[Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs

Paolo Bonzini posted 7 patches 8 years, 5 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/qemu tags/patchew/20170606121747.25356-1-pbonzini@redhat.com
Test FreeBSD passed
Test checkpatch failed
Test docker passed
Test s390x passed
hw/scsi/megasas.c      | 175 ++++++++++++++++++++++---------------------------
tests/Makefile.include |   3 +
tests/megasas-test.c   |  86 ++++++++++++++++++++++++
3 files changed, 168 insertions(+), 96 deletions(-)
create mode 100644 tests/megasas-test.c
[Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs
Posted by Paolo Bonzini 8 years, 5 months ago
The first patch adds a simple no-op qtest.  Patches 2-6 change the
device to only read from cmd->frame once, thus avoiding TOCTOU
bugs and possible vulnerabilities.

The last patch fixes a NULL pointer dereference reported by PJP.
It has a dependency on patch 4, because megasas_abort_command now
needs an extra cmd->dcmd_opcode != -1 check (and cmd->dcmd_opcode is
added in patch 4).

Paolo

Paolo Bonzini (7):
  megasas: add qtest
  megasas: do not read sense length more than once from frame
  megasas: do not read iovec count more than once from frame
  megasas: do not read DCMD opcode more than once from frame
  megasas: do not read command more than once from frame
  megasas: do not read SCSI req parameters more than once from frame
  megasas: always store SCSIRequest* into MegasasCmd


-- 
2.13.0
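The "read from cmd->frame once" rule behind patches 2-6, shown as an added standalone example (not QEMU's megasas.c): a device-side handler that dereferences a guest-shared frame field twice can be raced between its check and its use, while a handler that copies the field into a local once cannot. The frame layout, the `sense_len` field name and the `race` callback that stands in for a concurrent guest are all constructed for this illustration.

```c
/* Added example, not QEMU code: a MegaSAS-style command frame lives in
 * guest memory, so every dereference of it is a fresh read the guest can
 * change in between. Field names and layout are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SENSE_BUF_SIZE 32

/* Hypothetical guest-shared command frame (constructed for this example). */
struct frame {
    uint32_t sense_len;
    uint8_t  sense[256];
};

/* Stands in for the guest rewriting the frame between two device reads. */
typedef void (*guest_race_fn)(struct frame *f);

/* VULNERABLE pattern: the length is read twice. The bounds check uses the
 * first read, the copy length comes from the second. To keep this demo
 * memory-safe the oversized copy is skipped, but the returned length is
 * what the real code would have passed to memcpy. */
static size_t handle_sense_toctou(struct frame *f, uint8_t *out, guest_race_fn race)
{
    if (f->sense_len > SENSE_BUF_SIZE) {     /* time of check: read #1 */
        return 0;
    }
    if (race) {
        race(f);                             /* guest changes the frame here */
    }
    size_t n = f->sense_len;                 /* time of use: read #2 */
    if (n <= SENSE_BUF_SIZE) {
        memcpy(out, f->sense, n);
    }
    return n;
}

/* FIXED pattern (what the series does per field): copy the field into a
 * local exactly once, validate the local, and never touch the frame again. */
static size_t handle_sense_once(struct frame *f, uint8_t *out, guest_race_fn race)
{
    uint32_t sense_len = f->sense_len;       /* the single read */
    if (sense_len > SENSE_BUF_SIZE) {
        return 0;
    }
    if (race) {
        race(f);                             /* later frame edits are irrelevant */
    }
    memcpy(out, f->sense, sense_len);
    return sense_len;
}

/* Constructed race: the guest enlarges sense_len after the check passed. */
static void grow_len(struct frame *f) { f->sense_len = 200; }
```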


Re: [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs
Posted by no-reply@patchew.org 8 years, 5 months ago
Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20170606121747.25356-1-pbonzini@redhat.com
Subject: [Qemu-devel] [PATCH 0/7] megasas: fix TOCTOU and segmentation fault bugs

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

git config --local diff.renamelimit 0
git config --local diff.renames True

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
    echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
    if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
        failed=1
        echo
    fi
    n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 - [tag update]      patchew/149676554488.4134.16095044562334102742.stgit@bahia.lab.toulouse-stg.fr.ibm.com -> patchew/149676554488.4134.16095044562334102742.stgit@bahia.lab.toulouse-stg.fr.ibm.com
 * [new tag]         patchew/20170606162652.112122-1-vsementsov@virtuozzo.com -> patchew/20170606162652.112122-1-vsementsov@virtuozzo.com
Switched to a new branch 'test'
0b82e47 megasas: always store SCSIRequest* into MegasasCmd
2ce51ba megasas: do not read SCSI req parameters more than once from frame
61b5ec4 megasas: do not read command more than once from frame
54af167 megasas: do not read DCMD opcode more than once from frame
6b02091 megasas: do not read iovec count more than once from frame
48401c2 megasas: do not read sense length more than once from frame
9520472 megasas: add qtest

=== OUTPUT BEGIN ===
Checking PATCH 1/7: megasas: add qtest...
Checking PATCH 2/7: megasas: do not read sense length more than once from frame...
Checking PATCH 3/7: megasas: do not read iovec count more than once from frame...
Checking PATCH 4/7: megasas: do not read DCMD opcode more than once from frame...
Checking PATCH 5/7: megasas: do not read command more than once from frame...
Checking PATCH 6/7: megasas: do not read SCSI req parameters more than once from frame...
Checking PATCH 7/7: megasas: always store SCSIRequest* into MegasasCmd...
ERROR: space required after that ',' (ctx:VxV)
#139: FILE: tests/megasas-test.c:56:
+    dev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
                                                    ^

total: 1 errors, 0 warnings, 140 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@freelists.org