This series fixes four guest-triggerable bugs in the UFS MCQ emulation,
all reachable via MMIO writes to the UFS PCI BAR with mcq=on.

Patches 1-2 fix bugs reported by Rayhan Ramdhany Hanaputra:

- Out-of-bounds array read: SQATTR.CQID is not checked against
  mcq_maxq before indexing u->cq[].
- NULL dereference: SQ doorbell is processed without checking whether
  the SQ exists.
- NULL dereference: CQ head doorbell is processed without checking
  whether the CQ exists.

Patches 3-4 fix additional bugs found during review:

- Divide-by-zero: a small SQATTR.SIZE or CQATTR.SIZE produces a
  zero-depth queue that crashes when its pointers are advanced.
- Use-after-free: disabling an SQ while requests are still in flight
  on the CQ list or in the SCSI layer frees memory that is still
  referenced by the completion paths.
Jeuk Kim (4):
  hw/ufs: Validate MCQ SQ references before use
  hw/ufs: Guard MCQ CQ accesses against missing queues
  hw/ufs: Reject zero-depth MCQ queues
  hw/ufs: Keep MCQ SQs alive while requests are outstanding

 hw/ufs/trace-events |  3 ++
 hw/ufs/ufs.c        | 92 +++++++++++++++++++++++++++++++++++++++------
 hw/ufs/ufs.h        |  9 ++++-
 3 files changed, 92 insertions(+), 12 deletions(-)
--
2.43.0
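The four bug classes listed in the cover letter share one root cause: queue ids, queue depths and queue lifetimes come from guest MMIO writes and were trusted before being checked. The following is an added, self-contained C model written for this page (it is not QEMU's hw/ufs code, and the names ModelMcq, ModelSq, model_sq_create, model_sq_doorbell, model_sq_disable, model_sq_complete and the constant MODEL_MAXQ standing in for mcq_maxq are assumptions). It shows the defensive pattern each patch applies: bound-check the id before indexing the table, require the referenced queue to exist, reject a zero-depth ring before any modulo arithmetic, and defer freeing an SQ until no completion path still holds a pointer to it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative model only, not QEMU's implementation. MODEL_MAXQ stands in
 * for the device's mcq_maxq (assumed value). */
#define MODEL_MAXQ 4

enum { MCQ_OK = 0, MCQ_EBADQ = -1, MCQ_ENOQ = -2, MCQ_EDEPTH = -3, MCQ_EEXIST = -4 };

typedef struct {
    uint32_t head, tail, size, cqid;
    unsigned in_flight;   /* requests still referenced by completion paths */
    bool disabled;        /* guest disabled the SQ; free once in_flight reaches 0 */
} ModelSq;

typedef struct { uint32_t head, tail, size; } ModelCq;

typedef struct {
    ModelSq *sq[MODEL_MAXQ];
    ModelCq *cq[MODEL_MAXQ];
} ModelMcq;

/* CQATTR write: a zero-depth ring would make every "(x + 1) % size" divide by zero. */
int model_cq_create(ModelMcq *m, uint32_t cqid, uint32_t depth)
{
    if (cqid >= MODEL_MAXQ) return MCQ_EBADQ;
    if (depth == 0) return MCQ_EDEPTH;
    if (m->cq[cqid]) return MCQ_EEXIST;
    ModelCq *cq = calloc(1, sizeof *cq);
    if (!cq) abort();
    cq->size = depth;
    m->cq[cqid] = cq;
    return MCQ_OK;
}

/* SQATTR write: check CQID against the table size BEFORE indexing cq[],
 * then require that the referenced CQ actually exists. */
int model_sq_create(ModelMcq *m, uint32_t sqid, uint32_t cqid, uint32_t depth)
{
    if (sqid >= MODEL_MAXQ || cqid >= MODEL_MAXQ) return MCQ_EBADQ;
    if (m->cq[cqid] == NULL) return MCQ_ENOQ;
    if (depth == 0) return MCQ_EDEPTH;
    if (m->sq[sqid]) return MCQ_EEXIST;
    ModelSq *sq = calloc(1, sizeof *sq);
    if (!sq) abort();
    sq->size = depth;
    sq->cqid = cqid;
    m->sq[sqid] = sq;
    return MCQ_OK;
}

/* SQ tail doorbell: the SQ must exist and the new tail must lie inside the ring.
 * Returns the number of entries handed to the (modelled) SCSI layer, or an error. */
int model_sq_doorbell(ModelMcq *m, uint32_t sqid, uint32_t new_tail)
{
    if (sqid >= MODEL_MAXQ) return MCQ_EBADQ;
    ModelSq *sq = m->sq[sqid];
    if (sq == NULL) return MCQ_ENOQ;
    if (new_tail >= sq->size) return MCQ_EBADQ;
    sq->tail = new_tail;
    int submitted = 0;
    while (sq->head != sq->tail) {
        sq->head = (sq->head + 1) % sq->size;   /* safe: size > 0 enforced at create */
        sq->in_flight++;
        submitted++;
    }
    return submitted;
}

/* CQ head doorbell: same existence check before the queue is touched. */
int model_cq_head_doorbell(ModelMcq *m, uint32_t cqid, uint32_t new_head)
{
    if (cqid >= MODEL_MAXQ) return MCQ_EBADQ;
    ModelCq *cq = m->cq[cqid];
    if (cq == NULL) return MCQ_ENOQ;
    if (new_head >= cq->size) return MCQ_EBADQ;
    cq->head = new_head;
    return MCQ_OK;
}

/* Disable: unlink from the table at once, but free only when nothing is in flight.
 * Returns 1 if the free was deferred, 0 if freed immediately, or an error. */
int model_sq_disable(ModelMcq *m, uint32_t sqid)
{
    if (sqid >= MODEL_MAXQ) return MCQ_EBADQ;
    ModelSq *sq = m->sq[sqid];
    if (sq == NULL) return MCQ_ENOQ;
    m->sq[sqid] = NULL;
    if (sq->in_flight == 0) { free(sq); return 0; }
    sq->disabled = true;
    return 1;
}

/* Completion path that still holds its own ModelSq pointer. Returns 1 if this
 * completion released a deferred SQ, 0 otherwise. */
int model_sq_complete(ModelSq *sq)
{
    sq->in_flight--;
    if (sq->disabled && sq->in_flight == 0) { free(sq); return 1; }
    return 0;
}

/* Walks the four scenarios from the cover letter; returns 0 on success or the
 * number of the first failing step. */
int model_scenario(void)
{
    ModelMcq m = {{0}, {0}};
    if (model_sq_create(&m, 0, 9, 8) != MCQ_EBADQ) return 1;   /* CQID out of range */
    if (model_sq_create(&m, 0, 0, 8) != MCQ_ENOQ) return 2;    /* CQ does not exist */
    if (model_cq_create(&m, 0, 0) != MCQ_EDEPTH) return 3;     /* zero-depth CQ */
    if (model_cq_create(&m, 0, 8) != MCQ_OK) return 4;
    if (model_sq_create(&m, 0, 0, 0) != MCQ_EDEPTH) return 5;  /* zero-depth SQ */
    if (model_sq_create(&m, 0, 0, 4) != MCQ_OK) return 6;
    if (model_sq_doorbell(&m, 1, 1) != MCQ_ENOQ) return 7;     /* missing SQ */
    if (model_cq_head_doorbell(&m, 1, 0) != MCQ_ENOQ) return 8;/* missing CQ */
    if (model_sq_doorbell(&m, 0, 2) != 2) return 9;            /* two requests in flight */
    ModelSq *held = m.sq[0];                                   /* pointer kept by SCSI layer */
    if (model_sq_disable(&m, 0) != 1) return 10;               /* free deferred */
    if (model_sq_doorbell(&m, 0, 1) != MCQ_ENOQ) return 11;    /* SQ already unlinked */
    if (model_sq_complete(held) != 0) return 12;
    if (model_sq_complete(held) != 1) return 13;               /* last completion frees */
    free(m.cq[0]);
    return 0;
}
```

The deferral in model_sq_disable is the point of the last patch: unlinking the queue from the table stops new doorbells from reaching it, while the reference count keeps the memory valid for completions already queued on the CQ or waiting in the SCSI layer.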