scsi: Add buf_len parameter to scsi_req_new()

When a SCSI command is received from the guest, the CDB length implied
by the first byte might exceed the number of bytes the guest sent. In
this case scsi_req_new() will read uninitialized data, causing
unpredictable behavior.

Adds the buf_len parameter to scsi_req_new() and plumbs it through the
call stack.

Signed-off-by: John Millikin <john@john-millikin.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458.698416-1-john@john-millikin.com>
[Fill in correct length for adapters other than ESP. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
John Millikin 2022-08-17 14:34:58 +09:00 committed by Paolo Bonzini
parent c6e51f1bb2
commit fe9d8927e2
13 changed files with 45 additions and 33 deletions


@ -415,7 +415,7 @@ static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
cbw.cmd_len, s->data_len);
assert(le32_to_cpu(s->csw.residue) == 0);
s->scsi_len = 0;
s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, NULL);
s->req = scsi_req_new(scsi_dev, tag, cbw.lun, cbw.cmd, cbw.cmd_len, NULL);
if (s->commandlog) {
scsi_req_print(s->req);
}
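Review bot: The new `cbw.cmd_len` argument in the `scsi_req_new()` call is a guest-supplied byte from the CBW, and nothing in this hunk bounds it against the size of the `cbw.cmd` array, so the length intended to stop over-reads could itself exceed the buffer unless usb_msd_handle_data validates it earlier (the function begins outside the hunk, so I cannot see whether it does). If no such check exists, the command should be rejected before this call rather than relying on scsi_req_new() to clamp it, e.g. `if (cbw.cmd_len > sizeof(cbw.cmd)) { /* reject malformed CBW via this function's existing error path */ }`. A comment at the call such as `/* cmd_len is guest-controlled; must be bounded to sizeof(cbw.cmd) before use */` would record the invariant the new parameter depends on.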


@ -71,7 +71,7 @@ typedef struct {
uint8_t reserved_2;
uint64_t lun;
uint8_t cdb[16];
uint8_t add_cdb[1]; /* not supported by QEMU */
uint8_t add_cdb[1];
} QEMU_PACKED uas_iu_command;
typedef struct {
@ -699,6 +699,7 @@ static void usb_uas_command(UASDevice *uas, uas_iu *iu)
UASRequest *req;
uint32_t len;
uint16_t tag = be16_to_cpu(iu->hdr.tag);
size_t cdb_len = sizeof(iu->command.cdb) + iu->command.add_cdb_length;
if (iu->command.add_cdb_length > 0) {
qemu_log_mask(LOG_UNIMP, "additional adb length not yet supported\n");
@ -729,7 +730,7 @@ static void usb_uas_command(UASDevice *uas, uas_iu *iu)
req->req = scsi_req_new(req->dev, req->tag,
usb_uas_get_lun(req->lun),
iu->command.cdb, req);
iu->command.cdb, cdb_len, req);
if (uas->requestlog) {
scsi_req_print(req->req);
}
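Review bot: `cdb_len` in `size_t cdb_len = sizeof(iu->command.cdb) + iu->command.add_cdb_length;` is computed from the guest-supplied `add_cdb_length` before that field is checked, and the IU layout in the first hunk only reserves `add_cdb[1]`, so if the `LOG_UNIMP` branch that follows does not return, the length handed to `scsi_req_new()` in the third hunk would overstate the bytes actually present; whether that branch returns is outside the hunk. Since the additional-CDB path is unsupported, computing the length after the check, or passing `sizeof(iu->command.cdb)` directly, removes that dependency. Dropping `/* not supported by QEMU */` from `add_cdb[1]` while the log message still reports the feature as unsupported also leaves the field undocumented; a comment such as `/* additional CDB bytes; rejected as unsupported in usb_uas_command() */` would keep the declaration and the handling consistent. usb_uas_command begins and ends outside the hunk.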