[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 1/3] scsi: megasas: use appropriate property buf

From: Alexander Graf
Subject: Re: [Qemu-devel] [PATCH 1/3] scsi: megasas: use appropriate property buffer size
Date: Wed, 25 May 2016 13:53:31 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

On 05/25/2016 01:51 PM, P J P wrote:
   Hello Alex,

+-- On Wed, 25 May 2016, Alexander Graf wrote --+
| > -    dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
| > +    dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
| This looks odd - can dcmd_size be bigger than iov_size? Wouldn't we overwrite
| guest memory then? And where does dcmd_size come from? I don't see it in
| master.

   struct mfi_ctrl_props info;
   size_t dcmd_size = sizeof(info);
-> http://git.qemu.org/?p=qemu.git;a=blob;f=hw/scsi/megasas.c;h=a63a581550a328d0326ddee4f7fe1c4ffdecc194;hb=HEAD#l1439

'dcmd_size' is same as that of 'info' object.

Ok, then this patch is definitely bogus. The guest may receive less than the size of the info object. So we really want to have a MIN() between the maximum allowed transfer size (sizeof(info)) and the requested size (cmd->iov_size) here.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]