[Stable-8.1.2 44/45] esp: restrict non-DMA transfer length to that of available data

From: Michael Tokarev
Subject: [Stable-8.1.2 44/45] esp: restrict non-DMA transfer length to that of available data
Date: Wed, 4 Oct 2023 11:02:05 +0300
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.

Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4218a6a960..9b11d8c573 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s)
}
if (to_device) {
- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ);
+ len = MIN(s->async_len, ESP_FIFO_SZ);
+ len = MIN(len, fifo8_num_used(&s->fifo));
esp_fifo_pop_buf(&s->fifo, s->async_buf, len);
s->async_buf += len;
s->async_len -= len;
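Review bot: bounding `len` by `s->async_len` does stop `s->async_len -= len;` from wrapping below zero, but the hunk changes what happens to surplus FIFO bytes and the commit message should state the intended outcome: when the FIFO holds more than `s->async_len` bytes, the excess now stays queued in the FIFO instead of being consumed, and when `s->async_len` is already 0 the call `esp_fifo_pop_buf(&s->fifo, s->async_buf, len);` runs with `len == 0` and moves nothing. A one-line comment above the two `MIN()` lines saying that leftover FIFO data is deliberately left in place (or drained elsewhere) would make the behaviour clear to the next reader.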
--
2.39.2
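The unsigned wrap described in the commit message, modelled in C as an added example (not QEMU code): the `struct xfer` fields stand in for the ESP state, and the FIFO contents and buffer size are constructed values.

```c
/*
 * Added example, not part of the QEMU patch: models the length computation in
 * esp_do_nodma() before and after the fix, using a constructed FIFO and buffer,
 * to show why the old MIN() could wrap the unsigned async_len and overrun the
 * SCSI buffer while the fixed version cannot.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ESP_FIFO_SZ 16   /* ESP FIFO size, as in QEMU */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

struct xfer {
    uint32_t async_len;  /* bytes the SCSI layer still expects (unsigned, like QEMU's) */
    size_t   buf_room;   /* bytes actually left in the SCSI buffer (constructed model) */
    uint32_t fifo_used;  /* bytes currently queued in the FIFO */
};

/* Old computation: len depends only on the FIFO, never on async_len. */
static uint32_t len_before_fix(const struct xfer *x)
{
    return MIN(x->fifo_used, ESP_FIFO_SZ);
}

/* Fixed computation: len can never exceed what the SCSI layer expects. */
static uint32_t len_after_fix(const struct xfer *x)
{
    uint32_t len = MIN(x->async_len, ESP_FIFO_SZ);
    return MIN(len, x->fifo_used);
}

/*
 * Apply one non-DMA step with the given length function. Returns true when the
 * copy would write past the buffer; afterwards x->async_len shows either the
 * wrapped value (old code) or the clean countdown (fixed code).
 */
static bool step_overruns(struct xfer *x, uint32_t (*lenfn)(const struct xfer *))
{
    uint32_t len = lenfn(x);
    bool overrun = len > x->buf_room;    /* esp_fifo_pop_buf would overrun here */
    x->fifo_used -= MIN(len, x->fifo_used);
    x->async_len -= len;                 /* unsigned: wraps if len > async_len */
    if (!overrun) {
        x->buf_room -= len;
    }
    return overrun;
}
```

With 12 bytes queued but only 4 expected, the old path reports an overrun and leaves `async_len` wrapped near 2^32, while the fixed path copies exactly 4 bytes and leaves the 8 surplus bytes in the FIFO.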