diff options
| author | Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> | 2023-09-13 21:44:09 +0100 |
|---|---|---|
| committer | Michael Tokarev <mjt@tls.msk.ru> | 2023-10-03 18:25:00 +0300 |
| commit | fa2f090d6225b1266fa1a44f27e3048f530ef06e (patch) | |
| tree | 05321f413ca47d2b04b83a5fa3f869af4b585b1f | |
| parent | 9b7feb87d0acfda5aff5b0830740ddc2d9ed7dcb (diff) | |
esp: restrict non-DMA transfer length to that of available data
In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.
Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
| -rw-r--r-- | hw/scsi/esp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 4218a6a960..9b11d8c573 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s) } if (to_device) { - len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); + len = MIN(s->async_len, ESP_FIFO_SZ); + len = MIN(len, fifo8_num_used(&s->fifo)); esp_fifo_pop_buf(&s->fifo, s->async_buf, len); s->async_buf += len; s->async_len -= len; |