fadd50
------------------------------------------------------------------------
fadd50
*From*: 	Paolo Bonzini
fadd50
*Subject*: 	Re: [Qemu-devel] [PATCH] scsi: check buffer length before
fadd50
reading scsi command
fadd50
*Date*: 	Wed, 1 Jun 2016 15:10:16 +0200
fadd50
*User-agent*: 	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
fadd50
Thunderbird/45.1.0
fadd50
fadd50
------------------------------------------------------------------------
fadd50
fadd50
fadd50
On 31/05/2016 19:53, P J P wrote:
fadd50
>/ From: Prasad J Pandit <address@hidden>/
fadd50
>/ /
fadd50
>/ The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte/
fadd50
>/ FIFO buffer. It is used to handle command and data transfer./
fadd50
>/ Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi/
fadd50
>/ command into a buffer. Add check to validate command length against/
fadd50
>/ buffer size to avoid any overrun./
fadd50
>/ /
fadd50
>/ Reported-by: Li Qiang <address@hidden>/
fadd50
>/ Signed-off-by: Prasad J Pandit <address@hidden>/
fadd50
>/ ---/
fadd50
>/  hw/scsi/esp.c | 3 +++/
fadd50
>/  1 file changed, 3 insertions(+)/
fadd50
>/ /
fadd50
>/ diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c/
fadd50
>/ index 60c1b28..953027a 100644/
fadd50
>/ --- a/tools/qemu-xen-traditional/hw/esp.c/
fadd50
>/ +++ b/tools/qemu-xen-traditional/hw/esp.c/
fadd50
>/ @@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t /
fadd50
>/ buflen)/
fadd50
>/          s->dma_memory_read(s->dma_opaque, buf, dmalen);/
fadd50
>/      } else {/
fadd50
>/          dmalen = s->ti_size;/
fadd50
>/ +        if (dmalen > TI_BUFSZ) {/
fadd50
>/ +            return 0;/
fadd50
>/ +        }/
fadd50
>/          memcpy(buf, s->ti_buf, dmalen);/
fadd50
>/          buf[0] = buf[2] >> 5;/
fadd50
>/      }/
fadd50
>/ /
fadd50
fadd50
In theory this shouldn't happen, but I agree that it is better to be
fadd50
defensive.  I'm queuing this patch.
fadd50
fadd50
At least the following patch is needed to ensure that ti_size always
fadd50
matches ti_rptr/ti_wptr (Hervé, what do you think about it? should I
fadd50
resubmit it formally?).  Also, things are more complicated than
fadd50
necessary due to ti_size being used for both DMA and FIFO transfers.
fadd50
fadd50
diff --git a/tools/qemu-xen-traditional/hw/esp.c b/tools/qemu-xen-traditional/hw/esp.c
fadd50
index c2f6f8f..6407844 100644
fadd50
--- a/tools/qemu-xen-traditional/hw/esp.c
fadd50
+++ b/tools/qemu-xen-traditional/hw/esp.c
fadd50
@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
fadd50
     } else {
fadd50
         s->ti_size = 2;
fadd50
         s->ti_rptr = 0;
fadd50
-        s->ti_wptr = 0;
fadd50
+        s->ti_wptr = 2;
fadd50
         s->rregs[ESP_RFLAGS] = 2;
fadd50
     }
fadd50
     esp_raise_irq(s);
fadd50