
hw/scsi/megasas: Out-of-bounds access while processing scsi cmd


From: Philippe Mathieu-Daudé
Subject: hw/scsi/megasas: Out-of-bounds access while processing scsi cmd
Date: Tue, 24 Nov 2020 17:51:48 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0

As of QEMU v5.2-rc3, using:

-- >8 --
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 1a5fc5857db..793bce0b669 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1675,6 +1675,7 @@ static int megasas_handle_scsi(MegasasState *s,
MegasasCmd *cmd,
     target_id = cmd->frame->header.target_id;
     lun_id = cmd->frame->header.lun_id;
     cdb_len = cmd->frame->header.cdb_len;
+    assert(cdb_len > 0);

     if (is_logical) {
         if (target_id >= MFI_MAX_LD || lun_id != 0) {
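Review bot: The added `assert(cdb_len > 0);` asserts on a value copied straight from the guest-supplied frame header (`cmd->frame->header.cdb_len` two lines above), and the backtrace further down (megasas_port_write → megasas_mmio_write → megasas_handle_frame) shows this path is reachable from a plain MMIO/port write, so the assertion turns a guest-triggerable out-of-bounds access into a guest-triggerable abort of the whole VM. That is fine as the diagnostic probe this mail uses it for, but it should not land as the fix: untrusted header fields belong in the same validate-and-fail-the-command pattern the function already uses for `target_id`/`lun_id` on the following lines, returning an error status to the guest instead of aborting the process, e.g. `if (cdb_len == 0) { /* reject, set error status */ return <error status per existing cdb_len handling>; }`. If the function already bounds `cdb_len` from above later on (it appears to reject oversized CDBs), the zero case should be folded into that check rather than added as a second one. megasas_handle_scsi begins before and continues past this hunk.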
---

$ cat > qtest_reproducer << 'EOF'
outl 0xcf8 0x80001011
outb 0xcfc 0xbb
outl 0xcf8 0x80001002
outl 0xcfc 0xf3ff2966
write 0x4608 0x8 0x033e00ff00000060
write 0x4600 0x8 0x033e00ff00000060
write 0x4610 0x7f0
0x033e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff2e3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff593e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff843e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffaf3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffda3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff053e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff303e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff5b3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff863e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffb13e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffdc3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff073e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff323e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff5d3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff883e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffb33e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffde3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff093e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff343e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff5f3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff8a3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffb53e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffe03e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff0b3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff363e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff613e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff8c3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffb73e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffe23e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff0d3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff383e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff633e00ff000000
60fffeff3e001751000dea46155a5affaa140200eb00ffff8e3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffb93e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffe43e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff0f3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff3a3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff653e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff903e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffbb3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffe63e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff113e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff3c3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff673e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff923e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffbd3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffe83e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff133e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff3e3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff693e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff943e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffbf3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffea3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff153e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff403e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff6b3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff963e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffc13e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffec3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff173e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff423e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff6d3e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffff983e00ff00000060fffeff3e001751000dea46155a5affaa140200eb00ffffc33e00ff00000060fffeff3e001751
000dea46155a5affaa140200eb00ffffee3e00ff00000060fffeff3e001751000d
outw 0xbb40 0x460b
EOF

$ qemu-system-x86_64 -M pc -device megasas-gen2 \
  -device scsi-cd,drive=null0 \
  -blockdev driver=null-co,read-zeroes=on,node-name=null0 \
  -nodefaults -machine accel=qtest -trace \*mega\* \
  -qtest stdio < qtest_reproducer
485026:megasas_init Using 80 sges, 1008 cmds, raid mode
568849:scsi_device_set_ua target 0 lun 0 key 0x06 asc 0x29 ascq 0x00
568864:megasas_reset firmware state 0xb0000000
602850:megasas_mmio_writel reg MFI_IQP: 0x460b
602882:megasas_qf_new frame 0x0 addr 0x4600
602904:megasas_qf_enqueue frame 0x0 count 5 context 0xff003e03 head 0x0
tail 0x0 busy 1
qemu-system-x86_64: hw/scsi/megasas.c:1678: megasas_handle_scsi:
Assertion `cdb_len > 0' failed.
Aborted (core dumped)

(gdb) bt
#0  0x00007fcf6310f9e5 in raise () at /lib64/libc.so.6
#1  0x00007fcf630f8895 in abort () at /lib64/libc.so.6
#2  0x00007fcf630f8769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3  0x00007fcf63107e76 in annobin_assert.c_end () at /lib64/libc.so.6
#4  0x0000558676517001 in megasas_handle_scsi (s=0x5586788d7c50,
cmd=0x5586788d88a0, frame_cmd=3) at hw/scsi/megasas.c:1678
#5  0x0000558676517cd5 in megasas_handle_frame (s=0x5586788d7c50,
frame_addr=17920, frame_count=5) at hw/scsi/megasas.c:1975
#6  0x0000558676518362 in megasas_mmio_write (opaque=0x5586788d7c50,
addr=64, val=17931, size=4) at hw/scsi/megasas.c:2132
#7  0x00005586765184f6 in megasas_port_write (opaque=0x5586788d7c50,
addr=64, val=17931, size=4) at hw/scsi/megasas.c:2183

Regards,

Phil.
