qemu/hw/scsi
John Millikin 6d1511cea0 scsi: Reject commands if the CDB length exceeds buf_len
In scsi_req_parse_cdb(), if the CDB length implied by the command type
exceeds the initialized portion of the command buffer, reject the request.

Rejected requests are recorded by the `scsi_req_parse_bad` trace event.

One example of a bug detected by this check is SunOS's use of interleaved
DMA and non-DMA commands. This guest behavior currently causes QEMU to
parse uninitialized memory as a SCSI command, with unpredictable
outcomes.

With the new check in place:

  * QEMU consistently creates a trace event and rejects the request.

  * SunOS retries the request(s) and is able to successfully boot from
    disk.

Signed-off-by: John Millikin <john@john-millikin.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458.698416-2-john@john-millikin.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-09-01 07:42:37 +02:00
emulation.c
esp-pci.c
esp.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
Kconfig
lsi53c895a.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
megasas.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
meson.build
mfi.h
mpi.h
mptconfig.c
mptendian.c
mptsas.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
mptsas.h
scsi-bus.c scsi: Reject commands if the CDB length exceeds buf_len 2022-09-01 07:42:37 +02:00
scsi-disk.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
scsi-generic.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
spapr_vscsi.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
srp.h
trace-events
trace.h
vhost-scsi-common.c
vhost-scsi.c
vhost-user-scsi.c
viosrp.h
virtio-scsi-dataplane.c
virtio-scsi.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
vmw_pvscsi.c scsi: Add buf_len parameter to scsi_req_new() 2022-09-01 07:42:37 +02:00
vmw_pvscsi.h