Git Repo - qemu.git/commit
scsi: Reject commands if the CDB length exceeds buf_len
author John Millikin <[email protected]>
Wed, 17 Aug 2022 05:35:00 +0000 (14:35 +0900)
committer Paolo Bonzini <[email protected]>
Thu, 1 Sep 2022 05:42:37 +0000 (07:42 +0200)
commit 6d1511cea0fb536f2df7b6c31bb745d80b98d82e
tree 62d61f3c402d6cb4a0da47c7862eeeeab713f699
parent fe9d8927e265fd723a6dc87cd6d220f4677dbe1f
scsi: Reject commands if the CDB length exceeds buf_len

In scsi_req_parse_cdb(), if the CDB length implied by the command type
exceeds the initialized portion of the command buffer, reject the request.

Rejected requests are recorded by the `scsi_req_parse_bad` trace event.

One example of a bug detected by this check is SunOS's use of interleaved
DMA and non-DMA commands. This guest behavior currently causes QEMU to
parse uninitialized memory as a SCSI command, with unpredictable
outcomes.

With the new check in place:

  * QEMU consistently creates a trace event and rejects the request.

  * SunOS retries the request(s) and is able to successfully boot from
    disk.

Signed-off-by: John Millikin <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
hw/scsi/scsi-bus.c
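The check the commit message describes, written out as an added C example. This is not the patch and not QEMU's code (hw/scsi/scsi-bus.c is not reproduced on this page); it assumes the standard SCSI group-code to CDB-length mapping (group 0: 6 bytes, groups 1 and 2: 10, group 4: 16, group 5: 12, groups 3, 6 and 7 reserved or vendor-specific) and invents the names cdb_length_from_opcode, parse_cdb and the scenario helpers. buf_len stands for the number of bytes the transport actually initialised; the stale-buffer scenario is constructed to show why a command whose implied length exceeds that count must be rejected rather than parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CDB length implied by the command's group code (top three bits of the
 * opcode byte), as laid out in the SCSI command set. Groups 3, 6 and 7 are
 * reserved or vendor-specific, so no length can be derived from them. */
static int cdb_length_from_opcode(uint8_t opcode)
{
    switch (opcode >> 5) {
    case 0:  return 6;
    case 1:
    case 2:  return 10;
    case 4:  return 16;
    case 5:  return 12;
    default: return -1;
    }
}

/* Outcomes of the hypothetical parser below (names are this example's own). */
enum cdb_parse_result {
    CDB_OK = 0,
    CDB_REJECT_UNKNOWN_LENGTH,   /* opcode group gives no usable length */
    CDB_REJECT_TRUNCATED         /* implied length exceeds initialised bytes */
};

#define CDB_MAX 16

/* Copy a command out of `buf` into `cdb` only if the whole CDB lies within
 * the first `buf_len` bytes, i.e. the bytes the transport actually wrote.
 * Anything past buf_len is stale data from an earlier request (or never
 * initialised at all) and must not be interpreted as part of the command. */
static enum cdb_parse_result parse_cdb(const uint8_t *buf, size_t buf_len,
                                       uint8_t cdb[CDB_MAX], int *cdb_len)
{
    if (buf_len == 0) {
        return CDB_REJECT_TRUNCATED;      /* not even the opcode is valid */
    }
    int len = cdb_length_from_opcode(buf[0]);
    if (len < 0) {
        return CDB_REJECT_UNKNOWN_LENGTH;
    }
    if ((size_t)len > buf_len) {
        /* The rejection path the commit adds; a device model would emit its
         * "bad parse" trace event here instead of printing to stderr. */
        fprintf(stderr, "reject: opcode 0x%02x needs %d bytes, %zu initialised\n",
                buf[0], len, buf_len);
        return CDB_REJECT_TRUNCATED;
    }
    memcpy(cdb, buf, (size_t)len);
    *cdb_len = len;
    return CDB_OK;
}

/* Constructed scenario: the buffer still holds 0xEE filler standing in for
 * a previous command's bytes; the guest then writes a READ(10) opcode plus
 * five more bytes, so only 6 of the 10 bytes READ(10) needs are valid. */
static enum cdb_parse_result scenario_read10_with_6_initialised_bytes(void)
{
    uint8_t buf[CDB_MAX], cdb[CDB_MAX];
    int cdb_len = 0;
    memset(buf, 0xEE, sizeof buf);         /* stale contents */
    buf[0] = 0x28;                         /* READ(10) opcode, group 1 */
    memset(&buf[1], 0x00, 5);              /* bytes 1..5 written, 6..9 stale */
    return parse_cdb(buf, 6, cdb, &cdb_len);
}

/* Same opcode with all 10 bytes initialised: accepted. */
static enum cdb_parse_result scenario_read10_fully_initialised(void)
{
    uint8_t buf[CDB_MAX], cdb[CDB_MAX];
    int cdb_len = 0;
    memset(buf, 0xEE, sizeof buf);
    buf[0] = 0x28;
    memset(&buf[1], 0x00, 9);
    return parse_cdb(buf, 10, cdb, &cdb_len);
}

/* A 6-byte TEST UNIT READY (opcode 0x00) with exactly 6 bytes initialised. */
static enum cdb_parse_result scenario_test_unit_ready(void)
{
    uint8_t buf[CDB_MAX] = {0}, cdb[CDB_MAX];
    int cdb_len = 0;
    return parse_cdb(buf, 6, cdb, &cdb_len);
}

int main(void)
{
    printf("TEST UNIT READY, 6 bytes: %d\n", scenario_test_unit_ready());
    printf("READ(10), 6 bytes:        %d\n", scenario_read10_with_6_initialised_bytes());
    printf("READ(10), 10 bytes:       %d\n", scenario_read10_fully_initialised());
    return 0;
}
```

The length-versus-buf_len comparison is the whole fix: without it the parser would read the four stale 0xEE bytes as the READ(10) LBA and transfer length, which is the "uninitialized memory parsed as a SCSI command" outcome the commit message describes. Rejecting gives the guest a consistent error it can retry, which matches the SunOS behaviour reported above.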