From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Alexander Bulekov, Fam Zheng, Thomas Huth, Paolo Bonzini, Laurent Vivier, Hannes Reinecke, Li Qiang, Philippe Mathieu-Daudé
Subject: [PATCH 1/3] tests/qtest/fuzz-test: Quit test_lp1878642 once done
Date: Tue, 1 Dec 2020 16:13:17 +0100
Message-Id: <20201201151319.2943325-2-philmd@redhat.com>
In-Reply-To: <20201201151319.2943325-1-philmd@redhat.com>
References: <20201201151319.2943325-1-philmd@redhat.com>

Missed in fd250172842 ("qtest: add a reproducer for LP#1878642").

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Thomas Huth
---
 tests/qtest/fuzz-test.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
index 9cb4c42bdea..87b72307a5b 100644
--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
@@ -45,6 +45,7 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(v= oid) qtest_outl(s, 0xcf8, 0x8400f841); qtest_outl(s, 0xcfc, 0xebed205d); qtest_outl(s, 0x5d02, 0xebed205d); + qtest_quit(s); } =20 int main(int argc, char **argv) --=20 2.26.2
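Review bot: the added qtest_quit(s) at the end of test_lp1878642_pci_bus_get_irq_level_assert() is the right fix; as the context lines show, the function previously returned right after its three qtest_outl() writes without releasing the QEMU instance it was driving, so every run of this test left a qemu-system process behind for the harness to reap. Nothing else to change in this hunk; the commit message could say that fd250172842 left the instance running, rather than only "Missed in".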
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Alexander Bulekov, Fam Zheng, Thomas Huth, Paolo Bonzini, Laurent Vivier, Hannes Reinecke, Li Qiang, Philippe Mathieu-Daudé
Subject: [PATCH 2/3] hw/scsi/megasas: Assert cdb_len is valid in megasas_handle_scsi()
Date: Tue, 1 Dec 2020 16:13:18 +0100
Message-Id: <20201201151319.2943325-3-philmd@redhat.com>
In-Reply-To: <20201201151319.2943325-1-philmd@redhat.com>
References: <20201201151319.2943325-1-philmd@redhat.com>

cdb_len can not be zero... (or less than 6) here, else we have an
out-of-bound read first in scsi_cdb_length():

  71 int scsi_cdb_length(uint8_t *buf)
  72 {
  73     int cdb_len;
  74
  75     switch (buf[0] >> 5) {
  76     case 0:
  77         cdb_len = 6;
  78         break;

Then another out-of-bound read when the size returned by
scsi_cdb_length() is used.

Add a reproducer which triggers:

  $ make check-qtest-x86_64
    Running test qtest-x86_64/fuzz-test
  qemu-system-x86_64: hw/scsi/megasas.c:1679: megasas_handle_scsi: Assertion `cdb_len > 0 && scsi_cdb_length(cdb) >= cdb_len' failed.
  tests/qtest/libqtest.c:181: kill_qemu() detected QEMU death from signal 6 (Aborted) (core dumped)
  ERROR qtest-x86_64/fuzz-test - too few tests run (expected 1, got 0)

Inspired-by: Alexander Bulekov
Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- hw/scsi/megasas.c | 1 + tests/qtest/fuzz-test.c | 196 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 197 insertions(+) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 1a5fc5857db..28efd094111 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -1676,6 +1676,7 @@ static int megasas_handle_scsi(MegasasState *s, Megas= asCmd *cmd, lun_id =3D cmd->frame->header.lun_id; cdb_len =3D cmd->frame->header.cdb_len; =20 + assert(cdb_len > 0 && scsi_cdb_length(cdb) >=3D cdb_len); if (is_logical) { if (target_id >=3D MFI_MAX_LD || lun_id !=3D 0) { trace_megasas_scsi_target_not_present( diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c index 87b72307a5b..42e88d761b8 100644 --- a/tests/qtest/fuzz-test.c +++ b/tests/qtest/fuzz-test.c 
@@ -48,6 +48,200 @@ static void test_lp1878642_pci_bus_get_irq_level_assert= (void) qtest_quit(s); } =20 +static void test_megasas_cdb_len_zero(void) +{ + static const unsigned char megasas_blob1[] =3D { + 0x03, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60 + }, + megasas_blob2[] =3D { + 0x03, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, = 0x3e, + 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, = 0xaa, + 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x2e, 0x3e, 0x00, 0xff, = 0x00, + 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, = 0x0d, + 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, = 0x00, + 0xff, 0xff, 0x59, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, = 0xfe, + 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, = 0x5a, + 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x84, 0x3e, = 0x00, + 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, = 0x51, + 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, = 0x00, + 0xeb, 0x00, 0xff, 0xff, 0xaf, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, = 0x60, + 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, = 0x15, + 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, = 0xda, + 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, = 0x00, + 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, = 0x14, + 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x05, 0x3e, 0x00, 0xff, 0x00, = 0x00, + 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, = 0xea, + 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, = 0xff, + 0xff, 0x30, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, = 0xff, + 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, = 0xff, + 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x5b, 0x3e, 0x00, = 0xff, + 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, = 0x00, + 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 
0xaa, 0x14, 0x02, 0x00, = 0xeb, + 0x00, 0xff, 0xff, 0x86, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, = 0xff, + 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, = 0x5a, + 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0xb1, = 0x3e, + 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, = 0x17, + 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, = 0x02, + 0x00, 0xeb, 0x00, 0xff, 0xff, 0xdc, 0x3e, 0x00, 0xff, 0x00, 0x00, = 0x00, + 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, = 0x46, + 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, = 0xff, + 0x07, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, = 0x3e, + 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, = 0xaa, + 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x32, 0x3e, 0x00, 0xff, = 0x00, + 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, = 0x0d, + 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, = 0x00, + 0xff, 0xff, 0x5d, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, = 0xfe, + 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, = 0x5a, + 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x88, 0x3e, = 0x00, + 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, = 0x51, + 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, = 0x00, + 0xeb, 0x00, 0xff, 0xff, 0xb3, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, = 0x60, + 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, = 0x15, + 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, = 0xde, + 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, = 0x00, + 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, = 0x14, + 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x09, 0x3e, 0x00, 0xff, 0x00, = 0x00, + 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, = 0xea, + 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 
= 0xff, + 0xff, 0x34, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, = 0xff, + 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, = 0xff, + 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x5f, 0x3e, 0x00, = 0xff, + 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, = 0x00, + 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, = 0xeb, + 0x00, 0xff, 0xff, 0x8a, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, = 0xff, + 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, = 0x5a, + 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0xb5, = 0x3e, + 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, = 0x17, + 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, = 0x02, + 0x00, 0xeb, 0x00, 0xff, 0xff, 0xe0, 0x3e, 0x00, 0xff, 0x00, 0x00, = 0x00, + 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, = 0x46, + 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, = 0xff, + 0x0b, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, = 0x3e, + 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, = 0xaa, + 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x36, 0x3e, 0x00, 0xff, = 0x00, + 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, = 0x0d, + 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, = 0x00, + 0xff, 0xff, 0x61, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, = 0xfe, + 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, = 0x5a, + 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x8c, 0x3e, = 0x00, + 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, = 0x51, + 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, = 0x00, + 0xeb, 0x00, 0xff, 0xff, 0xb7, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, = 0x60, + 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, = 0x15, + 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, = 0xe2, + 0x3e, 0x00, 
0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, = 0x00, + 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, = 0x14, + 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x0d, 0x3e, 0x00, 0xff, 0x00, = 0x00, + 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, = 0xea, + 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, = 0xff, + 0xff, 0x38, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, = 0xff, + 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, = 0xff, + 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x63, 0x3e, 0x00, = 0xff, + 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, = 0x00, + 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, = 0xeb, + 0x00, 0xff, 0xff, 0x8e, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, = 0xff, + 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, = 0x5a, + 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0xb9, = 0x3e, + 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, = 0x17, + 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, = 0x02, + 0x00, 0xeb, 0x00, 0xff, 0xff, 0xe4, 0x3e, 0x00, 0xff, 0x00, 0x00, = 0x00, + 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, = 0x46, + 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, = 0xff, + 0x0f, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, = 0x3e, + 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, = 0xaa, + 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x3a, 0x3e, 0x00, 0xff, = 0x00, + 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, = 0x0d, + 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, = 0x00, + 0xff, 0xff, 0x65, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, = 0xfe, + 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, = 0x5a, + 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x90, 0x3e, = 0x00, + 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 
0xfe, 0xff, 0x3e, 0x00, 0x17, = 0x51, + 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, = 0x00, + 0xeb, 0x00, 0xff, 0xff, 0xbb, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, = 0x60, + 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, = 0x15, + 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, = 0xe6, + 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, = 0x00, + 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, = 0x14, + 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x11, 0x3e, 0x00, 0xff, 0x00, = 0x00, + 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, = 0xea, + 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, = 0xff, + 0xff, 0x3c, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, = 0xff, + 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, = 0xff, + 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x67, 0x3e, 0x00, = 0xff, + 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, = 0x00, + 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, = 0xeb, + 0x00, 0xff, 0xff, 0x92, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, = 0xff, + 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, = 0x5a, + 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0xbd, = 0x3e, + 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, = 0x17, + 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, = 0x02, + 0x00, 0xeb, 0x00, 0xff, 0xff, 0xe8, 0x3e, 0x00, 0xff, 0x00, 0x00, = 0x00, + 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, = 0x46, + 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, = 0xff, + 0x13, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, = 0x3e, + 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, = 0xaa, + 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x3e, 0x3e, 0x00, 0xff, = 0x00, + 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 
0x00, = 0x0d, + 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, = 0x00, + 0xff, 0xff, 0x69, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, = 0xfe, + 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, = 0x5a, + 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x94, 0x3e, = 0x00, + 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, = 0x51, + 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, = 0x00, + 0xeb, 0x00, 0xff, 0xff, 0xbf, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, = 0x60, + 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, = 0x15, + 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, = 0xea, + 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, = 0x00, + 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, = 0x14, + 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x15, 0x3e, 0x00, 0xff, 0x00, = 0x00, + 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, = 0xea, + 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, = 0xff, + 0xff, 0x40, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, = 0xff, + 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, = 0xff, + 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x6b, 0x3e, 0x00, = 0xff, + 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, = 0x00, + 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, = 0xeb, + 0x00, 0xff, 0xff, 0x96, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, = 0xff, + 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, = 0x5a, + 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0xc1, = 0x3e, + 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, = 0x17, + 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, = 0x02, + 0x00, 0xeb, 0x00, 0xff, 0xff, 0xec, 0x3e, 0x00, 0xff, 0x00, 0x00, = 0x00, + 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, = 0x46, + 0x15, 
0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, = 0xff, + 0x17, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, = 0x3e, + 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, = 0xaa, + 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x42, 0x3e, 0x00, 0xff, = 0x00, + 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, = 0x0d, + 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, = 0x00, + 0xff, 0xff, 0x6d, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, = 0xfe, + 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, = 0x5a, + 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, 0x98, 0x3e, = 0x00, + 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, = 0x51, + 0x00, 0x0d, 0xea, 0x46, 0x15, 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, = 0x00, + 0xeb, 0x00, 0xff, 0xff, 0xc3, 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, = 0x60, + 0xff, 0xfe, 0xff, 0x3e, 0x00, 0x17, 0x51, 0x00, 0x0d, 0xea, 0x46, = 0x15, + 0x5a, 0x5a, 0xff, 0xaa, 0x14, 0x02, 0x00, 0xeb, 0x00, 0xff, 0xff, = 0xee, + 0x3e, 0x00, 0xff, 0x00, 0x00, 0x00, 0x60, 0xff, 0xfe, 0xff, 0x3e, = 0x00, + 0x17, 0x51, 0x00, 0x0d + }; + QTestState *s; + + s =3D qtest_init("-M pc -nodefaults " + "-device megasas-gen2 -device scsi-cd,drive=3Dnull0 " + "-blockdev driver=3Dnull-co,read-zeroes=3Don,node-name= =3Dnull0"); + + qtest_outl(s, 0xcf8, 0x80001011); + qtest_outb(s, 0xcfc, 0xbb); + qtest_outl(s, 0xcf8, 0x80001002); + qtest_outl(s, 0xcfc, 0xf3ff2966); + qtest_memwrite(s, 0x4608, megasas_blob1, sizeof(megasas_blob1)); + qtest_memwrite(s, 0x4600, megasas_blob1, sizeof(megasas_blob1)); + qtest_memwrite(s, 0x4610, megasas_blob2, sizeof(megasas_blob2)); + qtest_outw(s, 0xbb40, 0x460b); + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch =3D qtest_get_arch(); 
@@ -59,6 +253,8 @@ int main(int argc, char **argv) test_lp1878263_megasas_zero_iov_cnt); qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert", test_lp1878642_pci_bus_get_irq_level_assert); + qtest_add_func("fuzz/test_megasas_cdb_len_zero", + test_megasas_cdb_len_zero); } =20 return g_test_run(); --=20 2.26.2
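Review bot: in the hw/scsi/megasas.c hunk, the assertion is weaker than the commit message claims. The message says cdb_len cannot be zero "or less than 6", but `assert(cdb_len > 0 && scsi_cdb_length(cdb) >= cdb_len)` only rejects cdb_len == 0 and a cdb_len larger than the length scsi_cdb_length() derives from the opcode byte; a frame carrying a group-0 opcode with cdb_len between 1 and 5 still passes. Either add the lower bound to the condition or reword the message so the two agree. Separately, cdb_len is read straight from the guest-written frame (`cdb_len = cmd->frame->header.cdb_len;` in the context lines), so an assert() at this point lets a guest abort the whole VM; that is tolerable as a marker while the reproducer is being added, but the reject-and-return-a-status form used in patch 3 of this series is what should land.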
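Review bot: the tests/qtest/fuzz-test.c hunk registers a test that fails at this point in the series: the commit message's own transcript ends in "ERROR qtest-x86_64/fuzz-test - too few tests run (expected 1, got 0)" because the assert added in the same patch aborts QEMU, and nothing turns that into a clean return until patch 3. That leaves `make check-qtest-x86_64` red between 2/3 and 3/3 and breaks bisection; move the reproducer after the fix, or land the assert and the fix together. Also, megasas_blob2 is close to 200 lines of fuzzer bytes with no comment on which of them form the MFI frame header and where the zero cdb_len sits; a short comment on the layout (or a minimised blob) would keep test_megasas_cdb_len_zero maintainable when the device model changes.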
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Alexander Bulekov, Fam Zheng, Thomas Huth, Paolo Bonzini, Laurent Vivier, Hannes Reinecke, Li Qiang, Philippe Mathieu-Daudé
Subject: [RFC PATCH 3/3] hw/scsi/megasas: Have incorrect cdb return MFI_STAT_ABORT_NOT_POSSIBLE
Date: Tue, 1 Dec 2020 16:13:19 +0100
Message-Id: <20201201151319.2943325-4-philmd@redhat.com>
In-Reply-To: <20201201151319.2943325-1-philmd@redhat.com>
References: <20201201151319.2943325-1-philmd@redhat.com>

Avoid out-of-bound array access when an invalid CDB is provided.

Signed-off-by: Philippe Mathieu-Daudé
---
RFC because I have no clue how hardware works.
Maybe returning MFI_STAT_ARRAY_INDEX_INVALID is better?
Do we need to call megasas_write_sense()?

 hw/scsi/megasas.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 28efd094111..d89a3c8c3ce 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1676,7 +1676,12 @@ static int megasas_handle_scsi(MegasasState *s, Mega= sasCmd *cmd, lun_id =3D cmd->frame->header.lun_id; cdb_len =3D cmd->frame->header.cdb_len; =20 - assert(cdb_len > 0 && scsi_cdb_length(cdb) >=3D cdb_len); + if (!cdb_len || scsi_cdb_length(cdb) < cdb_len) { + trace_megasas_scsi_invalid_cdb_len(mfi_frame_desc(frame_cmd), + is_logical, target_id, + lun_id, cdb_len); + return MFI_STAT_ABORT_NOT_POSSIBLE; + } if (is_logical) { if (target_id >=3D MFI_MAX_LD || lun_id !=3D 0) { trace_megasas_scsi_target_not_present( --=20 2.26.2
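Review bot: trace_megasas_scsi_invalid_cdb_len() is called in the hunk, but the diffstat lists only hw/scsi/megasas.c (1 file changed, 6 insertions, 1 deletion), so the matching line in hw/scsi/trace-events, from which QEMU generates the trace_* function, is missing and this will not build as posted. On the RFC question: MFI_STAT_ABORT_NOT_POSSIBLE describes a failed abort rather than a malformed frame, and MFI_STAT_ARRAY_INDEX_INVALID is no closer; a parameter-validation status reads better if mfi.h provides one. The shape is otherwise right: the guest-supplied cdb_len is now rejected before the value scsi_cdb_length() derives from it is used, which is exactly the second out-of-bound read patch 2's commit message describes, and the return replaces the guest-triggerable assert with a status the driver can see.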
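As an added illustration, not code from this series or from QEMU, here is the check that patches 2 and 3 place in front of scsi_cdb_length(), modelled on a stripped-down frame and run over constructed samples. Assumed: the two-field struct pass_frame stands in for the MFI pass-through frame, the FRAME_* values stand in for the MFI_STAT_* codes, and the cases of scsi_cdb_length() beyond the one the commit message quotes follow QEMU's implementation (groups 1 and 2 give 10, group 4 gives 16, group 5 gives 12, anything else -1).

```c
/* Added example, not QEMU code: models the cdb_len check from this series. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Placeholders standing in for the MFI_STAT_* codes; only the
 * accept/reject decision is modelled here. */
enum frame_status { FRAME_OK = 0, FRAME_REJECTED = 1 };

/* Assumed simplification: only the two header fields the check reads.
 * The real MFI pass-through frame carries many more. */
struct pass_frame {
    uint8_t cdb_len;   /* guest-declared CDB length */
    uint8_t cdb[16];   /* fixed-size CDB area inside the frame */
};

/* Opcode group (bits 7..5 of byte 0) to CDB length, as QEMU's
 * scsi_cdb_length() does. The commit message shows only case 0; the
 * remaining cases follow the SCSI command-group layout. */
int scsi_cdb_length(const uint8_t *buf)
{
    switch (buf[0] >> 5) {
    case 0:  return 6;
    case 1:
    case 2:  return 10;
    case 4:  return 16;
    case 5:  return 12;
    default: return -1;   /* reserved or vendor-specific group */
    }
}

/* The condition patch 3 puts in megasas_handle_scsi(): reject a zero
 * length, an opcode group the table does not know (-1) and a declared
 * length longer than the opcode's group implies. Note what it still
 * accepts: 0 < cdb_len < 6 for a group-0 opcode. */
enum frame_status validate_cdb(const struct pass_frame *f)
{
    if (!f->cdb_len || scsi_cdb_length(f->cdb) < f->cdb_len) {
        return FRAME_REJECTED;
    }
    return FRAME_OK;
}

/* Constructed frame: opcode in cdb[0], every other byte zero. */
struct pass_frame make_frame(uint8_t cdb_len, uint8_t opcode)
{
    struct pass_frame f;
    memset(&f, 0, sizeof(f));
    f.cdb_len = cdb_len;
    f.cdb[0] = opcode;
    return f;
}

/* Convenience wrapper: 1 if a frame built from (cdb_len, opcode) passes. */
int cdb_accepted(uint8_t cdb_len, uint8_t opcode)
{
    struct pass_frame f = make_frame(cdb_len, opcode);
    return validate_cdb(&f) == FRAME_OK;
}

static void show(uint8_t cdb_len, uint8_t opcode)
{
    printf("cdb_len=%2u opcode=0x%02x -> %s\n", cdb_len, opcode,
           cdb_accepted(cdb_len, opcode) ? "accepted" : "rejected");
}

int main(void)
{
    /* Constructed samples: INQUIRY (0x12, group 0), READ(10) (0x28,
     * group 1), READ(16) (0x88, group 4) and a reserved group-3 byte. */
    show(0, 0x12);    /* zero length: rejected */
    show(6, 0x12);    /* matches the group-0 length: accepted */
    show(10, 0x12);   /* declared longer than group 0 allows: rejected */
    show(10, 0x28);   /* group 1, 10 bytes: accepted */
    show(16, 0x88);   /* group 4, 16 bytes: accepted */
    show(6, 0x7f);    /* unknown group, length -1: rejected */
    show(3, 0x12);    /* shorter than the group implies: still accepted */
    return 0;
}
```

The last sample shows what this condition does not reject: a group-0 opcode declared with a cdb_len between 1 and 5.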