QEMU crashes when a guest Linux issues a specific SCSI command via ioctl(SG_IO) with SCSI disk emulation.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Fix Released | Undecided | Unassigned | |
Bug Description
As of git revision 362ca922eea0324
To reproduce:
1. Launch qemu with SCSI emulation.
qemu-system-
2. Issue a SCSI command via ioctl(SG_IO) on the guest Linux, like below.
```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>
#include <linux/cdrom.h>   /* struct request_sense */

int main(int argc, char **argv)
{
    struct request_sense sens;
    struct sg_io_hdr sg;
    unsigned char cdb[6];
    unsigned char buf[127];
    /* sg device node of the emulated disk, e.g. /dev/sg0 (assumed default) */
    int fd = open(argc > 1 ? argv[1] : "/dev/sg0", O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    memset(&sens, 0, sizeof(sens));
    memset(&sg, 0, sizeof(sg));
    memset(cdb, 0, sizeof(cdb));
    memset(buf, 0, sizeof(buf));
    // opcode 0xff is not a known CDB group -> qemu crash!!!
    cdb[0] = 0xff;
    sg.dxferp = buf;
    sg.dxfer_len = sizeof(buf);
    sg.dxfer_direction = SG_DXFER_FROM_DEV;
    sg.flags = 0;
    sg.interface_id = 'S';
    sg.cmdp = cdb;
    sg.cmd_len = sizeof(cdb);
    sg.sbp = (unsigned char *)&sens;
    sg.mx_sb_len = sizeof(sens);
    if (ioctl(fd, SG_IO, &sg) < 0)
        perror("ioctl(SG_IO)");
    close(fd);
    return 0;
}
```
I think the cause is the code below.
scsi-bus.c L1239
```c
int scsi_req_
{
    int rc;
    cmd->lba = -1;
    cmd->len = scsi_cdb_
    ...
    memcpy(
}
```
scsi_cdb_
Then memcpy(cmd->buf, buf, 4294967295); is executed and it crashes.
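The check the report is pointing at, as an added example that is not QEMU's code: a small model of CDB-length parsing in which an opcode from a reserved or vendor-specific group yields -1, and the copy is refused before a negative length can reach memcpy as (size_t)-1. The struct, SCSI_CMD_BUF_SIZE and both function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SCSI_CMD_BUF_SIZE 16   /* largest CDB this model accepts (assumed) */

struct scsi_command {
    uint8_t buf[SCSI_CMD_BUF_SIZE];
    int len;
};

/* CDB length derived from the opcode's group code (bits 7..5), as
 * defined by SPC: group 0 = 6 bytes, 1/2 = 10, 4 = 16, 5 = 12.
 * Groups 3, 6 and 7 are reserved or vendor-specific and have no
 * fixed length, so -1 is returned. Constructed for this example. */
static int cdb_length(const uint8_t *cdb)
{
    switch (cdb[0] >> 5) {
    case 0:  return 6;
    case 1:
    case 2:  return 10;
    case 4:  return 16;
    case 5:  return 12;
    default: return -1;
    }
}

/* Copy a guest-supplied CDB into cmd only after validating its length.
 * cdb_avail is how many bytes the guest actually handed over (sg.cmd_len
 * in the reproducer). Returns 0 on success, -1 if the command is
 * rejected; on rejection nothing is copied and cmd->len stays 0. */
int parse_cdb_checked(struct scsi_command *cmd, const uint8_t *cdb,
                      size_t cdb_avail)
{
    int len;

    memset(cmd, 0, sizeof(*cmd));
    if (cdb_avail == 0)
        return -1;
    len = cdb_length(cdb);
    /* The negative-length case is the one the report describes: without
     * this test, (size_t)-1 reaches memcpy. */
    if (len < 0 || (size_t)len > cdb_avail || len > SCSI_CMD_BUF_SIZE)
        return -1;
    memcpy(cmd->buf, cdb, (size_t)len);
    cmd->len = len;
    return 0;
}
```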
Environment
Qemu: git revision 362ca922eea0324
Guest: linux kernel 3.18.4 + buildroot
Host: Windows 7 64bit
Thanks,
hiroaki
Looks like this has been fixed here: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c170aad8b057223b1139d7