From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>,
pbonzini@redhat.com, fam@euphon.net, farosas@suse.de,
lvivier@redhat.com, qemu-devel@nongnu.org,
Alexander Bulekov <alxndr@bu.edu>
Subject: Re: [PATCH 1/2] esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation
Date: Thu, 25 Sep 2025 15:33:01 +0200 [thread overview]
Message-ID: <f5655322-fc2b-4577-a802-1ea736e08f4c@linaro.org> (raw)
In-Reply-To: <20250925122846.527615-2-mark.cave-ayland@ilande.co.uk>
On 25/9/25 14:28, Mark Cave-Ayland wrote:
> The original calculation in commit 3cc70889a3 ("esp.c: prevent cmdfifo overflow
> in esp_cdb_ready()") subtracted cmdfifo_cdb_offset from fifo8_num_used() to
"substracted"
> calculate the outstanding cmdfifo length, but this is incorrect because
> fifo8_num_used() can also include wraparound data.
>
> Instead calculate the maximum offset used by scsi_cdb_length() which is just
> the first byte after cmdfifo_cdb_offset, and then peek the entire content
> of the cmdfifo. The fifo8_peek_bufptr() result will then return the maximum
> length of remaining data up to the end of the internal cmdfifo array, which
> can then be used for the overflow check.
>
> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
> Fixes: 3cc70889a3 ("esp.c: prevent cmdfifo overflow in esp_cdb_ready()")
Buglink: https://issues.oss-fuzz.com/issues/439878564
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3082
> ---
> hw/scsi/esp.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
> index 1d264c40e5..2809fcdee0 100644
> --- a/hw/scsi/esp.c
> +++ b/hw/scsi/esp.c
> @@ -447,7 +447,9 @@ static void write_response(ESPState *s)
>
> static bool esp_cdb_ready(ESPState *s)
> {
> - int len = fifo8_num_used(&s->cmdfifo) - s->cmdfifo_cdb_offset;
> + /* scsi_cdb_length() only reads the first byte */
> + int limit = s->cmdfifo_cdb_offset + 1;
> + int len = fifo8_num_used(&s->cmdfifo);
> const uint8_t *pbuf;
> uint32_t n;
> int cdblen;
> @@ -457,7 +459,7 @@ static bool esp_cdb_ready(ESPState *s)
> }
>
> pbuf = fifo8_peek_bufptr(&s->cmdfifo, len, &n);
> - if (n < len) {
> + if (n < limit) {
> /*
> * In normal use the cmdfifo should never wrap, but include this check
> * to prevent a malicious guest from reading past the end of the
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
next prev parent reply other threads:[~2025-09-25 13:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-25 12:28 [PATCH 0/2] esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation Mark Cave-Ayland
2025-09-25 12:28 ` [PATCH 1/2] " Mark Cave-Ayland
2025-09-25 13:33 ` Philippe Mathieu-Daudé [this message]
2025-09-25 19:54 ` Mark Cave-Ayland
2025-09-25 12:28 ` [PATCH 2/2] qtest/am53c974-test: add additional test for cmdfifo overflow Mark Cave-Ayland
2025-09-25 13:33 ` Philippe Mathieu-Daudé
2025-10-22 17:36 ` [PATCH 0/2] esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f5655322-fc2b-4577-a802-1ea736e08f4c@linaro.org \
--to=philmd@linaro.org \
--cc=alxndr@bu.edu \
--cc=fam@euphon.net \
--cc=farosas@suse.de \
--cc=lvivier@redhat.com \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).