[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd()
From: |
Mark Cave-Ayland |
Subject: |
[PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd() |
Date: |
Thu, 1 Apr 2021 08:49:30 +0100 |
If the guest tries to read a CDB using DMA and cmdfifo is not empty then it is
possible to overflow cmdfifo.
Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of the CDB transferred to cmdfifo is
limited to the available free space within cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
hw/scsi/esp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 7f49522e1d..c547c60395 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -243,6 +243,7 @@ static uint32_t get_cmd(ESPState *s, uint32_t maxlen)
}
if (s->dma_memory_read) {
s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ dmalen = MIN(fifo8_num_free(&s->fifo), dmalen);
fifo8_push_all(&s->cmdfifo, buf, dmalen);
} else {
if (esp_select(s) < 0) {
--
2.20.1
- Re: [PATCH v3 04/11] esp: consolidate esp_cmdfifo_pop() into esp_fifo_pop(), (continued)
- [PATCH v3 06/11] esp: ensure cmdfifo is not empty and current_dev is non-NULL, Mark Cave-Ayland, 2021/04/01
- [PATCH v3 07/11] esp: don't underflow cmdfifo in do_cmd(), Mark Cave-Ayland, 2021/04/01
- [PATCH v3 08/11] esp: don't overflow cmdfifo in get_cmd(),
Mark Cave-Ayland <=
- [PATCH v3 09/11] esp: don't overflow cmdfifo if TC is larger than the cmdfifo size, Mark Cave-Ayland, 2021/04/01
- [PATCH v3 10/11] esp: don't reset async_len directly in esp_select() if cancelling request, Mark Cave-Ayland, 2021/04/01
- [PATCH v3 11/11] tests/qtest: add tests for am53c974 device, Mark Cave-Ayland, 2021/04/01
- Re: [PATCH v3 00/11] esp: fix asserts/segfaults discovered by fuzzer, Alexander Bulekov, 2021/04/01