1 files changed, 61 insertions, 0 deletions

diff --git a/results/classifier/accel-gemma3:12b/kvm/1435973 b/results/classifier/accel-gemma3:12b/kvm/1435973
new file mode 100644
index 00000000..3e0a8a27
--- /dev/null
+++ b/results/classifier/accel-gemma3:12b/kvm/1435973
@@ -0,0 +1,61 @@
+
+Qemu crash when a guest linux issues specific scsi command via ioctl(SG_IO) with SCSI disk emulation.
+
+As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest linux issues specifit scsi command, qemu crashes.
+
+To reproduce.
+
+1. launch qemu with scsi emulatoin
+qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi -append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi
+2. issues scsi command via ioctl(SG_IO) on guest linux. like below.
+
+-------------------------
+struct request_sense sens;
+struct sg_io_hdr sg;
+unsigned char cdb[6];
+unsigned char buf[127];
+
+memset( &sens, 0, sizeof(sens) );
+memset(&sg, 0, sizeof(sg));
+memset(cdb, 0, sizeof(cdb));
+memset(buf, 0, sizeof(buf));
+
+// qemu crash!!!
+cdb[0] = 0xff;
+
+sg.dxferp = buf;
+sg.dxfer_len = sizeof(buf);
+sg.dxfer_direction = SG_DXFER_FROM_DEV;
+sg.flags = 0;
+sg.interface_id = 'S';
+sg.cmdp = cdb;
+sg.cmd_len = sizeof( cdb );
+sg.sbp = (unsigned char*)&sens;
+sg.mx_sb_len = sizeof( sens );
+
+ioctl( fd, SG_IO, &sg );
+-------------------------
+
+I think cause is below code.
+
+scsi-bus.c L1239
+int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
+{
+    int rc;
+
+    cmd->lba = -1;
+    cmd->len = scsi_cdb_length(buf);
+    ...
+    memcpy(cmd->buf, buf, cmd->len);
+}
+
+scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value.
+Then memcpy(cmd->buf, buf, 4294967295); is executed and crash.
+
+Environment
+Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12
+Guest: linux kernel 3.18.4 + buildroot
+Host: Windows 7 64bit
+
+Thanks,
+hiroaki
\ No newline at end of file