Message ID | 20210316233024.13560-4-mark.cave-ayland@ilande.co.uk |
---|---|
State | New |
Headers | show |
Series | esp: fix asserts/segfaults discovered by fuzzer | expand |
On 3/17/21 12:30 AM, Mark Cave-Ayland wrote: > When about to execute a SCSI command, ensure that cmdfifo is not empty and > current_dev is non-NULL. This can happen if the guest tries to execute a TI > (Transfer Information) command without issuing one of the select commands > first. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 > Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 3 +++ > 1 file changed, 3 insertions(+) Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Hi Mark, On 210316 2330, Mark Cave-Ayland wrote: > When about to execute a SCSI command, ensure that cmdfifo is not empty and > current_dev is non-NULL. This can happen if the guest tries to execute a TI > (Transfer Information) command without issuing one of the select commands > first. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 ^ Can't reproduce this one anymore > Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 However, this still seems to cause a UAF: https://bugs.launchpad.net/qemu/+bug/1909247/comments/6 -Alex > Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> > --- > hw/scsi/esp.c | 3 +++ > 1 file changed, 3 insertions(+)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index bbcbfa4a91..ae362c9dfb 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -286,6 +286,9 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) trace_esp_do_busid_cmd(busid); lun = busid & 7; cmdlen = fifo8_num_used(&s->cmdfifo); + if (!cmdlen || !s->current_dev) { + return; + } buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
When about to execute a SCSI command, ensure that cmdfifo is not empty and current_dev is non-NULL. This can happen if the guest tries to execute a TI (Transfer Information) command without issuing one of the select commands first. Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 3 +++ 1 file changed, 3 insertions(+)