Git-commit: 607206948cacda4a80be5b976dba490970a18a76
References: bsc#1180433, CVE-2020-35504 bsc#1180434, CVE-2020-35505 bsc#1180435, CVE-2020-35506
When a CDB has been received and is about to be submitted to the SCSI layer
via one of the ESP select commands, ensure that do_cmd is set to zero before
executing the command.

Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
.transfer_data callback again before do_cmd is set to zero by the callback
function triggering an assert at the start of esp_transfer_data().
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
}
s->pdma_cb = satn_pdma_cb;
len = get_cmd(s, buf, sizeof(buf));
- if (len)
+ if (len) {
+ s->do_cmd = 0;
do_cmd(s, buf);
+ }
}
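Review bot: the change to satn_pdma_cb is correct as far as it goes, but the commit message says the flag must be cleared before submission "via one of the ESP select commands", and only the PDMA callback path is visible in this hunk; confirm that the direct (non-PDMA) select handlers that call `do_cmd(s, buf)` also clear `s->do_cmd = 0;` before the call, otherwise the window described in the message (a second CDB arriving before the callback clears do_cmd, hitting the assert in esp_transfer_data()) stays open on that path. Adding braces around `if (len)` is required here since the body grows to two statements; good that it was not left as a dangling one-liner.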
static void s_without_satn_pdma_cb(ESPState *s)
s->pdma_cb = s_without_satn_pdma_cb;
len = get_cmd(s, buf, sizeof(buf));
if (len) {
+ s->do_cmd = 0;
do_busid_cmd(s, buf, 0);
}
}
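Review bot: this hunk mirrors the first one, clearing `s->do_cmd = 0;` immediately before `do_busid_cmd(s, buf, 0);` in s_without_satn_pdma_cb. Since both hunks now repeat the same line directly in front of the submit call, consider clearing the flag inside the submission helper itself rather than at each call site, so a select path added later cannot forget it and the ordering guarantee (flag cleared before the SCSI layer can invoke .transfer_data) is enforced by construction in one place.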