qemu/hw/scsi
John Millikin 6d1511cea0 scsi: Reject commands if the CDB length exceeds buf_len
In scsi_req_parse_cdb(), if the CDB length implied by the command type
exceeds the initialized portion of the command buffer, reject the request.

Rejected requests are recorded by the `scsi_req_parse_bad` trace event.

On example of a bug detected by this check is SunOS's use of interleaved
DMA and non-DMA commands. This guest behavior currently causes QEMU to
parse uninitialized memory as a SCSI command, with unpredictable
outcomes.

With the new check in place:

  * QEMU consistently creates a trace event and rejects the request.

  * SunOS retries the request(s) and is able to successfully boot from
    disk.

Signed-off-by: John Millikin <john@john-millikin.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458.698416-2-john@john-millikin.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-09-01 07:42:37 +02:00
..
emulation.c scsi-generic: avoid invalid access to struct when emulating block limits 2018-11-06 21:35:06 +01:00
esp-pci.c pci: Let pci_dma_rw() take MemTxAttrs argument 2021-12-31 01:05:23 +01:00
esp.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
Kconfig build: move vhost-scsi configuration to Kconfig 2022-05-07 07:46:58 +02:00
lsi53c895a.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
megasas.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
meson.build meson: convert hw/scsi 2020-08-21 06:30:28 -04:00
mfi.h Fix 'writeable' typos 2022-06-08 19:38:47 +01:00
mpi.h hw: Add support for LSI SAS1068 (mptsas) device 2016-02-09 15:45:26 +01:00
mptconfig.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptendian.c nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
mptsas.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
mptsas.h mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392) 2021-04-19 15:48:12 +01:00
scsi-bus.c scsi: Reject commands if the CDB length exceeds buf_len 2022-09-01 07:42:37 +02:00
scsi-disk.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
scsi-generic.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
spapr_vscsi.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
srp.h
trace-events scsi-disk: allow MODE SELECT block descriptor to set the block size 2022-07-13 16:58:58 +02:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-scsi-common.c vhost-scsi: support inflight io track 2020-09-30 19:09:20 +02:00
vhost-scsi.c virtio: add vhost support for virtio devices 2022-05-16 04:38:40 -04:00
vhost-user-scsi.c hw/vhost-user-scsi|blk: set supports_config flag correctly 2022-06-09 19:32:49 -04:00
viosrp.h hw/scsi/spapr_vscsi: Do not mix SRP IU size with DMA buffer size 2020-03-17 15:08:50 +11:00
virtio-scsi-dataplane.c virtio-scsi: fix race in virtio_scsi_dataplane_start() 2022-08-17 07:07:37 -04:00
virtio-scsi.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
vmw_pvscsi.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
vmw_pvscsi.h