summary refs log tree commit diff stats
path: root/gitlab/issues_text/target_missing/host_missing/accel_missing/1654
diff options
context:
space:
mode:
Diffstat (limited to 'gitlab/issues_text/target_missing/host_missing/accel_missing/1654')
-rw-r--r--gitlab/issues_text/target_missing/host_missing/accel_missing/165481
1 files changed, 0 insertions, 81 deletions
diff --git a/gitlab/issues_text/target_missing/host_missing/accel_missing/1654 b/gitlab/issues_text/target_missing/host_missing/accel_missing/1654
deleted file mode 100644
index 642abe676..000000000
--- a/gitlab/issues_text/target_missing/host_missing/accel_missing/1654
+++ /dev/null
@@ -1,81 +0,0 @@
-Memory out of bounds access vulnerability when guest accesses Block Limits information of SCSI devices
-Description of problem:
-When a guest uses a Linux kernel version 5.19 or higher and uses an scsi device, there will be a memory access violation, which can be clearly seen when ASAN is turned on.
-
-**reason:**
-Linux kernel 5.19 merge commit:
-
-https://github.com/torvalds/linux/commit/c92a6b5d63359dd6d2ce6ea88ecd8e31dd769f6b
-
-The Linux kernel will first issue a header request to obtain the VPD length before obtaining the VPD information. The BUF for obtaining the VPD length is less than 8 bytes. However, QEMU regards the header for obtaining the VPD length as obtaining all VPD information, and a memory access violation occurs when writing information to BUF.
-
-The specific memory out of bounds information is as follows:
-==12430==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
-
-==12430==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 
-0x7fffebc1d000; bottom 0x7f61115ee000; size: 0x009eda62f000 (682268749824)
-
-False positive error reports may follow
-
-==12430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200024d858 at pc 0x55767513791c bp 0x7f6111fcddc0 sp 0x7f6111fcddb0
-
-WRITE of size 4 at 0x60200024d858 thread T0
-
-    #0 0x55767513791b in stl_he_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357
-
-    #1 0x55767513791b in stl_be_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:464
-
-    #2 0x55767513791b in scsi_handle_inquiry_reply hw/scsi/scsi-generic.c:173
-
-    #3 0x55767513791b in scsi_read_complete hw/scsi/scsi-generic.c:318
-
-    #4 0x55767545d7c6 in blk_aio_complete block/block-backend.c:1425
-
-    #5 0x557675544d79 in coroutine_trampoline util/coroutine-ucontext.c:115
-
-    #6 0x7f611b9f14df  (/lib/x86_64-linux-gnu/libc.so.6+0x5b4df)
-
-0x60200024d858 is located 4 bytes to the right of 4-byte region [0x60200024d850,0x60200024d854)
-
-allocated by thread T0 here:
-
-    #0 0x557674a987f2 in malloc (/sf/bin/qemu-system-x86_64+0x7827f2)
-
-    #1 0x7f6120141d41 in g_malloc (/usr/lib/libglib256-2.0.so.0+0x61d41)
-
-    #2 0x557675137bb4 in scsi_send_command hw/scsi/scsi-generic.c:459
-
-    #3 0x55767513e902 in scsi_req_enqueue hw/scsi/scsi-bus.c:836
-
-    #4 0x557674c5f26e in virtio_scsi_handle_cmd_req_submit /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:589
-
-    #5 0x557674c5f26e in virtio_scsi_handle_cmd_vq /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:634
-
-    #6 0x557674c61089 in virtio_scsi_data_plane_handle_cmd /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi-dataplane.c:60
-
-    #7 0x557674c9a520 in virtio_queue_notify_aio_vq /root/hci/qemu/qemu-5.0.0/hw/virtio/virtio.c:2338
-
-    #8 0x55767552c7c4 in aio_dispatch_handler util/aio-posix.c:328
-
-SUMMARY: AddressSanitizer: heap-buffer-overflow /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357 stl_he_p
-Steps to reproduce:
-1. QEMU Enable ASAN
-2. Use a guest with a Linux kernel version greater than 5.19 and mount an scsi physical device
-3. Upon startup, memory out of bounds access can be detected
-Additional information:
-At present, I have made some simple modifications, but I am not sure if this is the best solution and can serve as a reference.
-
-Make a judgment on buflen, ignore the header information issued by the Linux kernel, and write the VPD information when issuing the actual instruction to obtain VPD information.
-
-hw/scsi/scsi-generic.c:scsi_handle_inquiry_reply
-
-```
-if (r->buflen >= 12) {
-    stl_be_p(&r->buf[8], max_transfer);
-}
-if (r->buflen >= 16){
-    /* Also take care of the opt xfer len. */
-    stl_be_p(&r->buf[12],
-        MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));
-}
-```