From: Mark Cave-Ayland
To: pbonzini@redhat.com, fam@euphon.net, alxndr@bu.edu, qemu-devel@nongnu.org
Date: Sat, 30 Jul 2022 13:26:55 +0100
Message-Id: <20220730122656.253448-2-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20220730122656.253448-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH for-7.1 1/2] scsi-disk: fix overflow when block size is not a multiple of BDRV_SECTOR_SIZE

In scsi_disk_emulate_write_same() the number of host sectors to transfer is calculated as (s->qdev.blocksize / BDRV_SECTOR_SIZE) which is then used to copy data in block size chunks to the iov buffer.
Since the loop copying the data to the iov buffer uses a fixed increment of s->qdev.blocksize then using a block size that isn't a multiple of BDRV_SECTOR_SIZE introduces a rounding error in the iov buffer size calculation such that the iov buffer copy overflows the space allocated.

Update the iov buffer copy for() loop so that it will use the smallest of either the current block size or the remaining transfer count to prevent the overflow.

Signed-off-by: Mark Cave-Ayland
---
hw/scsi/scsi-disk.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index f5cdb9ad4b..3027ac3b1e 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -1849,7 +1849,7 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq = *r, uint8_t *inbuf) uint32_t nb_sectors =3D scsi_data_cdb_xfer(r->req.cmd.buf); WriteSameCBData *data; uint8_t *buf; - int i; + int i, l; =20 /* Fail if PBDATA=3D1 or LBDATA=3D1 or ANCHOR=3D1. */ if (nb_sectors =3D=3D 0 || (req->cmd.buf[1] & 0x16)) {
@@ -1891,8 +1891,9 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq = *r, uint8_t *inbuf) data->iov.iov_len); qemu_iovec_init_external(&data->qiov, &data->iov, 1); =20 - for (i =3D 0; i < data->iov.iov_len; i +=3D s->qdev.blocksize) { - memcpy(&buf[i], inbuf, s->qdev.blocksize); + for (i =3D 0; i < data->iov.iov_len; i +=3D l) { + l =3D MIN(s->qdev.blocksize, data->iov.iov_len - i); + memcpy(&buf[i], inbuf, l); } =20 scsi_req_ref(&r->req); --=20 2.30.2

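Review bot: the MIN() clamp in the @@ -1891 hunk keeps the memcpy inside data->iov.iov_len, but it does so by truncating the final guest block rather than refusing the request, so a block size that is not a multiple of BDRV_SECTOR_SIZE still yields a WRITE SAME whose last block is only partially written; consider also rejecting such sizes where they are set, or failing the command here when `s->qdev.blocksize % BDRV_SECTOR_SIZE` is non-zero, and say in the commit message that the clamp only bounds the copy. Minor: `l` is declared `int` in the first hunk while `data->iov.iov_len - i` is `size_t`, so `MIN()` compares signed against unsigned; `size_t l` would match `iov_len` and avoid the mixed-sign comparison.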
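To make the rounding error described in the commit message concrete, here is an added C model (not QEMU's code) of the iov buffer sizing together with the pre-patch and patched copy loops; BDRV_SECTOR_SIZE = 512, the host-sector arithmetic nb_blocks * (blocksize / BDRV_SECTOR_SIZE) and the pattern block are assumptions constructed from the description above.

```c
/* Added example, not QEMU code: models the WRITE SAME buffer sizing the
 * commit message describes. Assumed: BDRV_SECTOR_SIZE is 512 and the host
 * sector count is nb_blocks * (blocksize / BDRV_SECTOR_SIZE). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BDRV_SECTOR_SIZE 512u
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Integer division rounds down when blocksize is not a multiple of 512,
 * so the allocated buffer is smaller than nb_blocks * blocksize. */
static size_t iov_len_for(uint32_t blocksize, uint32_t nb_blocks)
{
    return (size_t)nb_blocks * (blocksize / BDRV_SECTOR_SIZE) * BDRV_SECTOR_SIZE;
}

/* Pre-patch loop, simulated only: returns how many bytes the fixed-size
 * copies would write past the end of the iov buffer (0 means in bounds). */
static size_t unfixed_overrun(uint32_t blocksize, uint32_t nb_blocks)
{
    size_t iov_len = iov_len_for(blocksize, nb_blocks), i, worst = 0;
    for (i = 0; i < iov_len; i += blocksize) {
        size_t end = i + blocksize;      /* memcpy(&buf[i], inbuf, blocksize) */
        if (end > iov_len && end - iov_len > worst)
            worst = end - iov_len;
    }
    return worst;
}

/* Patched loop, run for real on a constructed pattern block: each copy is
 * clamped to the remaining space. Returns bytes copied (equal to the buffer
 * size), or (size_t)-1 if the buffer does not hold the repeated pattern. */
static size_t fixed_copied(uint32_t blocksize, uint32_t nb_blocks)
{
    size_t iov_len = iov_len_for(blocksize, nb_blocks), i, l, copied = 0;
    uint8_t *inbuf = malloc(blocksize), *buf = malloc(iov_len + 1);
    for (i = 0; i < blocksize; i++) inbuf[i] = (uint8_t)i;  /* constructed */
    for (i = 0; i < iov_len; i += l) {
        l = MIN(blocksize, iov_len - i);
        memcpy(&buf[i], inbuf, l);
        copied += l;
    }
    for (i = 0; i < iov_len; i++)
        if (buf[i] != (uint8_t)(i % blocksize)) copied = (size_t)-1;
    free(inbuf); free(buf);
    return copied;
}
```

With a 768-byte block size and one guest block the buffer is 512 bytes, the old loop would write 256 bytes past it, and the patched loop copies exactly 512; a 256-byte block size yields a zero-length buffer in either version.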
From: Mark Cave-Ayland
To: pbonzini@redhat.com, fam@euphon.net, alxndr@bu.edu, qemu-devel@nongnu.org
Date: Sat, 30 Jul 2022 13:26:56 +0100
Message-Id: <20220730122656.253448-3-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20220730122656.253448-1-mark.cave-ayland@ilande.co.uk>
Subject: [PATCH for-7.1 2/2] scsi-disk: ensure block size is non-zero and changes limited to bits 8-15

The existing code assumes that the block size can be generated from p[1] << 8 in multiple places which ignores the top and bottom 8 bits.
If the block size is allowed to be set to an arbitrary value then this causes a mismatch between the value written by the guest in the block descriptor and the value subsequently read back using READ CAPACITY causing the guest to generate requests that can crash QEMU.

For now restrict block size changes to bits 8-15 and also ignore requests to set the block size to 0 which causes the SCSI emulation to crash in at least one place with a divide by zero error.

Fixes: 356c4c441e ("scsi-disk: allow MODE SELECT block descriptor to set the block size")
Closes: https://gitlab.com/qemu-project/qemu/-/issues/1112
Signed-off-by: Mark Cave-Ayland
---
hw/scsi/scsi-disk.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index 3027ac3b1e..efee6739f9 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -1591,7 +1591,7 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq= *r, uint8_t *inbuf) int cmd =3D r->req.cmd.buf[0]; int len =3D r->req.cmd.xfer; int hdr_len =3D (cmd =3D=3D MODE_SELECT ? 4 : 8); - int bd_len; + int bd_len, bs; int pass; =20 if ((r->req.cmd.buf[1] & 0x11) !=3D 0x10) {
@@ -1617,9 +1617,19 @@ static void scsi_disk_emulate_mode_select(SCSIDiskRe= q *r, uint8_t *inbuf) } =20 /* Allow changing the block size */ - if (bd_len && p[6] !=3D (s->qdev.blocksize >> 8)) { - s->qdev.blocksize =3D p[6] << 8; - trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + if (bd_len) { + bs =3D p[5] << 16 | p[6] << 8 | p[7]; + + /* + * Since the existing code only checks/updates bits 8-15 of the bl= ock + * size, restrict ourselves to the same requirement for now to ens= ure + * that a block size set by a block descriptor and then read back = by + * a subsequent SCSI command will be the same + */ + if (bs && !(bs & ~0xff00) && bs !=3D s->qdev.blocksize) { + s->qdev.blocksize =3D bs; + trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + } } =20 len -=3D bd_len; --=20 2.30.2
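Review bot: the `!(bs & ~0xff00)` test in the @@ -1617 hunk accepts any value whose only set bits are 8-15, which includes sizes such as 256 and 768 that are neither powers of two nor multiples of BDRV_SECTOR_SIZE, so the mismatch that patch 1 works around is still reachable through MODE SELECT; consider additionally requiring `bs % BDRV_SECTOR_SIZE == 0` (or a power-of-two check) here, or at least stating in the block comment that such sizes remain accepted. Two smaller points: p[5], p[6] and p[7] are read under only `if (bd_len)`, so bd_len should be verified to be at least 8 before this point; and a zero or out-of-range length is dropped silently while the command still completes with GOOD status, whereas failing MODE SELECT with CHECK CONDITION (INVALID FIELD IN PARAMETER LIST) would tell the guest its descriptor was not applied, which also matches the "ignore requests" wording in the commit message needing to say so explicitly.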
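To show what the hunk changes in practice, here is an added C model (not QEMU's code) of the block descriptor handling before and after the patch; the 24-bit decode of bytes 5..7 and the 0xff00 mask follow the hunk, while the 8-byte descriptor layout built by make_descriptor() and the sample lengths are assumptions constructed for the example.

```c
/* Added example, not QEMU code: models the MODE SELECT block descriptor
 * handling before and after the patch. The 24-bit block length in bytes
 * 5..7 and the 0xff00 mask come from the hunk; the 8-byte descriptor
 * layout used by make_descriptor() is an assumption. */
#include <stdint.h>
#include <string.h>

/* Pre-patch: compares byte 6 only and derives the new size as p[6] << 8,
 * silently dropping bits 0-7 and 16-23 of what the guest wrote. */
static uint32_t old_apply_blocksize(uint32_t cur, const uint8_t *p)
{
    if (p[6] != (cur >> 8)) {
        cur = (uint32_t)p[6] << 8;   /* 0x010000 becomes 0: later divide by zero */
    }
    return cur;
}

/* Post-patch: decode all 24 bits, accept only a non-zero value that fits
 * in bits 8-15, otherwise leave the current block size untouched. */
static uint32_t new_apply_blocksize(uint32_t cur, const uint8_t *p)
{
    uint32_t bs = (uint32_t)p[5] << 16 | (uint32_t)p[6] << 8 | p[7];
    if (bs && !(bs & ~0xff00u) && bs != cur) {
        cur = bs;
    }
    return cur;
}

/* Constructed 8-byte block descriptor: number of blocks 0, byte 4
 * reserved, bytes 5..7 = big-endian block length (assumed layout). */
static void make_descriptor(uint8_t p[8], uint32_t block_len)
{
    memset(p, 0, 8);
    p[5] = (uint8_t)(block_len >> 16);
    p[6] = (uint8_t)(block_len >> 8);
    p[7] = (uint8_t)block_len;
}

/* Run one guest-requested block length through the old (patched == 0) or
 * new (patched != 0) logic and return the resulting s->qdev.blocksize. */
static uint32_t apply_blocksize(int patched, uint32_t cur, uint32_t block_len)
{
    uint8_t p[8];
    make_descriptor(p, block_len);
    return patched ? new_apply_blocksize(cur, p) : old_apply_blocksize(cur, p);
}
```

A guest writing 0x010000 or 0 drives the old path to a zero block size, while the new path keeps 512; note that 768 still passes the new check even though it is not a multiple of 512.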