[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1435973] [NEW] Qemu crash when a guest linux issues sp
|
From: |
hiroaki |
|
Subject: |
[Qemu-devel] [Bug 1435973] [NEW] Qemu crash when a guest linux issues specific scsi command via ioctl(SG_IO) with SCSI disk emulation. |
|
Date: |
Tue, 24 Mar 2015 16:59:21 -0000 |
Public bug reported:
As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest
linux issues specifit scsi command, qemu crashes.
To reproduce.
1. launch qemu with scsi emulatoin
qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi
-append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi
2. issues scsi command via ioctl(SG_IO) on guest linux. like below.
-------------------------
struct request_sense sens;
struct sg_io_hdr sg;
unsigned char cdb[6];
unsigned char buf[127];
memset( &sens, 0, sizeof(sens) );
memset(&sg, 0, sizeof(sg));
memset(cdb, 0, sizeof(cdb));
memset(buf, 0, sizeof(buf));
// qemu crash!!!
cdb[0] = 0xff;
sg.dxferp = buf;
sg.dxfer_len = sizeof(buf);
sg.dxfer_direction = SG_DXFER_FROM_DEV;
sg.flags = 0;
sg.interface_id = 'S';
sg.cmdp = cdb;
sg.cmd_len = sizeof( cdb );
sg.sbp = (unsigned char*)&sens;
sg.mx_sb_len = sizeof( sens );
ioctl( fd, SG_IO, &sg );
-------------------------
I think cause is below code.
scsi-bus.c L1239
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
{
int rc;
cmd->lba = -1;
cmd->len = scsi_cdb_length(buf);
...
memcpy(cmd->buf, buf, cmd->len);
}
scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value.
Then memcpy(cmd->buf, buf, 4294967295); is executed and crash.
Environment
Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12
Guest: linux kernel 3.18.4 + buildroot
Host: Windows 7 64bit
Thanks,
hiroaki
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1435973
Title:
Qemu crash when a guest linux issues specific scsi command via
ioctl(SG_IO) with SCSI disk emulation.
Status in QEMU:
New
Bug description:
As of git revision 362ca922eea03240916287a8a6267801ab095d12, when
guest linux issues specifit scsi command, qemu crashes.
To reproduce.
1. launch qemu with scsi emulatoin
qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi
-append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi
2. issues scsi command via ioctl(SG_IO) on guest linux. like below.
-------------------------
struct request_sense sens;
struct sg_io_hdr sg;
unsigned char cdb[6];
unsigned char buf[127];
memset( &sens, 0, sizeof(sens) );
memset(&sg, 0, sizeof(sg));
memset(cdb, 0, sizeof(cdb));
memset(buf, 0, sizeof(buf));
// qemu crash!!!
cdb[0] = 0xff;
sg.dxferp = buf;
sg.dxfer_len = sizeof(buf);
sg.dxfer_direction = SG_DXFER_FROM_DEV;
sg.flags = 0;
sg.interface_id = 'S';
sg.cmdp = cdb;
sg.cmd_len = sizeof( cdb );
sg.sbp = (unsigned char*)&sens;
sg.mx_sb_len = sizeof( sens );
ioctl( fd, SG_IO, &sg );
-------------------------
I think cause is below code.
scsi-bus.c L1239
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
{
int rc;
cmd->lba = -1;
cmd->len = scsi_cdb_length(buf);
...
memcpy(cmd->buf, buf, cmd->len);
}
scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value.
Then memcpy(cmd->buf, buf, 4294967295); is executed and crash.
Environment
Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12
Guest: linux kernel 3.18.4 + buildroot
Host: Windows 7 64bit
Thanks,
hiroaki
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1435973/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |