Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
On 15/06/2016 19:18, P J P wrote: > Hello Paolo, > > +-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+ > | Actually, the commit message is wrong. The length parameter cannot > | exceed the buffer size anymore. > > It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is > called via 'esp_transfer_data' with 's->do_cmd' set? 'len' isn't checked > there. No, it's not possible; see the discussion in reply to v1. Paolo
Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
Hello Paolo, +-- On Wed, 15 Jun 2016, Paolo Bonzini wrote --+ | Actually, the commit message is wrong. The length parameter cannot | exceed the buffer size anymore. It wouldn't exceed after this patch, right? Is it possible 'esp_do_dma' is called via 'esp_transfer_data' with 's->do_cmd' set? 'len' isn't checked there. | Can you do a v4 with the corrected | commit message and an assert that avoids overflows like in Laszlo's | proposal? I think this: | |assert (s->cmdlen <= sizeof(s->cmdbuf) && |len <= sizeof(s->cmdbuf) - s->cmdlen); Okay. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
On 15/06/2016 18:16, P J P wrote: > From: Prasad J Pandit> > While doing DMA read into ESP command buffer 's->cmdbuf', the > length parameter could exceed the buffer size. Add check to avoid > OOB access. Also increase the command buffer size to 32, which > is maximum when 's->do_cmd' is set. Actually, the commit message is wrong. The length parameter cannot exceed the buffer size anymore. Can you do a v4 with the corrected commit message and an assert that avoids overflows like in Laszlo's proposal? I think this: assert (s->cmdlen <= sizeof(s->cmdbuf) && len <= sizeof(s->cmdbuf) - s->cmdlen); would do. Thanks, Paolo
Re: [Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
On 15/06/2016 18:16, P J P wrote: > From: Prasad J Pandit> > While doing DMA read into ESP command buffer 's->cmdbuf', the > length parameter could exceed the buffer size. Add check to avoid > OOB access. Also increase the command buffer size to 32, which > is maximum when 's->do_cmd' is set. > > Reported-by: Li Qiang > Signed-off-by: Prasad J Pandit > --- > hw/scsi/esp.c | 7 +-- > include/hw/scsi/esp.h | 3 ++- > 2 files changed, 7 insertions(+), 3 deletions(-) > > Update as per > -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg04194.html It's okay, but... > diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c > index 4b94bbc..1208a63 100644 > --- a/hw/scsi/esp.c > +++ b/hw/scsi/esp.c > @@ -249,6 +249,9 @@ static void esp_do_dma(ESPState *s) > len = s->dma_left; > if (s->do_cmd) { > trace_esp_do_dma(s->cmdlen, len); > +if (len > sizeof(s->cmdbuf) - s->cmdlen) { > +return; > +} ... this is not necessary so it can be replaced by an assertion. I can do that when applying. Paolo > s->dma_memory_read(s->dma_opaque, >cmdbuf[s->cmdlen], len); > s->ti_size = 0; > s->cmdlen = 0; > @@ -348,7 +351,7 @@ static void handle_ti(ESPState *s) > s->dma_counter = dmalen; > > if (s->do_cmd) > -minlen = (dmalen < 32) ? dmalen : 32; > +minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; > else if (s->ti_size < 0) > minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size; > else > @@ -452,7 +455,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t > val) > break; > case ESP_FIFO: > if (s->do_cmd) { > -if (s->cmdlen < TI_BUFSZ) { > +if (s->cmdlen < ESP_CMDBUF_SZ) { > s->cmdbuf[s->cmdlen++] = val & 0xff; > } else { > trace_esp_error_fifo_overrun(); > diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h > index 6c79527..d2c4886 100644 > --- a/include/hw/scsi/esp.h > +++ b/include/hw/scsi/esp.h > @@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift, > > #define ESP_REGS 16 > #define TI_BUFSZ 16 > +#define ESP_CMDBUF_SZ 32 > > typedef struct ESPState ESPState; > > @@ -31,7 +32,7 @@ struct ESPState { > SCSIBus bus; > SCSIDevice *current_dev; > SCSIRequest *current_req; > -uint8_t cmdbuf[TI_BUFSZ]; > +uint8_t cmdbuf[ESP_CMDBUF_SZ]; > uint32_t cmdlen; > uint32_t do_cmd; > >
[Qemu-devel] [PATCH v3] scsi: esp: check length before dma read
From: Prasad J PanditWhile doing DMA read into ESP command buffer 's->cmdbuf', the length parameter could exceed the buffer size. Add check to avoid OOB access. Also increase the command buffer size to 32, which is maximum when 's->do_cmd' is set. Reported-by: Li Qiang Signed-off-by: Prasad J Pandit --- hw/scsi/esp.c | 7 +-- include/hw/scsi/esp.h | 3 ++- 2 files changed, 7 insertions(+), 3 deletions(-) Update as per -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg04194.html diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 4b94bbc..1208a63 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -249,6 +249,9 @@ static void esp_do_dma(ESPState *s) len = s->dma_left; if (s->do_cmd) { trace_esp_do_dma(s->cmdlen, len); +if (len > sizeof(s->cmdbuf) - s->cmdlen) { +return; +} s->dma_memory_read(s->dma_opaque, >cmdbuf[s->cmdlen], len); s->ti_size = 0; s->cmdlen = 0; @@ -348,7 +351,7 @@ static void handle_ti(ESPState *s) s->dma_counter = dmalen; if (s->do_cmd) -minlen = (dmalen < 32) ? dmalen : 32; +minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; else if (s->ti_size < 0) minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size; else @@ -452,7 +455,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) break; case ESP_FIFO: if (s->do_cmd) { -if (s->cmdlen < TI_BUFSZ) { +if (s->cmdlen < ESP_CMDBUF_SZ) { s->cmdbuf[s->cmdlen++] = val & 0xff; } else { trace_esp_error_fifo_overrun(); diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h index 6c79527..d2c4886 100644 --- a/include/hw/scsi/esp.h +++ b/include/hw/scsi/esp.h @@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift, #define ESP_REGS 16 #define TI_BUFSZ 16 +#define ESP_CMDBUF_SZ 32 typedef struct ESPState ESPState; @@ -31,7 +32,7 @@ struct ESPState { SCSIBus bus; SCSIDevice *current_dev; SCSIRequest *current_req; -uint8_t cmdbuf[TI_BUFSZ]; +uint8_t cmdbuf[ESP_CMDBUF_SZ]; uint32_t cmdlen; uint32_t do_cmd; -- 2.5.5