add gitlab issues in toml format

1 files changed, 89 insertions, 0 deletions

diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/1654.toml b/gitlab/issues/target_missing/host_missing/accel_missing/1654.toml
new file mode 100644
index 00000000..96935a04
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/1654.toml
@@ -0,0 +1,89 @@
+id = 1654
+title = "Memory out of bounds access vulnerability when guest accesses Block Limits information of SCSI devices"
+state = "opened"
+created_at = "2023-05-16T03:12:44.063Z"
+closed_at = "n/a"
+labels = ["Security", "Storage"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1654"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """When a guest uses a Linux kernel version 5.19 or higher and uses an scsi device, there will be a memory access violation, which can be clearly seen when ASAN is turned on.
+
+**reason：**
+Linux kernel 5.19 merge commit：
+
+https://github.com/torvalds/linux/commit/c92a6b5d63359dd6d2ce6ea88ecd8e31dd769f6b
+
+The Linux kernel will first issue a header request to obtain the VPD length before obtaining the VPD information. The BUF for obtaining the VPD length is less than 8 bytes. However, QEMU regards the header for obtaining the VPD length as obtaining all VPD information, and a memory access violation occurs when writing information to BUF.
+
+The specific memory out of bounds information is as follows:
+==12430==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+
+==12430==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 
+0x7fffebc1d000; bottom 0x7f61115ee000; size: 0x009eda62f000 (682268749824)
+
+False positive error reports may follow
+
+==12430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200024d858 at pc 0x55767513791c bp 0x7f6111fcddc0 sp 0x7f6111fcddb0
+
+WRITE of size 4 at 0x60200024d858 thread T0
+
+    #0 0x55767513791b in stl_he_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357
+
+    #1 0x55767513791b in stl_be_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:464
+
+    #2 0x55767513791b in scsi_handle_inquiry_reply hw/scsi/scsi-generic.c:173
+
+    #3 0x55767513791b in scsi_read_complete hw/scsi/scsi-generic.c:318
+
+    #4 0x55767545d7c6 in blk_aio_complete block/block-backend.c:1425
+
+    #5 0x557675544d79 in coroutine_trampoline util/coroutine-ucontext.c:115
+
+    #6 0x7f611b9f14df  (/lib/x86_64-linux-gnu/libc.so.6+0x5b4df)
+
+0x60200024d858 is located 4 bytes to the right of 4-byte region [0x60200024d850,0x60200024d854)
+
+allocated by thread T0 here:
+
+    #0 0x557674a987f2 in malloc (/sf/bin/qemu-system-x86_64+0x7827f2)
+
+    #1 0x7f6120141d41 in g_malloc (/usr/lib/libglib256-2.0.so.0+0x61d41)
+
+    #2 0x557675137bb4 in scsi_send_command hw/scsi/scsi-generic.c:459
+
+    #3 0x55767513e902 in scsi_req_enqueue hw/scsi/scsi-bus.c:836
+
+    #4 0x557674c5f26e in virtio_scsi_handle_cmd_req_submit /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:589
+
+    #5 0x557674c5f26e in virtio_scsi_handle_cmd_vq /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:634
+
+    #6 0x557674c61089 in virtio_scsi_data_plane_handle_cmd /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi-dataplane.c:60
+
+    #7 0x557674c9a520 in virtio_queue_notify_aio_vq /root/hci/qemu/qemu-5.0.0/hw/virtio/virtio.c:2338
+
+    #8 0x55767552c7c4 in aio_dispatch_handler util/aio-posix.c:328
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357 stl_he_p"""
+reproduce = """1. QEMU Enable ASAN
+2. Use a guest with a Linux kernel version greater than 5.19 and mount an scsi physical device
+3. Upon startup, memory out of bounds access can be detected"""
+additional = """At present, I have made some simple modifications, but I am not sure if this is the best solution and can serve as a reference.
+
+Make a judgment on buflen, ignore the header information issued by the Linux kernel, and write the VPD information when issuing the actual instruction to obtain VPD information.
+
+hw/scsi/scsi-generic.c:scsi_handle_inquiry_reply
+
+```
+if (r->buflen >= 12) {
+    stl_be_p(&r->buf[8], max_transfer);
+}
+if (r->buflen >= 16){
+    /* Also take care of the opt xfer len. */
+    stl_be_p(&r->buf[12],
+        MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));
+}
+```"""