[v2,0/4] hw/scsi/megasas: Avoid buffer overrun in megasas_handle_scsi()

Message ID	20201201191026.4149955-1-philmd@redhat.com (mailing list archive)
Headers	show Return-Path: <SRS0=RQL/=FF=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9E28D20639 From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com> To: qemu-devel@nongnu.org Subject: [PATCH v2 0/4] hw/scsi/megasas: Avoid buffer overrun in megasas_handle_scsi() Date: Tue, 1 Dec 2020 20:10:22 +0100 Message-Id: <20201201191026.4149955-1-philmd@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=63.128.21.124; envelope-from=philmd@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -35 X-Spam_score: -3.6 X-Spam_bar: --- X-Spam_report: (-3.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.497, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Cc: Laurent Vivier <lvivier@redhat.com>, Fam Zheng <fam@euphon.net>, Thomas Huth <thuth@redhat.com>, qemu-block@nongnu.org, Li Qiang <liq3ea@163.com>, Hannes Reinecke <hare@suse.com>, Alexander Bulekov <alxndr@bu.edu>, Paolo Bonzini <pbonzini@redhat.com>, =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	hw/scsi/megasas: Avoid buffer overrun in megasas_handle_scsi() \| expand [v2,0/4] hw/scsi/megasas: Avoid buffer overrun in megasas_handle_scsi() [v2,1/4] tests/qtest/fuzz-test: Quit test_lp1878642 once done [v2,2/4] hw/scsi/megasas: Assert cdb_len is valid in megasas_handle_scsi() [v2,3/4] tests/qtest/fuzz-test: Add test_megasas_cdb_len_zero() reproducer [RFC,v2,4/4] hw/scsi/megasas: Have incorrect cdb return MFI_STAT_ABORT_NOT_POSSIBLE

Message ID

20201201191026.4149955-1-philmd@redhat.com (mailing list archive)

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9E28D20639
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com>
To: qemu-devel@nongnu.org
Subject: [PATCH v2 0/4] hw/scsi/megasas: Avoid buffer overrun in
 megasas_handle_scsi()
Date: Tue,  1 Dec 2020 20:10:22 +0100
Message-Id: <20201201191026.4149955-1-philmd@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=63.128.21.124; envelope-from=philmd@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -35
X-Spam_score: -3.6
X-Spam_bar: ---
X-Spam_report: (-3.6 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.497,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Laurent Vivier <lvivier@redhat.com>, Fam Zheng <fam@euphon.net>,
 Thomas Huth <thuth@redhat.com>, qemu-block@nongnu.org,
 Li Qiang <liq3ea@163.com>, Hannes Reinecke <hare@suse.com>,
 Alexander Bulekov <alxndr@bu.edu>, Paolo Bonzini <pbonzini@redhat.com>,
	=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

hw/scsi/megasas: Avoid buffer overrun in megasas_handle_scsi() | expand

Message

Philippe Mathieu-Daudé Dec. 1, 2020, 7:10 p.m. UTC

FWIW megasas is not use by KVM.

Not sure what is the proper fix, but at least we
have a reproducer.

Since v1:
- Fix assert() condition
- Extract reproducer in different patch for git-bisect (thuth)
- Add simpler reproducer from Alex
- Try better scsi error

Philippe Mathieu-Daudé (4):
  tests/qtest/fuzz-test: Quit test_lp1878642 once done
  hw/scsi/megasas: Assert cdb_len is valid in megasas_handle_scsi()
  tests/qtest/fuzz-test: Add test_megasas_cdb_len_zero() reproducer
  hw/scsi/megasas: Have incorrect cdb return MFI_STAT_ABORT_NOT_POSSIBLE

 hw/scsi/megasas.c       | 13 +++++++++++++
 tests/qtest/fuzz-test.c | 20 ++++++++++++++++++++
 2 files changed, 33 insertions(+)