authorJohn Millikin <john@john-millikin.com>2022-08-17 14:34:58 +0900
committerPaolo Bonzini <pbonzini@redhat.com>2022-09-01 07:42:37 +0200
commitfe9d8927e265fd723a6dc87cd6d220f4677dbe1f (patch)
tree0e2d306704d29e6a06cc10b7a320afcbb31279a1 /hw/usb
parentc6e51f1bb28ed762d2039c063cbb71a8ad29762d (diff)
scsi: Add buf_len parameter to scsi_req_new()
When a SCSI command is received from the guest, the CDB length implied
by the first byte might exceed the number of bytes the guest sent. In
this case scsi_req_new() will read uninitialized data, causing
unpredictable behavior.

Adds the buf_len parameter to scsi_req_new() and plumbs it through the
call stack.

Signed-off-by: John Millikin <john@john-millikin.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458.698416-1-john@john-millikin.com>
[Fill in correct length for adapters other than ESP. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'hw/usb')
-rw-r--r--hw/usb/dev-storage.c2
-rw-r--r--hw/usb/dev-uas.c5
2 files changed, 4 insertions, 3 deletions
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index dca62d544f..98639696e6 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -415,7 +415,7 @@ static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
                                      cbw.cmd_len, s->data_len);
             assert(le32_to_cpu(s->csw.residue) == 0);
             s->scsi_len = 0;
-            s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, NULL);
+            s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, cbw.cmd_len, NULL);
             if (s->commandlog) {
                 scsi_req_print(s->req);
             }
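Review bot: The new buf_len argument on the scsi_req_new() call is cbw.cmd_len, a guest-supplied byte that nothing in this hunk clamps to the size of the cbw.cmd array; if the earlier part of usb_msd_handle_data (outside the hunk) does not reject cmd_len values larger than sizeof(cbw.cmd), the bound passed here can exceed the buffer it is meant to describe and scsi_req_new() would be told it may read more bytes than the CBW actually holds. Passing the smaller of the two keeps the check meaningful regardless of what the guest put in the header: `s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, MIN(cbw.cmd_len, sizeof(cbw.cmd)), NULL);`. A one-line comment on why the length is clamped would help the next reader, e.g. `/* cmd_len is guest-controlled; never let it exceed the CBW's command array */`. The enclosing function starts and ends outside the hunk, so an existing validation of cmd_len further up would make this moot.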
diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
index c9f295e7e4..5192b062d6 100644
--- a/hw/usb/dev-uas.c
+++ b/hw/usb/dev-uas.c
@@ -71,7 +71,7 @@ typedef struct {
     uint8_t    reserved_2;
     uint64_t   lun;
     uint8_t    cdb[16];
-    uint8_t    add_cdb[1];      /* not supported by QEMU */
+    uint8_t    add_cdb[1];
 } QEMU_PACKED  uas_iu_command;
 
 typedef struct {
@@ -699,6 +699,7 @@ static void usb_uas_command(UASDevice *uas, uas_iu *iu)
     UASRequest *req;
     uint32_t len;
     uint16_t tag = be16_to_cpu(iu->hdr.tag);
+    size_t cdb_len = sizeof(iu->command.cdb) + iu->command.add_cdb_length;
 
     if (iu->command.add_cdb_length > 0) {
         qemu_log_mask(LOG_UNIMP, "additional adb length not yet supported\n");
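Review bot: The cdb_len computed on the new line adds the guest-supplied add_cdb_length to sizeof(cdb), but the struct in the first hunk of this file declares add_cdb as a single byte, so for any add_cdb_length larger than 1 the resulting length claims bytes beyond the IU's declared storage. The check directly below only logs the unsupported case; whether it then bails out is outside the hunk, and if it does, the addition is dead code, while if it does not, the length handed to scsi_req_new() in the hunk at line 71 overstates the buffer. Either way the intent is clearer as `size_t cdb_len = sizeof(iu->command.cdb);` with a comment such as `/* additional CDB bytes are rejected below, so the CDB is bounded by the fixed array */`, or, if additional CDB bytes are meant to count, by bounding the sum against the bytes actually received in the IU. usb_uas_command continues past both hunks.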
@@ -729,7 +730,7 @@ static void usb_uas_command(UASDevice *uas, uas_iu *iu)
 
     req->req = scsi_req_new(req->dev, req->tag,
                             usb_uas_get_lun(req->lun),
-                            iu->command.cdb, req);
+                            iu->command.cdb, cdb_len, req);
     if (uas->requestlog) {
         scsi_req_print(req->req);
     }