diff options
| author | Sven Schnelle <svens@stackframe.org> | 2024-01-28 21:22:14 +0100 |
|---|---|---|
| committer | Thomas Huth <thuth@redhat.com> | 2024-02-05 14:21:21 +0100 |
| commit | 8b09b7fe47082c69295a0fc0cc01b041b6385025 (patch) | |
| tree | 0889c80fdd8f2ac1b9913e4037496abc014f9f38 | |
| parent | 39a6e4f87e7b75a45b08d6dc8b8b7c2954c87440 (diff) | |
| download | qemu-8b09b7fe47082c69295a0fc0cc01b041b6385025.zip qemu-8b09b7fe47082c69295a0fc0cc01b041b6385025.tar.gz qemu-8b09b7fe47082c69295a0fc0cc01b041b6385025.tar.bz2 | |
hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
When the maximum count of SCRIPTS instructions is reached, the code
stops execution and returns, but fails to decrement the reentrancy
counter. This effectively renders the SCSI controller unusable
because on next entry the reentrancy counter is still above the limit.
This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
loops.
Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Message-ID: <20240128202214.2644768-1-svens@stackframe.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Thomas Huth <thuth@redhat.com>
| -rw-r--r-- | hw/scsi/lsi53c895a.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 34e3b89..d607a5f 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -1159,6 +1159,7 @@ again: lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0); lsi_disconnect(s); trace_lsi_execute_script_stop(); + reentrancy_level--; return; } insn = read_dword(s, s->dsp); |