From: Nicholas Piggin
To: Gerd Hoffmann
Cc: Nicholas Piggin, qemu-devel@nongnu.org, Kevin Wolf, Paolo Bonzini, "Michael S. Tsirkin", Marcel Apfelbaum, Fabiano Rosas, Laurent Vivier, Phil Dennis-Jordan, Bernhard Beschow, Philippe Mathieu-Daudé
Subject: [PATCH v4 14/22] usb/msd: Improve packet validation error logging
Date: Fri, 2 May 2025 13:30:38 +1000
Message-ID: <20250502033047.102465-15-npiggin@gmail.com>
In-Reply-To: <20250502033047.102465-1-npiggin@gmail.com>

Errors in incoming USB MSD packet format or context would typically be
guest software errors. Log these under guest errors.

Signed-off-by: Nicholas Piggin Reviewed-by: Kevin Wolf --- hw/usb/dev-storage.c | 53 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c index fda14271eae..7bc2f7664b2 100644 --- a/hw/usb/dev-storage.c +++ b/hw/usb/dev-storage.c @@ -10,6 +10,7 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "qemu/error-report.h" +#include "qemu/log.h" #include "qemu/module.h" #include "qemu/option.h" #include "qemu/config-file.h" @@ -402,6 +403,36 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacke= t *p) } } =20 +static bool try_get_valid_cbw(USBPacket *p, struct usb_msd_cbw *cbw) +{ + uint32_t sig; + + if (p->iov.size !=3D CBW_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CBW size %zu\n", + p->iov.size); + return false; + } + usb_packet_copy(p, cbw, CBW_SIZE); + sig =3D le32_to_cpu(cbw->sig); + if (sig !=3D 0x43425355) { + qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CBW signature 0x%08x\= n", + sig); + return false; + } + + return true; +} + +static bool check_valid_csw(USBPacket *p) +{ + if (p->iov.size < CSW_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CSW size %zu\n", + p->iov.size); + return false; + } + return true; +} + static void usb_msd_handle_data_out(USBDevice *dev, USBPacket *p) { MSDState *s =3D (MSDState *)dev; 
@@ -412,19 +443,13 @@ static void usb_msd_handle_data_out(USBDevice *dev, U= SBPacket *p) =20 switch (s->mode) { case USB_MSDM_CBW: - if (p->iov.size !=3D CBW_SIZE) { - error_report("usb-msd: Bad CBW size"); - goto fail; - } - usb_packet_copy(p, &cbw, CBW_SIZE); - if (le32_to_cpu(cbw.sig) !=3D 0x43425355) { - error_report("usb-msd: Bad signature %08x", - le32_to_cpu(cbw.sig)); + if (!try_get_valid_cbw(p, &cbw)) { goto fail; } scsi_dev =3D scsi_device_find(&s->bus, 0, 0, cbw.lun); if (scsi_dev =3D=3D NULL) { - error_report("usb-msd: Bad LUN %d", cbw.lun); + qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CBW LUN %d\n", + cbw.lun); goto fail; } tag =3D le32_to_cpu(cbw.tag); @@ -496,9 +521,15 @@ static void usb_msd_handle_data_in(USBDevice *dev, USB= Packet *p) =20 switch (s->mode) { case USB_MSDM_DATAOUT: - if (s->data_len !=3D 0 || p->iov.size < CSW_SIZE) { + if (!check_valid_csw(p)) { + goto fail; + } + if (s->data_len !=3D 0) { + qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: CSW received before " + "all data was sent\n"); goto fail; } + /* Waiting for SCSI write to complete. */ trace_usb_msd_packet_async(); s->packet =3D p; @@ -506,7 +537,7 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBP= acket *p) break; =20 case USB_MSDM_CSW: - if (p->iov.size < CSW_SIZE) { + if (!check_valid_csw(p)) { goto fail; } =20 --=20 2.47.1
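Review bot: in the hunk that adds try_get_valid_cbw(), the signature is compared against the bare literal 0x43425355; a named constant beside CBW_SIZE (for example a hypothetical CBW_SIGNATURE) would document that this is the little-endian "USBC" tag and keep the check and the log message in step. The helper also calls usb_packet_copy() into the caller's cbw before the signature is checked, so on a false return the structure holds unvalidated guest data; a one-line comment saying the caller must not read cbw on failure would make that contract explicit. Both new helpers drop the usb_msd_ prefix that the surrounding functions (usb_msd_cancel_io, usb_msd_handle_data_out) use.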
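Review bot: the commit message should state that, in the USB_MSDM_CBW case of usb_msd_handle_data_out() (hunk @@ -412,19 +443,13), the bad-size, bad-signature and bad-LUN messages are now emitted only when LOG_GUEST_ERROR logging is enabled, because the removed error_report() calls printed unconditionally. That is a behaviour change as well as a reclassification: it stops a guest from filling the host's error output with malformed CBWs, but anyone who relied on seeing "usb-msd: Bad LUN" by default will need to turn guest-error logging on.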
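Review bot: in the USB_MSDM_DATAOUT case of usb_msd_handle_data_in() (hunk @@ -496,9 +521,15), the new message says "CSW received before all data was sent", but this is the IN path, where the guest is requesting the CSW rather than sending one; "CSW requested" would match what happened. Printing s->data_len in that message would also tell the reader how much of the transfer was still outstanding. Because check_valid_csw(p) now runs before the s->data_len test, a packet that fails both conditions logs only the size error; that ordering is fine but worth a word in the commit message, since the old combined condition failed without logging anything.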