diff options
author | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2021-04-07 20:57:56 +0100 |
---|---|---|
committer | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2021-04-12 22:35:53 +0100 |
commit | fa7505c154d4d00ad89a747be2eda556643ce00e (patch) | |
tree | 3df77c250ec9c40a1eaa1bfedfc5c1c0d8be6ecc /hw/scsi | |
parent | 99545751734035b76bd372c4e7215bb337428d89 (diff) | |
download | qemu-fa7505c154d4d00ad89a747be2eda556643ce00e.zip qemu-fa7505c154d4d00ad89a747be2eda556643ce00e.tar.gz qemu-fa7505c154d4d00ad89a747be2eda556643ce00e.tar.bz2 |
esp: don't underflow cmdfifo in do_cmd()
If the guest tries to execute a CDB when cmdfifo is not empty before the start
of the message out phase then clearing the message out phase data will cause
cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of
data within.
Since this can only occur by issuing deliberately incorrect instruction
sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to
the size of the data within cmdfifo.
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk>
Diffstat (limited to 'hw/scsi')
-rw-r--r-- | hw/scsi/esp.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 904fa31..d3b105b 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -319,13 +319,15 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) static void do_cmd(ESPState *s) { - uint8_t busid = fifo8_pop(&s->cmdfifo); + uint8_t busid = esp_fifo_pop(&s->cmdfifo); + int len; s->cmdfifo_cdb_offset--; /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); + len = MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo)); + esp_fifo_pop_buf(&s->cmdfifo, NULL, len); s->cmdfifo_cdb_offset = 0; } |