Null-ptr dereference in megasas_finish_dcmd
This was originally reported at: https://bugs.launchpad.net/qemu/+bug/1918321
Hello,
Reproducer (qtest script):
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
-m 512M -machine q35 -nodefaults -device megasas -device \
scsi-cd,drive=null0 -blockdev \
driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
outl 0xcf8 0x80000801
outl 0xcfc 0x05000000
outl 0xcf8 0x80000816
outl 0xcfc 0x19000000
write 0x1e1ed300 0x1 0x01
write 0x1e1ed307 0x1 0x01
write 0x1e1ed316 0x1 0x01
write 0x1e1ed328 0x1 0x01
write 0x1e1ed32f 0x1 0x01
outl 0x1940 0x1e1ed300
outl 0x1940 0x1e1ed300
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
clock_step
outb 0x1940 0x0
write 0x0 0x1 0x01
write 0x7 0x1 0x01
write 0x16 0x1 0x01
write 0x28 0x1 0x01
write 0x2f 0x1 0x01
outb 0x1940 0x0
write 0x0 0x1 0x05
write 0x7 0x1 0x01
write 0x19 0x1 0x02
write 0x1a 0x1 0x01
write 0x1b 0x1 0x08
write 0x2f 0x1 0x01
outb 0x1940 0x0
EOF
Stack trace (UndefinedBehaviorSanitizer report, followed by the AddressSanitizer SEGV):
../hw/scsi/megasas.c:726:25: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:726:25 in
../hw/scsi/megasas.c:726:25: runtime error: member access within null pointer of type 'struct mfi_dcmd_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:726:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==966650==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x55abf56c7955 bp 0x7fff888f64d0 sp 0x7fff888f6400 T0)
==966650==The signal is caused by a WRITE memory access.
==966650==Hint: address points to the zero page.
#0 0x55abf56c7955 in megasas_finish_dcmd build/../hw/scsi/megasas.c
#1 0x55abf56b97c1 in megasas_handle_dcmd build/../hw/scsi/megasas.c:1601:9
#2 0x55abf56b97c1 in megasas_handle_frame build/../hw/scsi/megasas.c:1965:24
#3 0x55abf56b0e54 in megasas_mmio_write build/../hw/scsi/megasas.c:2129:9
#4 0x55abf6a867f6 in memory_region_write_accessor build/../softmmu/memory.c:491:5
#5 0x55abf6a86263 in access_with_adjusted_size build/../softmmu/memory.c:552:18
#6 0x55abf6a85ac0 in memory_region_dispatch_write build/../softmmu/memory.c
#7 0x55abf6696d86 in flatview_write_continue build/../softmmu/physmem.c:2776:23
#8 0x55abf668c74b in flatview_write build/../softmmu/physmem.c:2816:14
#9 0x55abf668c74b in address_space_write build/../softmmu/physmem.c:2908:18
#10 0x55abf67e6571 in cpu_outb build/../softmmu/ioport.c:60:5
#11 0x55abf6b68ec9 in qtest_process_command build/../softmmu/qtest.c:479:13
#12 0x55abf6b66d6f in qtest_process_inbuf build/../softmmu/qtest.c:797:9
#13 0x55abf6d4c65e in fd_chr_read build/../chardev/char-fd.c:68:9
#14 0x7f976e846aae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
#15 0x55abf76eba3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#16 0x55abf76eba3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#17 0x55abf76eba3c in main_loop_wait build/../util/main-loop.c:531:11
#18 0x55abf69398a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#19 0x55abf54071e5 in main build/../softmmu/main.c:50:5
#20 0x7f976d674d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#21 0x55abf535abb9 in _start (system-i386+0x2b5fbb9)
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31875
Thank you