| Message ID | 20210407195801.685-12-mark.cave-ayland@ilande.co.uk |
|---|---|
| State | New |
| Headers | show |
| Series | esp: fix asserts/segfaults discovered by fuzzer | expand |
On 4/7/21 9:58 PM, Mark Cave-Ayland wrote: > When a CDB has been received and is about to be submitted to the SCSI layer > via one of the ESP select commands, ensure that do_cmd is set to zero before > executing the command. > > Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI > .transfer_data callback again before do_cmd is set to zero by the callback > function triggering an assert at the start of esp_transfer_data(). > > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 2 ++ > 1 file changed, 2 insertions(+) Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 3b9037e4f4..326643aa39 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -357,6 +357,7 @@ static void handle_satn(ESPState *s) cmdlen = get_cmd(s, ESP_CMDFIFO_SZ); if (cmdlen > 0) { s->cmdfifo_cdb_offset = 1; + s->do_cmd = 0; do_cmd(s); } else if (cmdlen == 0) { s->do_cmd = 1; @@ -390,6 +391,7 @@ static void handle_s_without_atn(ESPState *s) cmdlen = get_cmd(s, ESP_CMDFIFO_SZ); if (cmdlen > 0) { s->cmdfifo_cdb_offset = 0; + s->do_cmd = 0; do_busid_cmd(s, 0); } else if (cmdlen == 0) { s->do_cmd = 1;
When a CDB has been received and is about to be submitted to the SCSI layer via one of the ESP select commands, ensure that do_cmd is set to zero before executing the command. Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI .transfer_data callback again before do_cmd is set to zero by the callback function triggering an assert at the start of esp_transfer_data(). Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 2 ++ 1 file changed, 2 insertions(+)