not empty and current_dev is non-NULL
>>   esp: don't underflow fifo when writing to the device
>>   esp: always check current_req is not NULL before use in DMA callbacks
>>   tests/qtest: add tests for am53c974 device
>>
>>  hw/scsi/esp.c               |  73 +++++++++++++--------
>>  tests/qtest/am53c974-test.c | 122 ++++++++++++++++++++++++++++++++++++
>>  tests/qtest/meson.build     |   1 +
>>  3 files changed, 171 insertions(+), 25 deletions(-)
>>  create mode 100644 tests/qtest/am53c974-test.c
>
>
> Queued, thanks.
>
> Paolo

Hi Paolo,

I had a quick look at Alex's updated test cases and most of them are based on an incorrect assumption I made around the behaviour of fifo8_pop_buf(). Can you drop these for now, and I will submit a v3 shortly once I've given it a full run through my test images?


ATB,

Mark.
