From: Mark Cave-Ayland
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Date: Thu, 4 Apr 2024 15:25:34 +0100
Message-Id: <20240404142539.711134-13-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <20240404142539.711134-1-mark.cave-ayland@ilande.co.uk>
Subject: [PULL 12/17] esp.c: prevent cmdfifo overflow in esp_cdb_ready()

During normal use the cmdfifo will never wrap internally and cmdfifo_cdb_offset will always indicate the start of the SCSI CDB.
However, it is possible that a malicious guest could issue an invalid ESP command sequence such that cmdfifo wraps internally and cmdfifo_cdb_offset could point beyond the end of the FIFO data buffer.

Add an extra check to fifo8_peek_buf() to ensure that if the cmdfifo has wrapped internally then esp_cdb_ready() will exit rather than allow scsi_cdb_length() to access data outside the cmdfifo data buffer.

Reported-by: Chuhong Yuan
Signed-off-by: Mark Cave-Ayland
Reviewed-by: Paolo Bonzini
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20240324191707.623175-13-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Mark Cave-Ayland
---
 hw/scsi/esp.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index f47abc36d6..d8db33b921 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -429,13 +429,23 @@ static bool esp_cdb_ready(ESPState *s) { int len =3D fifo8_num_used(&s->cmdfifo) - s->cmdfifo_cdb_offset; const uint8_t *pbuf; + uint32_t n; int cdblen; =20 if (len <=3D 0) { return false; } =20 - pbuf =3D fifo8_peek_buf(&s->cmdfifo, len, NULL); + pbuf =3D fifo8_peek_buf(&s->cmdfifo, len, &n); + if (n < len) { + /* + * In normal use the cmdfifo should never wrap, but include this c= heck + * to prevent a malicious guest from reading past the end of the + * cmdfifo data buffer below + */ + return false; + } + cdblen =3D scsi_cdb_length((uint8_t *)&pbuf[s->cmdfifo_cdb_offset]); =20 return cdblen < 0 ? false : (len >=3D cdblen); --=20 2.39.2
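Review bot: the new `n < len` check only guarantees that the first `len` bytes from the FIFO head are contiguous, but the byte actually dereferenced is `pbuf[s->cmdfifo_cdb_offset]`, which lies inside that guaranteed region only when `cmdfifo_cdb_offset < len` (equivalently, when the offset is less than half of `fifo8_num_used()`); if the offset can ever exceed that, the index can still land past the end of the data buffer even though `n == len`. A more direct guard is to peek the whole used region and require all of it to be contiguous, e.g. `pbuf = fifo8_peek_buf(&s->cmdfifo, fifo8_num_used(&s->cmdfifo), &n);` followed by `if (n < fifo8_num_used(&s->cmdfifo)) { return false; }`, which covers every index up to `cmdfifo_cdb_offset + len`. Minor: `n` is `uint32_t` while `len` is `int`, so the comparison is well-defined only because the earlier `len <= 0` check has already excluded negative values; a cast or a short comment would make that dependency explicit.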
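As an added example (not QEMU's own code), the following models the Fifo8 peek semantics the fix relies on and the patched esp_cdb_ready() logic on constructed FIFO states, so the wrapped and non-wrapped cases can be stepped through; the Fifo8 field layout, the fifo8_peek_buf() contiguity behaviour and the scsi_cdb_length() stand-in are simplifications assumed here.

```c
/* Added example, not QEMU's code: a small model of QEMU's Fifo8 ring buffer and
 * the patched check, showing how the contiguous byte count that
 * fifo8_peek_buf() returns reveals an internally wrapped cmdfifo. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CAP 16u  /* small capacity so a wrapped FIFO is easy to construct */
typedef struct {  /* same fields as QEMU's Fifo8, with data[] inline */
    uint8_t data[CAP];
    uint32_t capacity, head, num;
} Fifo8;

/* Model of fifo8_peek_buf(): pointer to the bytes at the head; *numptr gets how
 * many of the `max` requested bytes are contiguous before data[] ends. */
static const uint8_t *fifo8_peek_buf(Fifo8 *f, uint32_t max, uint32_t *numptr)
{
    uint32_t n = f->capacity - f->head;
    if (n > max) { n = max; }
    if (numptr) { *numptr = n; }
    return &f->data[f->head];
}

/* Constructed state: `used` bytes of opcode 0x12 (INQUIRY, a 6-byte CDB)
 * starting at index `head`; the data wraps whenever head + used > CAP. */
static void fifo_fill(Fifo8 *f, uint32_t head, uint32_t used)
{
    memset(f->data, 0x12, CAP);
    f->capacity = CAP; f->head = head; f->num = used;
}

/* Stand-in for scsi_cdb_length(): group 0 opcodes are 6-byte CDBs. */
static int cdb_length(uint8_t opcode) { return (opcode >> 5) == 0 ? 6 : -1; }

/* The patched check. *wrapped is set when the new early exit fires: the peek
 * returned fewer contiguous bytes than len, so nothing is indexed at all. */
static bool esp_cdb_ready(Fifo8 *f, int cdb_offset, bool *wrapped)
{
    int len = (int)f->num - cdb_offset;
    uint32_t n;
    *wrapped = false;
    if (len <= 0) { return false; }
    const uint8_t *pbuf = fifo8_peek_buf(f, (uint32_t)len, &n);
    if (n < (uint32_t)len) {
        *wrapped = true;  /* pbuf[cdb_offset] could lie past data[]: bail out */
        return false;
    }
    int cdblen = cdb_length(pbuf[cdb_offset]);
    return cdblen < 0 ? false : (len >= cdblen);
}
```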