From fa7505c154d4d00ad89a747be2eda556643ce00e Mon Sep 17 00:00:00 2001 From: Mark Cave-Ayland Date: Wed, 7 Apr 2021 20:57:56 +0100 Subject: [PATCH] esp: don't underflow cmdfifo in do_cmd() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the guest tries to execute a CDB when cmdfifo is not empty before the start of the message out phase then clearing the message out phase data will cause cmdfifo to underflow due to cmdfifo_cdb_offset being larger than the amount of data within. Since this can only occur by issuing deliberately incorrect instruction sequences, ensure that the maximum length of esp_fifo_pop_buf() is limited to the size of the data within cmdfifo. Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 Signed-off-by: Mark Cave-Ayland Reviewed-by: Philippe Mathieu-Daudé Tested-by: Alexander Bulekov Message-Id: <20210407195801.685-8-mark.cave-ayland@ilande.co.uk> --- hw/scsi/esp.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 904fa3179c..d3b105b703 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -319,13 +319,15 @@ static void do_busid_cmd(ESPState *s, uint8_t busid) static void do_cmd(ESPState *s) { - uint8_t busid = fifo8_pop(&s->cmdfifo); + uint8_t busid = esp_fifo_pop(&s->cmdfifo); + int len; s->cmdfifo_cdb_offset--; /* Ignore extended messages for now */ if (s->cmdfifo_cdb_offset) { - esp_fifo_pop_buf(&s->cmdfifo, NULL, s->cmdfifo_cdb_offset); + len = MIN(s->cmdfifo_cdb_offset, fifo8_num_used(&s->cmdfifo)); + esp_fifo_pop_buf(&s->cmdfifo, NULL, len); s->cmdfifo_cdb_offset = 0; }