1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
Memory out of bounds access vulnerability when guest accesses Block Limits information of SCSI devices
Description of problem:
When a guest uses a Linux kernel version 5.19 or higher and uses an scsi device, there will be a memory access violation, which can be clearly seen when ASAN is turned on.
**reason:**
Linux kernel 5.19 merge commit:
https://github.com/torvalds/linux/commit/c92a6b5d63359dd6d2ce6ea88ecd8e31dd769f6b
The Linux kernel will first issue a header request to obtain the VPD length before obtaining the VPD information. The BUF for obtaining the VPD length is less than 8 bytes. However, QEMU regards the header for obtaining the VPD length as obtaining all VPD information, and a memory access violation occurs when writing information to BUF.
The specific memory out of bounds information is as follows:
==12430==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
==12430==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top:
0x7fffebc1d000; bottom 0x7f61115ee000; size: 0x009eda62f000 (682268749824)
False positive error reports may follow
==12430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200024d858 at pc 0x55767513791c bp 0x7f6111fcddc0 sp 0x7f6111fcddb0
WRITE of size 4 at 0x60200024d858 thread T0
#0 0x55767513791b in stl_he_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357
#1 0x55767513791b in stl_be_p /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:464
#2 0x55767513791b in scsi_handle_inquiry_reply hw/scsi/scsi-generic.c:173
#3 0x55767513791b in scsi_read_complete hw/scsi/scsi-generic.c:318
#4 0x55767545d7c6 in blk_aio_complete block/block-backend.c:1425
#5 0x557675544d79 in coroutine_trampoline util/coroutine-ucontext.c:115
#6 0x7f611b9f14df (/lib/x86_64-linux-gnu/libc.so.6+0x5b4df)
0x60200024d858 is located 4 bytes to the right of 4-byte region [0x60200024d850,0x60200024d854)
allocated by thread T0 here:
#0 0x557674a987f2 in malloc (/sf/bin/qemu-system-x86_64+0x7827f2)
#1 0x7f6120141d41 in g_malloc (/usr/lib/libglib256-2.0.so.0+0x61d41)
#2 0x557675137bb4 in scsi_send_command hw/scsi/scsi-generic.c:459
#3 0x55767513e902 in scsi_req_enqueue hw/scsi/scsi-bus.c:836
#4 0x557674c5f26e in virtio_scsi_handle_cmd_req_submit /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:589
#5 0x557674c5f26e in virtio_scsi_handle_cmd_vq /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi.c:634
#6 0x557674c61089 in virtio_scsi_data_plane_handle_cmd /root/hci/qemu/qemu-5.0.0/hw/scsi/virtio-scsi-dataplane.c:60
#7 0x557674c9a520 in virtio_queue_notify_aio_vq /root/hci/qemu/qemu-5.0.0/hw/virtio/virtio.c:2338
#8 0x55767552c7c4 in aio_dispatch_handler util/aio-posix.c:328
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/hci/qemu/qemu-5.0.0/include/qemu/bswap.h:357 stl_he_p
Steps to reproduce:
1. QEMU Enable ASAN
2. Use a guest with a Linux kernel version greater than 5.19 and mount an scsi physical device
3. Upon startup, memory out of bounds access can be detected
Additional information:
At present, I have made some simple modifications, but I am not sure if this is the best solution and can serve as a reference.
Make a judgment on buflen, ignore the header information issued by the Linux kernel, and write the VPD information when issuing the actual instruction to obtain VPD information.
hw/scsi/scsi-generic.c:scsi_handle_inquiry_reply
```
if (r->buflen >= 12) {
stl_be_p(&r->buf[8], max_transfer);
}
if (r->buflen >= 16){
/* Also take care of the opt xfer len. */
stl_be_p(&r->buf[12],
MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));
}
```
|