
[Bug 1523811] Re: USB assert failure on dev-storage.c


From: Gerd Hoffmann
Subject: [Bug 1523811] Re: USB assert failure on dev-storage.c
Date: Fri, 12 Mar 2021 09:35:13 -0000

No, we can't.  csw.residue is non-zero if the request didn't complete yet 
(usb_msd_send_status clears it via memset).  We *really* should not be in 
USB_MSDM_CBW state with a non-zero residue.
We need to figure how we end up with this inconsistency.  Possibly via 
usb_msd_handle_reset().

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1523811

Title:
  USB assert failure on dev-storage.c

Status in QEMU:
  Confirmed

Bug description:
  On executing the attached python script in the guest OS, QEMU dies
  with assert failure:

  [run python script in guest root shell]
  # python a.py

  [host message]
  qemu-system-x86_64: hw/usb/dev-storage.c:445: usb_msd_handle_data: Assertion `le32_to_cpu(s->csw.residue) == 0' failed.
  Aborted (core dumped)

  When I detach the kernel driver, send a CBW and reattach it again, without conforming to the command/data/status protocol, QEMU dies.
  I think this is due to a misimplementation of the Command/Data/Status protocol in Bulk-only transfer.
  This kind of assert failure can be misused by malware to avoid being analyzed, by terminating only in virtual environments and still executing the malicious code on real machines.
  Before running the python script, make sure to change a.py so that it points to the usb mass storage's vid and pid.

  QEMU was running in this environment:
  [CPU model]    Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
  [qemu version] QEMU 2.5.0-rc2 (compiled from source, gcc 4.8.4)
  [host info]    Ubuntu 14.04.3, x86_64, 3.19.0-32-generic
  [guest info]   Ubuntu 14.04.3, x86_64, 3.19.0-28-generic
  [QEMU argument]
  x86_64-softmmu/qemu-system-x86_64 -hda /media/hdd/img/ubuntu1404.qcow2.5 \
   -m 512 \
   --usbdevice disk:format=qcow2:../usb.img.5 \
   --enable-kvm

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1523811/+subscriptions
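The following is an added example and not code from QEMU's hw/usb/dev-storage.c: a stand-alone C model of the USB mass-storage Bulk-Only Transport (CBW, data, CSW) state machine, written to show the invariant behind the assertion in the report and the inconsistency the reply above describes. The CBW/CSW wire formats follow the USB Bulk-Only Transport specification; the state names, function names and the two reset variants are assumptions for illustration. The "mode only" reset is the kind of path the reply hypothesizes (returning to CBW state while a residue is still outstanding); the "full" reset is one way to keep the invariant, not a statement of how QEMU's usb_msd_handle_reset() behaves.

```c
/* Added example (not QEMU code): model of the USB Bulk-Only Transport state
 * machine. Names and structure are assumed for illustration.
 * Build: cc -std=c99 -Wall bot_model.c -o bot_model */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CBW_SIGNATURE 0x43425355u  /* "USBC" read as little-endian u32 */
#define CSW_SIGNATURE 0x53425355u  /* "USBS" */
#define CBW_FLAG_IN   0x80         /* bmCBWFlags bit 7: data flows device->host */
#define CBW_LEN 31
#define CSW_LEN 13

enum msd_mode { MSDM_CBW, MSDM_DATAOUT, MSDM_DATAIN, MSDM_CSW };

struct cbw { uint32_t tag, data_len; uint8_t flags, lun, cmd_len, cmd[16]; };
struct csw { uint32_t sig, tag, residue; uint8_t status; };
struct msd { enum msd_mode mode; struct csw csw; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The invariant the report's assertion checks: while waiting for a new CBW,
 * no residue from an earlier command may still be outstanding. */
static int msd_consistent(const struct msd *s)
{
    return s->mode != MSDM_CBW || s->csw.residue == 0;
}

/* Validate and decode a 31-byte CBW; 0 on success, -1 if malformed. */
static int cbw_parse(const uint8_t *buf, size_t len, struct cbw *out)
{
    if (len != CBW_LEN || le32(buf) != CBW_SIGNATURE) return -1;
    if (buf[14] < 1 || buf[14] > 16) return -1;   /* bCBWCBLength must be 1..16 */
    out->tag = le32(buf + 4);
    out->data_len = le32(buf + 8);
    out->flags = buf[12];
    out->lun = buf[13] & 0x0f;
    out->cmd_len = buf[14];
    memcpy(out->cmd, buf + 15, 16);
    return 0;
}

/* Command phase: a CBW arrives from the guest. */
static int msd_handle_cbw(struct msd *s, const uint8_t *buf, size_t len)
{
    struct cbw c;
    if (s->mode != MSDM_CBW || cbw_parse(buf, len, &c) != 0) return -1;
    s->csw.sig = CSW_SIGNATURE;
    s->csw.tag = c.tag;
    s->csw.residue = c.data_len;      /* bytes this command still has to move */
    s->csw.status = 0;
    s->mode = c.data_len == 0 ? MSDM_CSW
            : (c.flags & CBW_FLAG_IN) ? MSDM_DATAIN : MSDM_DATAOUT;
    return 0;
}

/* Data phase: one bulk packet of `len` bytes moved; returns bytes accounted for. */
static int msd_handle_data(struct msd *s, uint32_t len)
{
    if (s->mode != MSDM_DATAIN && s->mode != MSDM_DATAOUT) return -1;
    if (len > s->csw.residue) len = s->csw.residue;
    s->csw.residue -= len;
    if (s->csw.residue == 0) s->mode = MSDM_CSW;
    return (int)len;
}

/* Status phase: serialize the CSW, then clear it (the memset the reply mentions). */
static int msd_send_status(struct msd *s, uint8_t out[CSW_LEN])
{
    if (s->mode != MSDM_CSW) return -1;
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(s->csw.sig     >> (8 * i));
        out[4 + i] = (uint8_t)(s->csw.tag     >> (8 * i));
        out[8 + i] = (uint8_t)(s->csw.residue >> (8 * i));
    }
    out[12] = s->csw.status;
    memset(&s->csw, 0, sizeof(s->csw));
    s->mode = MSDM_CBW;
    return 0;
}

/* Bulk-Only Mass Storage Reset, two assumed variants: the first only rewinds the
 * mode and leaves a stale residue behind; the second also discards the CSW. */
static void msd_reset_mode_only(struct msd *s) { s->mode = MSDM_CBW; }
static void msd_reset_full(struct msd *s) { memset(&s->csw, 0, sizeof(s->csw)); s->mode = MSDM_CBW; }

/* Constructed sample CBW: tag 1, 512 bytes IN, LUN 0, 10-byte READ(10) CDB. */
static const uint8_t sample_cbw[CBW_LEN] = {
    'U','S','B','C', 1,0,0,0, 0x00,0x02,0,0, CBW_FLAG_IN, 0, 10, 0x28
};

/* CBW, data phase interrupted half-way, then reset. Returns 1 if the device is
 * in a consistent state to accept the next CBW, 0 if not, -1 on protocol error. */
static int replay_reset_mid_transfer(int clear_csw_on_reset)
{
    struct msd s = { MSDM_CBW, { 0, 0, 0, 0 } };
    if (msd_handle_cbw(&s, sample_cbw, CBW_LEN) != 0) return -1;
    if (msd_handle_data(&s, 256) != 256) return -1;
    if (clear_csw_on_reset) msd_reset_full(&s); else msd_reset_mode_only(&s);
    return msd_consistent(&s);
}

/* Well-behaved guest: command, full data phase, status. Returns the residue
 * reported in the CSW, or -1 on protocol error. */
static int replay_complete_command(void)
{
    struct msd s = { MSDM_CBW, { 0, 0, 0, 0 } };
    uint8_t csw[CSW_LEN];
    if (msd_handle_cbw(&s, sample_cbw, CBW_LEN) != 0) return -1;
    if (msd_handle_data(&s, 512) != 512) return -1;
    if (msd_send_status(&s, csw) != 0 || !msd_consistent(&s)) return -1;
    return (int)le32(csw + 8);
}

int main(void)
{
    printf("reset keeps residue: consistent=%d\n", replay_reset_mid_transfer(0));
    printf("reset clears csw:    consistent=%d\n", replay_reset_mid_transfer(1));
    printf("complete command:    residue=%d\n", replay_complete_command());
    return 0;
}
```

The model makes the reply's point concrete: `residue` is loaded from the CBW's transfer length and only reaches zero through the data phase or the memset in the status phase, so any path that returns to CBW state without passing through one of those leaves the device in a state the assertion rejects. A guest that can trigger such a path (for example by resetting mid-transfer, as the reporter's script does by detaching and reattaching the driver) can then crash the emulator with its next CBW.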


