[Qemu-block] Overflow in Virtio-BLK and SCSI Requests?
From: Peter Lieven
Subject: [Qemu-block] Overflow in Virtio-BLK and SCSI Requests?
Date: Fri, 20 May 2016 11:27:02 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
Hi,

while working at the iSCSI code in Qemu I came across the following line in iscsi_aio_ioctl:

    memcpy(&acb->task->cdb[0], acb->ioh->cmdp, acb->ioh->cmd_len);

Is there anything to ensure that the cmd_len is valid when the request is e.g. coming in via virtio_blk_handle_scsi?

It seems that virtio-scsi does not allow passing ioctls directly from the Guest, but at least virtio-blk does. And in virtio-blk it seems the data is blindly copied from elem->out_sg[1]. So it would be possible to overflow the acb->task->cdb. Or am I wrong here?

Peter
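The check the mail asks about, as an added example that is not QEMU's or libiscsi's code: a copy into a fixed-size CDB that rejects any request whose cmd_len does not fit, so a length taken from the guest can never run past the buffer. The struct, the 16-byte CDB size and the guard bytes are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed CDB size for this example (not taken from the QEMU source). */
#define CDB_SIZE 16

/* Hypothetical stand-in for the task struct holding the fixed-size CDB.
 * The guard bytes are a constructed canary so the test can show that the
 * checked copy never writes past cdb[]. */
struct scsi_task_stub {
    uint8_t cdb[CDB_SIZE];
    uint8_t guard[8];
};

static void task_init(struct scsi_task_stub *t)
{
    memset(t->cdb, 0, sizeof(t->cdb));
    memset(t->guard, 0xAA, sizeof(t->guard));
}

/* Returns 1 while the guard bytes after cdb[] are untouched, 0 otherwise. */
static int guard_intact(const struct scsi_task_stub *t)
{
    for (size_t i = 0; i < sizeof(t->guard); i++) {
        if (t->guard[i] != 0xAA) {
            return 0;
        }
    }
    return 1;
}

/* Hardened replacement for an unchecked memcpy(cdb, cmdp, cmd_len):
 * the length comes from the request, so it is validated against the
 * destination before anything is copied.  Returns 0 on success and
 * -EINVAL for a NULL command pointer, an empty CDB, or a length larger
 * than the buffer; on error the task is left unmodified. */
static int copy_cdb_checked(struct scsi_task_stub *t,
                            const uint8_t *cmdp, size_t cmd_len)
{
    if (cmdp == NULL || cmd_len == 0 || cmd_len > sizeof(t->cdb)) {
        return -EINVAL;
    }
    memset(t->cdb, 0, sizeof(t->cdb));   /* no stale bytes after a short CDB */
    memcpy(t->cdb, cmdp, cmd_len);
    return 0;
}
```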