summary refs log tree commit diff stats
path: root/results/classifier/zero-shot/108/other/1654
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/zero-shot/108/other/1654')
-rw-r--r--results/classifier/zero-shot/108/other/165496
1 files changed, 96 insertions, 0 deletions
diff --git a/results/classifier/zero-shot/108/other/1654 b/results/classifier/zero-shot/108/other/1654
new file mode 100644
index 000000000..9420c0766
--- /dev/null
+++ b/results/classifier/zero-shot/108/other/1654
@@ -0,0 +1,96 @@
+vnc: 0.832
+other: 0.814
+KVM: 0.803
+graphic: 0.785
+device: 0.784
+socket: 0.761
+performance: 0.740
+debug: 0.713
+permissions: 0.706
+semantic: 0.703
+PID: 0.677
+files: 0.663
+network: 0.608
+boot: 0.600
+
+Memory out of bounds access vulnerability when guest accesses Block Limits information of SCSI devices
+Description of problem:
+When a guest uses a Linux kernel version 5.19 or higher and uses an scsi device, there will be a memory access violation, which can be clearly seen when ASAN is turned on.
+
+**reason:**
+Linux kernel 5.19 merge commit:
+
+https://github.com/torvalds/linux/commit/c92a6b5d63359dd6d2ce6ea88ecd8e31dd769f6b
+
+The Linux kernel will first issue a header request to obtain the VPD length before obtaining the VPD information. The BUF for obtaining the VPD length is less than 8 bytes. However, QEMU regards the header for obtaining the VPD length as obtaining all VPD information, and a memory access violation occurs when writing information to BUF.
+
+The specific memory out of bounds information is as follows:
+==12430==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+
+==12430==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 
+0x7fffebc1d000; bottom 0x7f61115ee000; size: 0x009eda62f000 (682268749824)
+
+False positive error reports may follow
+
+==12430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200024d858 at pc 0x55767513791c bp 0x7f6111fcddc0 sp 0x7f6111fcddb0
+
+WRITE of size 4 at 0x60200024d858 thread T0
+
+    #0 0x55767513791b in stl_he_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357
+
+    #1 0x55767513791b in stl_be_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:464
+
+    #2 0x55767513791b in scsi_handle_inquiry_reply hw/scsi/scsi-generic.c:173
+
+    #3 0x55767513791b in scsi_read_complete hw/scsi/scsi-generic.c:318
+
+    #4 0x55767545d7c6 in blk_aio_complete block/block-backend.c:1425
+
+    #5 0x557675544d79 in coroutine_trampoline util/coroutine-ucontext.c:115
+
+    #6 0x7f611b9f14df  (/lib/x86_64-linux-gnu/libc.so.6+0x5b4df)
+
+0x60200024d858 is located 4 bytes to the right of 4-byte region [0x60200024d850,0x60200024d854)
+
+allocated by thread T0 here:
+
+    #0 0x557674a987f2 in malloc (/sf/bin/qemu-system-x86_64+0x7827f2)
+
+    #1 0x7f6120141d41 in g_malloc (/usr/lib/libglib256-2.0.so.0+0x61d41)
+
+    #2 0x557675137bb4 in scsi_send_command hw/scsi/scsi-generic.c:459
+
+    #3 0x55767513e902 in scsi_req_enqueue hw/scsi/scsi-bus.c:836
+
+    #4 0x557674c5f26e in virtio_scsi_handle_cmd_req_submit /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:589
+
+    #5 0x557674c5f26e in virtio_scsi_handle_cmd_vq /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:634
+
+    #6 0x557674c61089 in virtio_scsi_data_plane_handle_cmd /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi-dataplane.c:60
+
+    #7 0x557674c9a520 in virtio_queue_notify_aio_vq /root/hci/qemu/qemu-5.0.0/hw/virtio/virtio.c:2338
+
+    #8 0x55767552c7c4 in aio_dispatch_handler util/aio-posix.c:328
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357 stl_he_p
+Steps to reproduce:
+1. QEMU Enable ASAN
+2. Use a guest with a Linux kernel version greater than 5.19 and mount an scsi physical device
+3. Upon startup, memory out of bounds access can be detected
+Additional information:
+At present, I have made some simple modifications, but I am not sure if this is the best solution and can serve as a reference.
+
+Make a judgment on buflen, ignore the header information issued by the Linux kernel, and write the VPD information when issuing the actual instruction to obtain VPD information.
+
+hw/scsi/scsi-generic.c:scsi_handle_inquiry_reply
+
+```
+if (r->buflen >= 12) {
+    stl_be_p(&r->buf[8], max_transfer);
+}
+if (r->buflen >= 16){
+    /* Also take care of the opt xfer len. */
+    stl_be_p(&r->buf[12],
+        MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));
+}
+```