* [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
@ 2024-01-28 20:22 Sven Schnelle
2024-01-29 4:16 ` Thomas Huth
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Sven Schnelle @ 2024-01-28 20:22 UTC
To: Thomas Huth, Fam Zheng; +Cc: qemu-devel, deller
When the maximum count of SCRIPTS instructions is reached, the code
stops execution and returns, but fails to decrement the reentrancy
counter. This effectively renders the SCSI controller unusable
because on next entry the reentrancy counter is still above the limit.
This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
loops.
Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
Signed-off-by: Sven Schnelle <svens@stackframe.org>
---
hw/scsi/lsi53c895a.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 34e3b89287..d607a5f9fb 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1159,6 +1159,7 @@ again:
lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
lsi_disconnect(s);
trace_lsi_execute_script_stop();
+ reentrancy_level--;
return;
}
insn = read_dword(s, s->dsp);
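Review bot: The added `reentrancy_level--;` before `return;` in the LSI_SIST0_UDC stop path repairs this one exit, but pairing the decrement by hand at each return is the pattern that let the counter leak here. Consider routing this early exit through a single exit label that performs the decrement, so a return added later cannot skip it, and confirm that no other return between the increment and the end of the function is missing the same line.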
--
2.43.0
* Re: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
From: Thomas Huth @ 2024-01-29 4:16 UTC
To: Sven Schnelle, Fam Zheng, Paolo Bonzini
Cc: qemu-devel, deller, Alexander Bulekov
On 28/01/2024 21.22, Sven Schnelle wrote:
> When the maximum count of SCRIPTS instructions is reached, the code
> stops execution and returns, but fails to decrement the reentrancy
> counter. This effectively renders the SCSI controller unusable
> because on next entry the reentrancy counter is still above the limit.
>
> This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
> loops.
Out of curiosity: What happened there before we introduced the
reentrancy_level fix? Did it end up in an endless loop, or was it finishing
at one point? In the latter case, we might need to adjust the
"reentrancy_level > 8" to allow deeper nesting.
> Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
> Signed-off-by: Sven Schnelle <svens@stackframe.org>
> ---
> hw/scsi/lsi53c895a.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> index 34e3b89287..d607a5f9fb 100644
> --- a/hw/scsi/lsi53c895a.c
> +++ b/hw/scsi/lsi53c895a.c
> @@ -1159,6 +1159,7 @@ again:
> lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
> lsi_disconnect(s);
> trace_lsi_execute_script_stop();
> + reentrancy_level--;
> return;
> }
> insn = read_dword(s, s->dsp);
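Review bot: `reentrancy_level` is decremented here as a bare identifier while the neighbouring lines reach device state through `s`, as in `s->dsp`, so the counter does not appear to be per-controller state. If it is shared by every instance, an increment leaked by one controller's stop path would also count against the others; a short comment at the decrement, or a sentence in the commit message, stating the counter's scope would make the impact of the missing decrement clearer.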
Reviewed-by: Thomas Huth <thuth@redhat.com>
* Re: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
From: Sven Schnelle @ 2024-01-29 6:17 UTC
To: Thomas Huth
Cc: Fam Zheng, Paolo Bonzini, qemu-devel, deller, Alexander Bulekov
Thomas Huth <thuth@redhat.com> writes:
> On 28/01/2024 21.22, Sven Schnelle wrote:
>> When the maximum count of SCRIPTS instructions is reached, the code
>> stops execution and returns, but fails to decrement the reentrancy
>> counter. This effectively renders the SCSI controller unusable
>> because on next entry the reentrancy counter is still above the limit.
>> This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
>> loops.
>
> Out of curiosity: What happened there before we introduced the
> reentrancy_level fix? Did it end up in an endless loop, or was it
> finishing at one point? In the latter case, we might need to adjust
> the "reentrancy_level > 8" to allow deeper nesting.
Without the reentrancy counter it was triggering the insn_processed
limit. The HP-UX SCSI driver seems to spin on some memory value during
some SCSI writes (CDB with command 0x2a). So it is spinning in an
endless loop until the insn_processed counter triggers the exit.
In HP-UX you will see a SCSI command timeout error in the kernel log
- at least I'm assuming that's related, but can't say for sure as
there's no kernel source available.
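The counter leak discussed in this thread, as an added example that is not part of the original messages and is not QEMU code: a constructed C model of a depth guard whose stop path returns without decrementing, next to a variant where every exit shares one decrement. The function names and the instruction budget `MAX_INSN` are assumptions; the nesting limit of 8 is the value quoted in the thread.

```c
#include <stdbool.h>

/* Constructed model, not QEMU code. MAX_INSN is an assumed budget;
 * MAX_DEPTH is the "reentrancy_level > 8" limit quoted in the thread. */
#define MAX_INSN  100
#define MAX_DEPTH 8

static int depth_buggy, depth_fixed;  /* persist across calls */

/* Run a script needing `insns` instructions; false means it was stopped. */
static bool run_script_buggy(int insns)
{
    int processed = 0;
    depth_buggy++;
    for (;;) {
        if (++processed > MAX_INSN || depth_buggy > MAX_DEPTH) {
            return false;             /* stop path leaks one level */
        }
        if (processed >= insns) break;
    }
    depth_buggy--;
    return true;
}

static bool run_script_fixed(int insns)
{
    int processed = 0;
    bool ok = true;
    depth_fixed++;
    for (;;) {
        if (++processed > MAX_INSN || depth_fixed > MAX_DEPTH) {
            ok = false;
            break;                    /* stop path shares the exit below */
        }
        if (processed >= insns) break;
    }
    depth_fixed--;                    /* single decrement for every exit */
    return ok;
}

/* Reset, hit the stop path `spins` times, then issue one ordinary request. */
static bool usable_after_spins(bool (*run)(int), int spins)
{
    depth_buggy = depth_fixed = 0;
    for (int i = 0; i < spins; i++) run(MAX_INSN + 1);
    return run(10);
}
```

In this model the buggy variant still serves a request after seven runaway scripts and refuses every request after the eighth, while the fixed variant keeps working however often the stop path is taken.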
* Re: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
From: Michael Tokarev @ 2024-01-29 6:24 UTC
To: Sven Schnelle, Thomas Huth, Fam Zheng; +Cc: qemu-devel, deller, qemu-stable
28.01.2024 23:22, Sven Schnelle :
> When the maximum count of SCRIPTS instructions is reached, the code
> stops execution and returns, but fails to decrement the reentrancy
> counter. This effectively renders the SCSI controller unusable
> because on next entry the reentrancy counter is still above the limit.
>
> This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
> loops.
Cc: qemu-stable@
/mjt
* Re: [PATCH] hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
From: Helge Deller @ 2024-01-30 18:41 UTC
To: Sven Schnelle, Thomas Huth, Fam Zheng; +Cc: qemu-devel
On 1/28/24 21:22, Sven Schnelle wrote:
> When the maximum count of SCRIPTS instructions is reached, the code
> stops execution and returns, but fails to decrement the reentrancy
> counter. This effectively renders the SCSI controller unusable
> because on next entry the reentrancy counter is still above the limit.
>
> This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
> loops.
>
> Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)")
> Signed-off-by: Sven Schnelle <svens@stackframe.org>
Tested-by: Helge Deller <deller@gmx.de>
Thanks!
Helge
> ---
> hw/scsi/lsi53c895a.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
> index 34e3b89287..d607a5f9fb 100644
> --- a/hw/scsi/lsi53c895a.c
> +++ b/hw/scsi/lsi53c895a.c
> @@ -1159,6 +1159,7 @@ again:
> lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
> lsi_disconnect(s);
> trace_lsi_execute_script_stop();
> + reentrancy_level--;
> return;
> }
> insn = read_dword(s, s->dsp);
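Review bot: Nothing accompanies the added `reentrancy_level--;` to keep this stop path from regressing, and the reproduction described in the commit message depends on an HP-UX 10.20 guest. A small regression test that drives a SCRIPTS loop into the stop path ending at `trace_lsi_execute_script_stop();` and then checks that the controller still accepts a further request would cover the fix without that guest.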