From: Nicholas Piggin <npiggin@gmail.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: Nicholas Piggin <npiggin@gmail.com>,
qemu-devel@nongnu.org, Kevin Wolf <kwolf@redhat.com>
Subject: [PATCH v2 04/10] usb/msd: Improve packet validation error logging
Date: Fri, 11 Apr 2025 18:04:25 +1000 [thread overview]
Message-ID: <20250411080431.207579-5-npiggin@gmail.com> (raw)
In-Reply-To: <20250411080431.207579-1-npiggin@gmail.com>
Errors in incoming USB MSD packet format or context would typically
be guest software errors. Log these under guest errors.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
hw/usb/dev-storage.c | 53 +++++++++++++++++++++++++++++++++++---------
1 file changed, 42 insertions(+), 11 deletions(-)
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index c7c36ac80fa..6668114ea74 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -10,6 +10,7 @@
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/error-report.h"
+#include "qemu/log.h"
#include "qemu/module.h"
#include "qemu/option.h"
#include "qemu/config-file.h"
@@ -395,6 +396,36 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
}
}
+static bool try_get_valid_cbw(USBPacket *p, struct usb_msd_cbw *cbw)
+{
+ uint32_t sig;
+
+ if (p->iov.size != 31) {
+ qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CBW size %zu\n",
+ p->iov.size);
+ return false;
+ }
+ usb_packet_copy(p, cbw, 31);
+ sig = le32_to_cpu(cbw->sig);
+ if (sig != 0x43425355) {
+ qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CBW signature 0x%08x\n",
+ sig);
+ return false;
+ }
+
+ return true;
+}
+
+static bool check_valid_csw(USBPacket *p)
+{
+ if (p->iov.size < 13) {
+ qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CSW size %zu\n",
+ p->iov.size);
+ return false;
+ }
+ return true;
+}
+
static void usb_msd_handle_data_out(USBDevice *dev, USBPacket *p)
{
MSDState *s = (MSDState *)dev;
@@ -405,19 +436,13 @@ static void usb_msd_handle_data_out(USBDevice *dev, USBPacket *p)
switch (s->mode) {
case USB_MSDM_CBW:
- if (p->iov.size != 31) {
- error_report("usb-msd: Bad CBW size");
- goto fail;
- }
- usb_packet_copy(p, &cbw, 31);
- if (le32_to_cpu(cbw.sig) != 0x43425355) {
- error_report("usb-msd: Bad signature %08x",
- le32_to_cpu(cbw.sig));
+ if (!try_get_valid_cbw(p, &cbw)) {
goto fail;
}
scsi_dev = scsi_device_find(&s->bus, 0, 0, cbw.lun);
if (scsi_dev == NULL) {
- error_report("usb-msd: Bad LUN %d", cbw.lun);
+ qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: Bad CBW LUN %d\n",
+ cbw.lun);
goto fail;
}
tag = le32_to_cpu(cbw.tag);
@@ -489,9 +514,15 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
switch (s->mode) {
case USB_MSDM_DATAOUT:
- if (s->data_len != 0 || p->iov.size < 13) {
+ if (!check_valid_csw(p)) {
+ goto fail;
+ }
+ if (s->data_len != 0) {
+ qemu_log_mask(LOG_GUEST_ERROR, "usb-msd: CSW received before "
+ "all data was sent\n");
goto fail;
}
+
/* Waiting for SCSI write to complete. */
trace_usb_msd_packet_async();
s->packet = p;
@@ -499,7 +530,7 @@ static void usb_msd_handle_data_in(USBDevice *dev, USBPacket *p)
break;
case USB_MSDM_CSW:
- if (p->iov.size < 13) {
+ if (!check_valid_csw(p)) {
goto fail;
}
--
2.47.1
next prev parent reply other threads:[~2025-04-11 8:06 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-11 8:04 [PATCH v2 00/10] usb/msd: Permit relaxed ordering of IN packets Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 01/10] usb/msd: Split in and out packet handling Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 02/10] usb/msd: Ensure packet structure layout is correct Nicholas Piggin
2025-04-11 10:18 ` Philippe Mathieu-Daudé
2025-04-11 10:21 ` Philippe Mathieu-Daudé
2025-04-11 10:23 ` Philippe Mathieu-Daudé
2025-04-12 5:32 ` Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 03/10] usb/msd: Improved handling of mass storage reset Nicholas Piggin
2025-04-11 10:19 ` Philippe Mathieu-Daudé
2025-04-11 8:04 ` Nicholas Piggin [this message]
2025-04-11 8:04 ` [PATCH v2 05/10] usb/msd: Allow CBW packet size greater than 31 Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 06/10] usb/msd: Split async packet tracking into data and csw Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 07/10] usb/msd: Add some additional assertions Nicholas Piggin
2025-04-11 10:27 ` Philippe Mathieu-Daudé
2025-04-11 8:04 ` [PATCH v2 08/10] usb/msd: Rename mode to cbw_state, and tweak names Nicholas Piggin
2025-04-11 10:28 ` Philippe Mathieu-Daudé
2025-04-11 10:37 ` Philippe Mathieu-Daudé
2025-04-12 5:33 ` Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 09/10] usb/msd: Permit a DATA-IN or CSW packet before CBW packet Nicholas Piggin
2025-04-11 8:04 ` [PATCH v2 10/10] usb/msd: Add more tracing Nicholas Piggin
2025-04-11 10:36 ` Philippe Mathieu-Daudé
2025-04-12 5:33 ` Nicholas Piggin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250411080431.207579-5-npiggin@gmail.com \
--to=npiggin@gmail.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).