1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
Qemu crash when a guest linux issues specific scsi command via ioctl(SG_IO) with SCSI disk emulation.
As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest linux issues specifit scsi command, qemu crashes.
To reproduce.
1. launch qemu with scsi emulatoin
qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi -append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi
2. issues scsi command via ioctl(SG_IO) on guest linux. like below.
-------------------------
struct request_sense sens;
struct sg_io_hdr sg;
unsigned char cdb[6];
unsigned char buf[127];
memset( &sens, 0, sizeof(sens) );
memset(&sg, 0, sizeof(sg));
memset(cdb, 0, sizeof(cdb));
memset(buf, 0, sizeof(buf));
// qemu crash!!!
cdb[0] = 0xff;
sg.dxferp = buf;
sg.dxfer_len = sizeof(buf);
sg.dxfer_direction = SG_DXFER_FROM_DEV;
sg.flags = 0;
sg.interface_id = 'S';
sg.cmdp = cdb;
sg.cmd_len = sizeof( cdb );
sg.sbp = (unsigned char*)&sens;
sg.mx_sb_len = sizeof( sens );
ioctl( fd, SG_IO, &sg );
-------------------------
I think cause is below code.
scsi-bus.c L1239
int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
{
int rc;
cmd->lba = -1;
cmd->len = scsi_cdb_length(buf);
...
memcpy(cmd->buf, buf, cmd->len);
}
scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value.
Then memcpy(cmd->buf, buf, 4294967295); is executed and crash.
Environment
Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12
Guest: linux kernel 3.18.4 + buildroot
Host: Windows 7 64bit
Thanks,
hiroaki
|