[PATCH] hw/ufs: Zero reserved bytes in REPORT LUNS response header

Jeuk Kim posted 1 patch 2 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/c6bc0c611cf43f3d75bb6459362f71666d3b4240.1778476327.git.jeuk20.kim@samsung.com
Maintainers: Jeuk Kim <jeuk20.kim@samsung.com>
hw/ufs/lu.c | 4 ++++
1 file changed, 4 insertions(+)
Posted by Jeuk Kim 2 weeks ago
ufs_emulate_report_luns() writes the 4-byte LUN list length into
outbuf[0..3] via stl_be_p() but leaves outbuf[4..7], the reserved
field, uninitialized. Those bytes are then DMA'd to guest memory,
leaking uninitialized QEMU stack data.

Fixes: 7708e298180 ("hw/ufs/lu: skip automatic zero-init of large array")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
---
 hw/ufs/lu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/ufs/lu.c b/hw/ufs/lu.c
index 3f3c9589ce..709d6adcf6 100644
--- a/hw/ufs/lu.c
+++ b/hw/ufs/lu.c
@@ -101,6 +101,10 @@ static int ufs_emulate_report_luns(UfsRequest *req, uint8_t *outbuf,
         return SCSI_COMMAND_FAIL;
     }
 
+    if (outbuf_len < 8) {
+        return SCSI_COMMAND_FAIL;
+    }
+    memset(outbuf, 0, 8);
     len += 8;
 
     for (uint8_t lun = 0; lun < UFS_MAX_LUS; ++lun) {
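Review bot: the new `if (outbuf_len < 8) { return SCSI_COMMAND_FAIL; }` guard at the top of the hunk is a behaviour change the commit message does not describe; the message only talks about zeroing the reserved bytes, yet a caller passing a buffer shorter than 8 bytes now has the whole command fail instead of being handled as before. Please state the new length check (and why it is safe to fail the command there) in the commit message, or split it into its own patch. A short comment on the `memset(outbuf, 0, 8);` line saying it clears the REPORT LUNS header so that bytes 4..7 (reserved) are not left holding stack data would also help, since per the commit message bytes 0..3 are overwritten by stl_be_p() anyway; a named constant for the 8-byte header size in place of the repeated literal 8 would make that intent explicit.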
-- 
2.43.0