From: Jeuk Kim <[email protected]>
ufs_emulate_report_luns() writes the 4-byte LUN list length into
outbuf[0..3] via stl_be_p() but leaves outbuf[4..7], the reserved
field, uninitialized. Those bytes are then DMA'd to guest memory,
leaking uninitialized QEMU stack data.
Fixes: 7708e298180 ("hw/ufs/lu: skip automatic zero-init of large array")
Cc: [email protected]
Signed-off-by: Jeuk Kim <[email protected]>
---
hw/ufs/lu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/ufs/lu.c b/hw/ufs/lu.c
index 3f3c9589ce..709d6adcf6 100644
--- a/hw/ufs/lu.c
+++ b/hw/ufs/lu.c
@@ -101,6 +101,10 @@ static int ufs_emulate_report_luns(UfsRequest *req,
uint8_t *outbuf,
return SCSI_COMMAND_FAIL;
}
+ if (outbuf_len < 8) {
+ return SCSI_COMMAND_FAIL;
+ }
+ memset(outbuf, 0, 8);
len += 8;
for (uint8_t lun = 0; lun < UFS_MAX_LUS; ++lun) {
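Review bot: the new `if (outbuf_len < 8) return SCSI_COMMAND_FAIL;` guard is a behavioural change the commit message does not describe (it only covers the uninitialised reserved field in outbuf[4..7]); either mention the short-buffer check in the message or split it into its own patch so the stable backport stays minimal. Separately, `memset(outbuf, 0, 8)` covers outbuf[0..3] as well as the reserved bytes, so it must run before the `stl_be_p()` that stores the LUN list length; that store is outside this hunk's context, so please confirm the ordering, otherwise the length field would be zeroed after being written.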
--
2.43.0