From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 17 Dec 2021 22:43:05 +0100 Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail values MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit While the reply queue values fit in 16-bit, they are accessed as 32-bit: 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES; 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES; Having: 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */ In order to update the ld/st*_pci_dma() API to pass the address of the value to access, it is simpler to have the head/tail declared as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in the MegasasState structure. CVE: CVE-2021-3611 Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997] Acked-by: Richard Henderson Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20211223115554.3155328-20-philmd@redhat.com> Signed-off-by: Bhabu Bindu --- hw/scsi/megasas.c | 4 ++-- hw/scsi/trace-events | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 8f35784..14ec6d6 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -109,8 +109,8 @@ struct MegasasState { uint64_t reply_queue_pa; void *reply_queue; uint16_t reply_queue_len; - uint16_t reply_queue_head; - uint16_t reply_queue_tail; + uint32_t reply_queue_head; + uint32_t reply_queue_tail; uint64_t consumer_pa; uint64_t producer_pa; diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events index 92d5b40..ae8551f 100644 --- a/hw/scsi/trace-events +++ b/hw/scsi/trace-events @@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_ # megasas.c megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " " -megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x" +megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x" megasas_initq_map_failed(int frame) "scmd %d: failed to map queue" megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64 megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d" megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x" megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64 megasas_qf_busy(unsigned long pa) "all frames busy for frame 0x%lx" -megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" -megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d" +megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" +megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu" megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " " -megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" +megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy" megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x" megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu" -- 1.8.3.1