
[Bug 1882065] [NEW] Could this cause OOB bug ?


From: r1ng0hacking
Subject: [Bug 1882065] [NEW] Could this cause OOB bug ?
Date: Thu, 04 Jun 2020 10:22:46 -0000

Public bug reported:

In the function megasas_handle_scsi (hw/scsi/megasas.c):

```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
                               int frame_cmd)
{
    ............................................................................
    cdb = cmd->frame->pass.cdb;
    target_id = cmd->frame->header.target_id;
    lun_id = cmd->frame->header.lun_id;
    cdb_len = cmd->frame->header.cdb_len;
    ............................................................................
    if (cdb_len > 16) {
        trace_megasas_scsi_invalid_cdb_len(
                mfi_frame_desc[frame_cmd], is_logical,
                target_id, lun_id, cdb_len);
        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
        cmd->frame->header.scsi_status = CHECK_CONDITION;
        s->event_count++;
        return MFI_STAT_SCSI_DONE_WITH_ERROR;
    }
}
```

Two variables, frame_cmd and cdb_len, can be controlled by the guest OS. So
can mfi_frame_desc[frame_cmd] cause an OOB bug?

** Affects: qemu
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1882065
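As an added illustration (not QEMU's code and not the reporter's), this is the defensive pattern a reviewer would want around a guest-controlled array index: check frame_cmd against the table size before it reaches the trace call, next to the cdb_len check the quoted code already performs. The descriptor table and its entries, the struct frame_header model, the 16-byte CDB limit taken from the quoted check, and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a per-command descriptor table; the real
 * mfi_frame_desc in hw/scsi/megasas.c is not reproduced here. */
static const char *const frame_desc[] = {
    "init", "ld_read", "ld_write", "ld_scsi_io", "pd_scsi_io", "dcmd",
};
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_CDB_LEN 16   /* the limit the quoted cdb_len check enforces */

/* Constructed, minimal model of the guest-written frame header fields. */
struct frame_header {
    uint8_t frame_cmd;
    uint8_t cdb_len;
};

/* Bounds-checked lookup: an index outside the table yields a fixed
 * string instead of a read past the end of the array. */
const char *frame_desc_safe(unsigned frame_cmd)
{
    return frame_cmd < ARRAY_LEN(frame_desc) ? frame_desc[frame_cmd]
                                             : "unknown";
}

/* Validate both guest-controlled fields before either is used.
 * Returns 0 when acceptable, -1 for a command index outside the table,
 * -2 for an oversized CDB. The raw frame_cmd is never used as an index. */
int validate_frame_header(const struct frame_header *h)
{
    if (h->frame_cmd >= ARRAY_LEN(frame_desc)) {
        fprintf(stderr, "reject cmd=%u (%s): index out of range\n",
                h->frame_cmd, frame_desc_safe(h->frame_cmd));
        return -1;
    }
    if (h->cdb_len > MAX_CDB_LEN) {
        fprintf(stderr, "reject cmd=%u (%s): cdb_len=%u > %d\n",
                h->frame_cmd, frame_desc_safe(h->frame_cmd),
                h->cdb_len, MAX_CDB_LEN);
        return -2;
    }
    return 0;
}
```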