[Bug 1882065] Re: Could this cause OOB bug ?
From: Thomas Huth
Subject: [Bug 1882065] Re: Could this cause OOB bug ?
Date: Sat, 13 Jun 2020 09:36:58 -0000
I think we should fix this anyway, even if it can only be triggered when
trace functions are enabled.
** Description changed:
- close!!!!!
+
+ In function megasas_handle_scsi(hw/scsi/megasas.c):
+
+ ```c
+ static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+ int frame_cmd)
+ {
+
............................................................................
+ cdb = cmd->frame->pass.cdb;
+ target_id = cmd->frame->header.target_id;
+ lun_id = cmd->frame->header.lun_id;
+ cdb_len = cmd->frame->header.cdb_len;
+
............................................................................
+ if (cdb_len > 16) {
+ trace_megasas_scsi_invalid_cdb_len(
+ mfi_frame_desc[frame_cmd], is_logical,
+ target_id, lun_id, cdb_len);
+ megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+ cmd->frame->header.scsi_status = CHECK_CONDITION;
+ s->event_count++;
+ return MFI_STAT_SCSI_DONE_WITH_ERROR;
+ }
+ }
+ ```
+
+ Two variables, frame_cmd and cdb_len, can be controlled by guest os. So
+ can mfi_frame_desc[frame_cmd] cause OOB bug ?
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1882065
Title:
Could this cause OOB bug ?
Status in QEMU:
New
Bug description:
In function megasas_handle_scsi (hw/scsi/megasas.c):
```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
                               int frame_cmd)
{
    /* ... */
    cdb = cmd->frame->pass.cdb;
    target_id = cmd->frame->header.target_id;
    lun_id = cmd->frame->header.lun_id;
    cdb_len = cmd->frame->header.cdb_len;
    /* ... */
    if (cdb_len > 16) {
        trace_megasas_scsi_invalid_cdb_len(
            mfi_frame_desc[frame_cmd], is_logical,
            target_id, lun_id, cdb_len);
        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
        cmd->frame->header.scsi_status = CHECK_CONDITION;
        s->event_count++;
        return MFI_STAT_SCSI_DONE_WITH_ERROR;
    }
}
```
Two variables, frame_cmd and cdb_len, can be controlled by the guest OS.
So can mfi_frame_desc[frame_cmd] cause an OOB bug?
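The hardening pattern for the lookup discussed above, as an added example that is not QEMU's own code: the guest-supplied frame command byte is never used as a raw index into the name table; a bounds-checked accessor returns a fixed "Unknown" string for any value outside the table. The `mfi_frame_desc` contents, `MFI_FRAME_DESC_COUNT`, `mfi_frame_desc_str()` and `check_cdb_len()` are constructed for this example and do not reproduce the real table in hw/scsi/megasas.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the mfi_frame_desc[] name table (not QEMU's real
 * table). An MFI frame command is a byte, so a guest can supply 0..255, far
 * more than the table holds; indexing it directly is the OOB read. */
static const char *const mfi_frame_desc[] = {
    "MFI_CMD_INIT", "MFI_CMD_LD_READ", "MFI_CMD_LD_WRITE",
    "MFI_CMD_LD_SCSI", "MFI_CMD_PD_SCSI", "MFI_CMD_DCMD",
    "MFI_CMD_ABORT", "MFI_CMD_SMP", "MFI_CMD_STP",
};
#define MFI_FRAME_DESC_COUNT \
    (sizeof(mfi_frame_desc) / sizeof(mfi_frame_desc[0]))

/* Bounds-checked replacement for `mfi_frame_desc[frame_cmd]`: any value
 * outside the table, including negative ones, maps to a fixed string, so a
 * tracepoint can name the command without reading past the array. */
static const char *mfi_frame_desc_str(int cmd)
{
    if (cmd < 0 || (size_t)cmd >= MFI_FRAME_DESC_COUNT) {
        return "Unknown";
    }
    return mfi_frame_desc[cmd];
}

/* Simplified stand-in for the cdb_len check in megasas_handle_scsi(): on an
 * over-long CDB it builds the trace message through the checked accessor and
 * returns 1; otherwise it clears msg and returns 0. Constructed for this
 * example; the real function writes sense data and a SCSI status instead. */
static int check_cdb_len(int frame_cmd, int cdb_len, char *msg, size_t msg_len)
{
    if (cdb_len > 16) {
        snprintf(msg, msg_len, "invalid cdb len %d for %s",
                 cdb_len, mfi_frame_desc_str(frame_cmd));
        return 1;
    }
    msg[0] = '\0';
    return 0;
}

int main(void)
{
    char msg[64];
    /* 0xff is a frame command value no table entry exists for. */
    check_cdb_len(0xff, 32, msg, sizeof msg);
    printf("%s\n", msg); /* invalid cdb len 32 for Unknown */
    return 0;
}
```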
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1882065/+subscriptions