Memory out of bounds access vulnerability when guest accesses Block Limits information of SCSI devices Description of problem: When a guest uses a Linux kernel version 5.19 or higher and uses an scsi device, there will be a memory access violation, which can be clearly seen when ASAN is turned on. **reason:** Linux kernel 5.19 merge commit: https://github.com/torvalds/linux/commit/c92a6b5d63359dd6d2ce6ea88ecd8e31dd769f6b The Linux kernel will first issue a header request to obtain the VPD length before obtaining the VPD information. The BUF for obtaining the VPD length is less than 8 bytes. However, QEMU regards the header for obtaining the VPD length as obtaining all VPD information, and a memory access violation occurs when writing information to BUF. The specific memory out of bounds information is as follows: ==12430==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! ==12430==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7fffebc1d000; bottom 0x7f61115ee000; size: 0x009eda62f000 (682268749824) False positive error reports may follow ==12430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200024d858 at pc 0x55767513791c bp 0x7f6111fcddc0 sp 0x7f6111fcddb0 WRITE of size 4 at 0x60200024d858 thread T0 #0 0x55767513791b in stl_he_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357 #1 0x55767513791b in stl_be_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:464 #2 0x55767513791b in scsi_handle_inquiry_reply hw/scsi/scsi-generic.c:173 #3 0x55767513791b in scsi_read_complete hw/scsi/scsi-generic.c:318 #4 0x55767545d7c6 in blk_aio_complete block/block-backend.c:1425 #5 0x557675544d79 in coroutine_trampoline util/coroutine-ucontext.c:115 #6 0x7f611b9f14df (/lib/x86_64-linux-gnu/libc.so.6+0x5b4df) 0x60200024d858 is located 4 bytes to the right of 4-byte region [0x60200024d850,0x60200024d854) allocated by thread T0 here: #0 0x557674a987f2 in malloc (/sf/bin/qemu-system-x86_64+0x7827f2) #1 0x7f6120141d41 in g_malloc (/usr/lib/libglib256-2.0.so.0+0x61d41) #2 0x557675137bb4 in scsi_send_command hw/scsi/scsi-generic.c:459 #3 0x55767513e902 in scsi_req_enqueue hw/scsi/scsi-bus.c:836 #4 0x557674c5f26e in virtio_scsi_handle_cmd_req_submit /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:589 #5 0x557674c5f26e in virtio_scsi_handle_cmd_vq /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:634 #6 0x557674c61089 in virtio_scsi_data_plane_handle_cmd /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi-dataplane.c:60 #7 0x557674c9a520 in virtio_queue_notify_aio_vq /root/hci/qemu/qemu-5.0.0/hw/virtio/virtio.c:2338 #8 0x55767552c7c4 in aio_dispatch_handler util/aio-posix.c:328 SUMMARY: AddressSanitizer: heap-buffer-overflow /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357 stl_he_p Steps to reproduce: 1. QEMU Enable ASAN 2. Use a guest with a Linux kernel version greater than 5.19 and mount an scsi physical device 3. Upon startup, memory out of bounds access can be detected Additional information: At present, I have made some simple modifications, but I am not sure if this is the best solution and can serve as a reference. Make a judgment on buflen, ignore the header information issued by the Linux kernel, and write the VPD information when issuing the actual instruction to obtain VPD information. hw/scsi/scsi-generic.c:scsi_handle_inquiry_reply ``` if (r->buflen >= 12) { stl_be_p(&r->buf[8], max_transfer); } if (r->buflen >= 16){ /* Also take care of the opt xfer len. */ stl_be_p(&r->buf[12], MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12]))); } ```