[Bug 1882065] [NEW] Could this cause OOB bug ?
From: r1ng0hacking
Subject: [Bug 1882065] [NEW] Could this cause OOB bug ?
Date: Thu, 04 Jun 2020 10:22:46 -0000
Public bug reported:
In function megasas_handle_scsi(hw/scsi/megasas.c):
```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
                               int frame_cmd)
{
    /* ... */
    cdb = cmd->frame->pass.cdb;
    target_id = cmd->frame->header.target_id;
    lun_id = cmd->frame->header.lun_id;
    cdb_len = cmd->frame->header.cdb_len;
    /* ... */
    if (cdb_len > 16) {
        trace_megasas_scsi_invalid_cdb_len(
            mfi_frame_desc[frame_cmd], is_logical,
            target_id, lun_id, cdb_len);
        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
        cmd->frame->header.scsi_status = CHECK_CONDITION;
        s->event_count++;
        return MFI_STAT_SCSI_DONE_WITH_ERROR;
    }
}
```
Two variables, frame_cmd and cdb_len, can be controlled by the guest OS. So
can mfi_frame_desc[frame_cmd] cause an OOB bug?
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1882065
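As an added illustration (not code from the bug report or from QEMU), the defensive shape of the descriptor lookup the report questions: the index is checked against the table size before use, with a fixed fallback string otherwise. The descriptor table contents and the frame layout (command number assumed to be the first header byte) are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the descriptor table in hw/scsi/megasas.c:
 * the real contents differ, only the shape matters (a small fixed-size
 * array of C strings indexed by the guest-written frame command byte). */
static const char *const frame_descs[] = {
    "INIT", "LD_READ", "LD_WRITE", "LD_SCSI", "PD_SCSI",
    "DCMD", "ABORT", "SMP", "STP",
};

/* Constructed header: the command number is assumed to be the first
 * byte of the frame. 8 bits give 256 values, the table has 9 entries, so
 * an unchecked frame_descs[frame_cmd] reads past the end for most. */
struct frame_header {
    uint8_t frame_cmd;
    uint8_t pad[63];
};

/* Hardened lookup: bounds-check before indexing, fixed fallback otherwise. */
const char *frame_desc_safe(unsigned int frame_cmd)
{
    if (frame_cmd < ARRAY_SIZE(frame_descs)) {
        return frame_descs[frame_cmd];
    }
    return "Unknown";
}

/* Nonzero when this header's command byte would index past the table if
 * used directly, i.e. the case the bug report asks about. */
int frame_cmd_out_of_range(const struct frame_header *hdr)
{
    return (size_t)hdr->frame_cmd >= ARRAY_SIZE(frame_descs);
}

/* How many of the 256 possible command-byte values the unchecked lookup
 * would mishandle: the share of guest-controllable input that is unsafe. */
unsigned int count_out_of_range_values(void)
{
    unsigned int n = 0;
    for (unsigned int v = 0; v < 256; v++) {
        struct frame_header hdr = { .frame_cmd = (uint8_t)v };
        n += frame_cmd_out_of_range(&hdr);
    }
    return n;
}
```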