[Qemu-block] Overflow in Virtio-BLK and SCSI Requests?

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-block] Overflow in Virtio-BLK and SCSI Requests?

From:	Peter Lieven
Subject:	[Qemu-block] Overflow in Virtio-BLK and SCSI Requests?
Date:	Fri, 20 May 2016 11:27:02 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

Hi,

while working at the iSCSI code in Qemu I came across the following line in 
iscsi_aio_ioctl

memcpy(&acb->task->cdb[0], acb->ioh->cmdp, acb->ioh->cmd_len);

Is there anything to ensure that the cmd_len is valid when the requests is e.g. 
coming in via
virtio_blk_handle_scsi ?

It seems that virtio-scsi does not allow to pass ioctls directly from Guest, 
but at least virtio-blk
does. And in virtio-blk it seems the data is blindly copied from 
elem->out_sg[1]. So it would
be possible to overflow the acb->task->cdb. Or am I wrong here?

Peter

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-block] Overflow in Virtio-BLK and SCSI Requests?, Peter Lieven <=
- Re: [Qemu-block] Overflow in Virtio-BLK and SCSI Requests?, Stefan Hajnoczi, 2016/05/27
  - Re: [Qemu-block] Overflow in Virtio-BLK and SCSI Requests?, Peter Lieven, 2016/05/30
    - Re: [Qemu-block] Overflow in Virtio-BLK and SCSI Requests?, P J P, 2016/05/30

Prev by Date: Re: [Qemu-block] [PATCH] block: Fix memory leak in bdrv_next()
Next by Date: Re: [Qemu-block] [PULL 21/31] block: Avoid bs->blk in bdrv_next()
Previous by thread: [Qemu-block] [PATCH] block: Fix memory leak in bdrv_next()
Next by thread: Re: [Qemu-block] Overflow in Virtio-BLK and SCSI Requests?
Index(es):
- Date
- Thread