scsi: Reject commands if the CDB length exceeds buf_len - bwlp/qemu.git - Experimental fork of QEMU with video encoding patches

diff options

author	John Millikin	2022-08-17 07:35:00 +0200
committer	Paolo Bonzini	2022-09-01 07:42:37 +0200
commit	6d1511cea0fb536f2df7b6c31bb745d80b98d82e (patch)
tree	62d61f3c402d6cb4a0da47c7862eeeeab713f699 /qapi/qapi-util.c
parent	scsi: Add buf_len parameter to scsi_req_new() (diff)
download	qemu-6d1511cea0fb536f2df7b6c31bb745d80b98d82e.tar.gz qemu-6d1511cea0fb536f2df7b6c31bb745d80b98d82e.tar.xz qemu-6d1511cea0fb536f2df7b6c31bb745d80b98d82e.zip

scsi: Reject commands if the CDB length exceeds buf_len

In scsi_req_parse_cdb(), if the CDB length implied by the command type exceeds the initialized portion of the command buffer, reject the request. Rejected requests are recorded by the `scsi_req_parse_bad` trace event. On example of a bug detected by this check is SunOS's use of interleaved DMA and non-DMA commands. This guest behavior currently causes QEMU to parse uninitialized memory as a SCSI command, with unpredictable outcomes. With the new check in place: * QEMU consistently creates a trace event and rejects the request. * SunOS retries the request(s) and is able to successfully boot from disk. Signed-off-by: John Millikin <john@john-millikin.com> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127 Message-Id: <20220817053458.698416-2-john@john-millikin.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Diffstat (limited to 'qapi/qapi-util.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: