[PULL 09/13] esp: don't overflow cmdfifo in get

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 09/13] esp: don't overflow cmdfifo in get_cmd()

From:	Mark Cave-Ayland
Subject:	[PULL 09/13] esp: don't overflow cmdfifo in get_cmd()
Date:	Mon, 12 Apr 2021 23:20:44 +0100

If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.

Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.

Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-9-mark.cave-ayland@ilande.co.uk>
---
 hw/scsi/esp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index d3b105b703..9d3fdb4398 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -243,6 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
         }
         if (s->dma_memory_read) {
             s->dma_memory_read(s->dma_opaque, buf, dmalen);
+            dmalen = MIN(fifo8_num_free(&s->cmdfifo), dmalen);
             fifo8_push_all(&s->cmdfifo, buf, dmalen);
         } else {
             if (esp_select(s) < 0) {
@@ -262,6 +263,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
         if (n >= 3) {
             buf[0] = buf[2] >> 5;
         }
+        n = MIN(fifo8_num_free(&s->cmdfifo), n);
         fifo8_push_all(&s->cmdfifo, buf, n);
     }
     trace_esp_get_cmd(dmalen, target);
-- 
2.20.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 00/13] qemu-sparc queue 20210412, Mark Cave-Ayland, 2021/04/12
- [PULL 03/13] esp: rework write_response() to avoid using the FIFO for DMA transactions, Mark Cave-Ayland, 2021/04/12
- [PULL 02/13] esp: always check current_req is not NULL before use in DMA callbacks, Mark Cave-Ayland, 2021/04/12
- [PULL 01/13] esp: fix setting of ESPState mig_version_id when launching QEMU with -S option, Mark Cave-Ayland, 2021/04/12
- [PULL 04/13] esp: consolidate esp_cmdfifo_push() into esp_fifo_push(), Mark Cave-Ayland, 2021/04/12
- [PULL 05/13] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop(), Mark Cave-Ayland, 2021/04/12
- [PULL 06/13] esp: introduce esp_fifo_pop_buf() and use it instead of fifo8_pop_buf(), Mark Cave-Ayland, 2021/04/12
- [PULL 07/13] esp: ensure cmdfifo is not empty and current_dev is non-NULL, Mark Cave-Ayland, 2021/04/12
- [PULL 08/13] esp: don't underflow cmdfifo in do_cmd(), Mark Cave-Ayland, 2021/04/12
- [PULL 09/13] esp: don't overflow cmdfifo in get_cmd(), Mark Cave-Ayland <=
- [PULL 11/13] esp: don't reset async_len directly in esp_select() if cancelling request, Mark Cave-Ayland, 2021/04/12
- [PULL 10/13] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size, Mark Cave-Ayland, 2021/04/12
- [PULL 12/13] esp: ensure that do_cmd is set to zero before submitting an ESP select command, Mark Cave-Ayland, 2021/04/12
- [PULL 13/13] tests/qtest: add tests for am53c974 device, Mark Cave-Ayland, 2021/04/12
- Re: [PULL 00/13] qemu-sparc queue 20210412, Peter Maydell, 2021/04/13

Prev by Date: [PULL 08/13] esp: don't underflow cmdfifo in do_cmd()
Next by Date: [PULL 11/13] esp: don't reset async_len directly in esp_select() if cancelling request
Previous by thread: [PULL 08/13] esp: don't underflow cmdfifo in do_cmd()
Next by thread: [PULL 11/13] esp: don't reset async_len directly in esp_select() if cancelling request
Index(es):
- Date
- Thread