blob: e4d36b6f7efca46121d1b090284d33b796837af2 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
ppc: 0.770
graphic: 0.749
performance: 0.722
network: 0.716
device: 0.712
mistranslation: 0.709
semantic: 0.692
register: 0.664
vnc: 0.659
socket: 0.636
kernel: 0.615
architecture: 0.613
peripherals: 0.560
files: 0.558
PID: 0.547
arm: 0.543
risc-v: 0.532
x86: 0.532
permissions: 0.525
VMM: 0.525
debug: 0.519
hypervisor: 0.512
TCG: 0.509
i386: 0.493
boot: 0.487
user-level: 0.444
KVM: 0.422
assembly: 0.342
virtual: 0.306
Could this cause OOB bug ?
In function megasas_handle_scsi(hw/scsi/megasas.c):
```c
static int megasas_handle_scsi(MegasasState *s, MegasasCmd *cmd,
int frame_cmd)
{
............................................................................
cdb = cmd->frame->pass.cdb;
target_id = cmd->frame->header.target_id;
lun_id = cmd->frame->header.lun_id;
cdb_len = cmd->frame->header.cdb_len;
............................................................................
if (cdb_len > 16) {
trace_megasas_scsi_invalid_cdb_len(
mfi_frame_desc[frame_cmd], is_logical,
target_id, lun_id, cdb_len);
megasas_write_sense(cmd, SENSE_CODE(INVALID_OPCODE));
cmd->frame->header.scsi_status = CHECK_CONDITION;
s->event_count++;
return MFI_STAT_SCSI_DONE_WITH_ERROR;
}
}
```
Two variables, frame_cmd and cdb_len, can be controlled by guest os. So can mfi_frame_desc[frame_cmd] cause OOB bug ?
QEMU emulator version 5.0.50 (v5.0.0-533-gdebe78ce14-dirty)
You must start the trace function of QEMU to trigger this BUG!
I think we should fix this anyway, even if it can only be triggered when trace functions are enabled
Fix has been included:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ee760ac80ac1f1
|