Public bug reported: As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest linux issues specifit scsi command, qemu crashes.
To reproduce. 1. launch qemu with scsi emulatoin qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi -append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi 2. issues scsi command via ioctl(SG_IO) on guest linux. like below. ------------------------- struct request_sense sens; struct sg_io_hdr sg; unsigned char cdb[6]; unsigned char buf[127]; memset( &sens, 0, sizeof(sens) ); memset(&sg, 0, sizeof(sg)); memset(cdb, 0, sizeof(cdb)); memset(buf, 0, sizeof(buf)); // qemu crash!!! cdb[0] = 0xff; sg.dxferp = buf; sg.dxfer_len = sizeof(buf); sg.dxfer_direction = SG_DXFER_FROM_DEV; sg.flags = 0; sg.interface_id = 'S'; sg.cmdp = cdb; sg.cmd_len = sizeof( cdb ); sg.sbp = (unsigned char*)&sens; sg.mx_sb_len = sizeof( sens ); ioctl( fd, SG_IO, &sg ); ------------------------- I think cause is below code. scsi-bus.c L1239 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) { int rc; cmd->lba = -1; cmd->len = scsi_cdb_length(buf); ... memcpy(cmd->buf, buf, cmd->len); } scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value. Then memcpy(cmd->buf, buf, 4294967295); is executed and crash. Environment Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12 Guest: linux kernel 3.18.4 + buildroot Host: Windows 7 64bit Thanks, hiroaki ** Affects: qemu Importance: Undecided Status: New -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1435973 Title: Qemu crash when a guest linux issues specific scsi command via ioctl(SG_IO) with SCSI disk emulation. Status in QEMU: New Bug description: As of git revision 362ca922eea03240916287a8a6267801ab095d12, when guest linux issues specifit scsi command, qemu crashes. To reproduce. 1. launch qemu with scsi emulatoin qemu-sysytem-i386.exe -kernel bzImage -drive file=rootfs.ext2,index=0,if=scsi -append root=/dev/sda -drive file=\\.\PhysicalDrive1,index=1,if=scsi 2. issues scsi command via ioctl(SG_IO) on guest linux. like below. ------------------------- struct request_sense sens; struct sg_io_hdr sg; unsigned char cdb[6]; unsigned char buf[127]; memset( &sens, 0, sizeof(sens) ); memset(&sg, 0, sizeof(sg)); memset(cdb, 0, sizeof(cdb)); memset(buf, 0, sizeof(buf)); // qemu crash!!! cdb[0] = 0xff; sg.dxferp = buf; sg.dxfer_len = sizeof(buf); sg.dxfer_direction = SG_DXFER_FROM_DEV; sg.flags = 0; sg.interface_id = 'S'; sg.cmdp = cdb; sg.cmd_len = sizeof( cdb ); sg.sbp = (unsigned char*)&sens; sg.mx_sb_len = sizeof( sens ); ioctl( fd, SG_IO, &sg ); ------------------------- I think cause is below code. scsi-bus.c L1239 int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) { int rc; cmd->lba = -1; cmd->len = scsi_cdb_length(buf); ... memcpy(cmd->buf, buf, cmd->len); } scsi_cdb_length(buf) returns -1 when buf[0] is unexpected value. Then memcpy(cmd->buf, buf, 4294967295); is executed and crash. Environment Qemu: git revision 362ca922eea03240916287a8a6267801ab095d12 Guest: linux kernel 3.18.4 + buildroot Host: Windows 7 64bit Thanks, hiroaki To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1435973/+subscriptions