From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>,
pbonzini@redhat.com, fam@euphon.net, laurent@vivier.eu,
qemu-devel@nongnu.org
Subject: Re: [PATCH v3 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready()
Date: Tue, 2 Apr 2024 13:36:20 +0200 [thread overview]
Message-ID: <2153d65c-9a33-4793-9c7c-0d8750f39040@linaro.org> (raw)
In-Reply-To: <2fe371b5-07a3-4322-8543-76b15244dbe1@ilande.co.uk>
On 25/3/24 13:41, Mark Cave-Ayland wrote:
> On 25/03/2024 10:26, Philippe Mathieu-Daudé wrote:
>
>> On 24/3/24 20:17, Mark Cave-Ayland wrote:
>>> During normal use the cmdfifo will never wrap internally and
>>> cmdfifo_cdb_offset
>>> will always indicate the start of the SCSI CDB. However it is
>>> possible that a
>>> malicious guest could issue an invalid ESP command sequence such that
>>> cmdfifo
>>> wraps internally and cmdfifo_cdb_offset could point beyond the end of
>>> the FIFO
>>> data buffer.
>>>
>>> Add an extra check to fifo8_peek_buf() to ensure that if the cmdfifo
>>> has wrapped
>>> internally then esp_cdb_ready() will exit rather than allow
>>> scsi_cdb_length() to
>>> access data outside the cmdfifo data buffer.
>>>
>>> Reported-by: Chuhong Yuan <hslester96@gmail.com>
>>> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
>>> ---
>>> hw/scsi/esp.c | 12 +++++++++++-
>>> 1 file changed, 11 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
>>> index f47abc36d6..d8db33b921 100644
>>> --- a/hw/scsi/esp.c
>>> +++ b/hw/scsi/esp.c
>>> @@ -429,13 +429,23 @@ static bool esp_cdb_ready(ESPState *s)
>>> {
>>> int len = fifo8_num_used(&s->cmdfifo) - s->cmdfifo_cdb_offset;
>>> const uint8_t *pbuf;
>>> + uint32_t n;
>>> int cdblen;
>>> if (len <= 0) {
>>> return false;
>>> }
>>> - pbuf = fifo8_peek_buf(&s->cmdfifo, len, NULL);
>>> + pbuf = fifo8_peek_buf(&s->cmdfifo, len, &n);
>>> + if (n < len) {
>>> + /*
>>> + * In normal use the cmdfifo should never wrap, but include
>>> this check
>>> + * to prevent a malicious guest from reading past the end of
>>> the
>>> + * cmdfifo data buffer below
>>> + */
>>
>> Can we qemu_log_mask(LOG_GUEST_ERROR) something here?
>
> I'm not sure that this makes sense here? The cmdfifo wrapping is
> internal artifact of the Fifo8 implementation rather than being directly
> affected by writes to the ESP hardware FIFO (i.e. this is not the same
> as the ESP hardware FIFO overflow).
Still this check "prevent[s from] a malicious guest", but I don't
mind, better be safe here.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
next prev parent reply other threads:[~2024-04-02 11:36 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-24 19:16 [PATCH v3 00/17] [for-9.0] esp: avoid explicit setting of DRQ within ESP state machine Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 01/17] esp.c: move esp_fifo_pop_buf() internals to new esp_fifo8_pop_buf() function Mark Cave-Ayland
2024-03-25 10:20 ` Philippe Mathieu-Daudé
2024-03-24 19:16 ` [PATCH v3 02/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_command_phase() Mark Cave-Ayland
2024-03-25 10:21 ` Philippe Mathieu-Daudé
2024-03-24 19:16 ` [PATCH v3 03/17] esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase() Mark Cave-Ayland
2024-03-25 10:21 ` Philippe Mathieu-Daudé
2024-03-24 19:16 ` [PATCH v3 04/17] esp.c: replace cmdfifo use of esp_fifo_pop() " Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 05/17] esp.c: change esp_fifo_push() to take ESPState Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 06/17] esp.c: change esp_fifo_pop() " Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 07/17] esp.c: use esp_fifo_push() instead of fifo8_push() Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 08/17] esp.c: change esp_fifo_pop_buf() to take ESPState Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 09/17] esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO Mark Cave-Ayland
2024-03-24 19:16 ` [PATCH v3 10/17] esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS Mark Cave-Ayland
2024-03-25 10:49 ` Philippe Mathieu-Daudé
2024-03-25 12:57 ` Mark Cave-Ayland
2024-04-02 11:34 ` Philippe Mathieu-Daudé
2024-03-24 19:17 ` [PATCH v3 11/17] esp.c: rework esp_cdb_length() into esp_cdb_ready() Mark Cave-Ayland
2024-04-02 11:38 ` Philippe Mathieu-Daudé
2024-03-24 19:17 ` [PATCH v3 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready() Mark Cave-Ayland
2024-03-25 10:26 ` Philippe Mathieu-Daudé
2024-03-25 12:41 ` Mark Cave-Ayland
2024-04-02 11:36 ` Philippe Mathieu-Daudé [this message]
2024-03-24 19:17 ` [PATCH v3 13/17] esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file Mark Cave-Ayland
2024-03-24 19:17 ` [PATCH v3 14/17] esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it Mark Cave-Ayland
2024-03-24 19:17 ` [PATCH v3 15/17] esp.c: update esp_fifo_{push, pop}() to call esp_update_drq() Mark Cave-Ayland
2024-03-24 19:17 ` [PATCH v3 16/17] esp.c: ensure esp_pdma_write() always calls esp_fifo_push() Mark Cave-Ayland
2024-03-24 19:17 ` [PATCH v3 17/17] esp.c: remove explicit setting of DRQ within ESP state machine Mark Cave-Ayland
2024-04-04 10:04 ` [PATCH v3 00/17] [for-9.0] esp: avoid " Paolo Bonzini
2024-04-04 10:28 ` Philippe Mathieu-Daudé
2024-04-04 12:53 ` Mark Cave-Ayland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2153d65c-9a33-4793-9c7c-0d8750f39040@linaro.org \
--to=philmd@linaro.org \
--cc=fam@euphon.net \
--cc=laurent@vivier.eu \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).