authorChristian Krinitsin <mail@krinitsin.com>2025-05-30 14:51:13 +0000
committerChristian Krinitsin <mail@krinitsin.com>2025-05-30 14:51:13 +0000
commit225caa38269323af1bfc2daadff5ec8bd930747f (patch)
treee0a5fefde9ee100ba6f32fb36de6707490e4164e /mailinglist/output_launchpad/1882065
parent904141bfb8d5385b75eb3b7afec1dcda89af65a7 (diff)
downloademulator-bug-study-225caa38269323af1bfc2daadff5ec8bd930747f.tar.gz
emulator-bug-study-225caa38269323af1bfc2daadff5ec8bd930747f.zip
add mailinglist scraper results
Diffstat (limited to 'mailinglist/output_launchpad/1882065')
-rw-r--r--mailinglist/output_launchpad/188206537
1 files changed, 37 insertions, 0 deletions
diff --git a/mailinglist/output_launchpad/1882065 b/mailinglist/output_launchpad/1882065
new file mode 100644
index 00000000..1c219b65
--- /dev/null
+++ b/mailinglist/output_launchpad/1882065
@@ -0,0 +1,37 @@
+Could this cause OOB bug ?
+
+In function megasas_handle_scsi(hw/scsi/megasas.c):
+
+```c
+static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
+ int frame_cmd)
+{
+ ............................................................................
+ cdb = cmd->frame->pass.cdb;
+ target_id = cmd->frame->header.target_id;
+ lun_id = cmd->frame->header.lun_id;
+ cdb_len = cmd->frame->header.cdb_len;
+ ............................................................................
+ if (cdb_len > 16) {
+ trace_megasas_scsi_invalid_cdb_len(
+ mfi_frame_desc[frame_cmd], is_logical,
+ target_id, lun_id, cdb_len);
+ megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
+ cmd->frame->header.scsi_status = CHECK_CONDITION;
+ s->event_count++;
+ return MFI_STAT_SCSI_DONE_WITH_ERROR;
+ }
+}
+```
+
+Two variables, frame_cmd and cdb_len, can be controlled by guest os. So can mfi_frame_desc[frame_cmd] cause OOB bug ?
+
+QEMU emulator version 5.0.50 (v5.0.0-533-gdebe78ce14-dirty)
+
+You must start the trace function of QEMU to trigger this BUG!
+
+I think we should fix this anyway, even if it can only be triggered when trace functions are enabled
+
+Fix has been included:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ee760ac80ac1f1
+