path: root/results/scraper/launchpad/1882065
blob: 1c219b651f674b6238ef774bac2316a13dd4080e
Could this cause an OOB bug?

In the function megasas_handle_scsi (hw/scsi/megasas.c):

```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
                               int frame_cmd)
{
    ............................................................................
    /* all four fields are read straight from the guest-written MFI frame */
    cdb = cmd->frame->pass.cdb;
    target_id = cmd->frame->header.target_id;
    lun_id = cmd->frame->header.lun_id;
    cdb_len = cmd->frame->header.cdb_len;
    ............................................................................
    if (cdb_len > 16) {
        /* frame_cmd is used as an index into mfi_frame_desc[] here
         * without being compared against the table size first */
        trace_megasas_scsi_invalid_cdb_len(
                mfi_frame_desc[frame_cmd], is_logical,
                target_id, lun_id, cdb_len);
        megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
        cmd->frame->header.scsi_status = CHECK_CONDITION;
        s->event_count++;
        return MFI_STAT_SCSI_DONE_WITH_ERROR;
    }
}
```

Two variables, frame_cmd and cdb_len, can be controlled by the guest OS. So can mfi_frame_desc[frame_cmd] cause an OOB bug?

QEMU emulator version 5.0.50 (v5.0.0-533-gdebe78ce14-dirty)

You must enable the trace function of QEMU to trigger this bug!

I think we should fix this anyway, even if it can only be triggered when trace functions are enabled.

The fix has been included:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ee760ac80ac1f1
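The defensive pattern the report calls for is a bounds-checked accessor between the guest-supplied frame command byte and the descriptor table, so that a tracepoint can never subscript past the end of the array. The following is an added, self-contained illustration of that pattern; it is not code from QEMU or from the linked fix commit. The table `frame_desc[]`, the helper names `frame_desc_name` and `format_invalid_cdb_trace`, and the entry strings are all constructed for this example and are not the real `mfi_frame_desc[]` contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a descriptor table indexed by the MFI frame
 * command byte. It deliberately has only a few entries so that most
 * of the 0..255 byte range falls outside it, as a guest-chosen value
 * easily could. */
static const char *const frame_desc[] = {
    "MFI_CMD_INIT",
    "MFI_CMD_LD_READ",
    "MFI_CMD_LD_WRITE",
    "MFI_CMD_LD_SCSI",
    "MFI_CMD_PD_SCSI",
    "MFI_CMD_DCMD",
};
#define FRAME_DESC_COUNT (sizeof(frame_desc) / sizeof(frame_desc[0]))

/* Bounds-checked accessor (hypothetical name): the only place the
 * guest-controlled index touches the array subscript, and it is compared
 * to the table size first. Out-of-range values map to a fixed string
 * instead of reading whatever happens to follow the table in memory. */
const char *frame_desc_name(unsigned int frame_cmd)
{
    if (frame_cmd < FRAME_DESC_COUNT) {
        return frame_desc[frame_cmd];
    }
    return "Unknown";
}

/* Mimics the tracepoint call site from the report: build the trace line
 * from a guest-supplied frame command and cdb_len, going through the
 * accessor rather than indexing the table directly.
 * Returns the number of characters snprintf would have written. */
int format_invalid_cdb_trace(char *buf, size_t buflen,
                             unsigned int frame_cmd, unsigned int cdb_len)
{
    return snprintf(buf, buflen,
                    "megasas_scsi_invalid_cdb_len: cmd=%s cdb_len=%u",
                    frame_desc_name(frame_cmd), cdb_len);
}

int main(void)
{
    char line[128];
    /* constructed inputs: an in-range command and the worst-case byte */
    unsigned int samples[] = { 3u, 0xffu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        format_invalid_cdb_trace(line, sizeof line, samples[i], 32u);
        puts(line);
    }
    return 0;
}
```

The important property is that the comparison uses the table's own element count rather than a hard-coded constant, so adding or removing descriptors can never silently reopen the gap between the table size and the index range a guest can supply.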