[PATCH v2 11/16] esp.c: don't overflow cmdfifo if cmdfifo_cdb

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 11/16] esp.c: don't overflow cmdfifo if cmdfifo_cdb_offset >=

From:	Mark Cave-Ayland
Subject:	[PATCH v2 11/16] esp.c: don't overflow cmdfifo if cmdfifo_cdb_offset >= ESP_CMDFIFO_SZ
Date:	Wed, 13 Mar 2024 08:58:05 +0000

If cmdfifo contains ESP_CMDFIFO_SZ bytes and cmdfifo_cdb_offset is also
ESP_CMDFIFO_SZ then if the guest issues an ESP command sequence that invokes
esp_cdb_length(), scsi_cdb_length() can read one byte beyond the end of the
FIFO buffer.

Add an extra length check to esp_cdb_length() to prevent reading past the
end of the cmdfifo data in this case.

Reported-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 0050493e18..05784b3f77 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -431,7 +431,8 @@ static int esp_cdb_length(ESPState *s)
     int cmdlen, len;
 
     cmdlen = fifo8_num_used(&s->cmdfifo);
-    if (cmdlen == 0 || cmdlen < s->cmdfifo_cdb_offset) {
+    if (cmdlen == 0 || cmdlen < s->cmdfifo_cdb_offset ||
+            cmdlen >= ESP_CMDFIFO_SZ) {
         return 0;
     }
 
-- 
2.39.2

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH v2 06/16] esp.c: use esp_fifo_push() instead of fifo8_push(), (continued)
- [PATCH v2 07/16] esp.c: change esp_fifo_pop_buf() to take ESPState, Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 07/16] esp.c: change esp_fifo_pop_buf() to take ESPState, Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 08/16] esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO, Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 08/16] esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO, Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 09/16] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS, Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 09/16] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS, Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 10/16] esp.c: don't assert() if FIFO empty when executing esp_cdb_length(), Mark Cave-Ayland, 2024/03/13
- [PATCH v2 12/16] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file, Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 12/16] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file, Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 11/16] esp.c: don't overflow cmdfifo if cmdfifo_cdb_offset >= ESP_CMDFIFO_SZ, Mark Cave-Ayland <=
- [PATCH v2 14/16] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq(), Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 14/16] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq(), Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 15/16] esp.c: ensure esp_pdma_write() always calls esp_fifo_push(), Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 15/16] esp.c: ensure esp_pdma_write() always calls esp_fifo_push(), Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 13/16] esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it, Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 13/16] esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it, Philippe Mathieu-Daudé, 2024/03/13
- [PATCH v2 16/16] esp.c: remove explicit setting of DRQ within ESP state machine, Mark Cave-Ayland, 2024/03/13
  - Re: [PATCH v2 16/16] esp.c: remove explicit setting of DRQ within ESP state machine, Philippe Mathieu-Daudé, 2024/03/13

Prev by Date: [PATCH v2 12/16] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file
Next by Date: [PATCH v2 14/16] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq()
Previous by thread: Re: [PATCH v2 12/16] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file
Next by thread: [PATCH v2 14/16] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq()
Index(es):
- Date
- Thread