RHEL / RHEL-78401

scsi-generic buffer overflow in scsi_handle_inquiry_reply()

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • rhel-9.6
    • rhel-9.2.0.z
    • qemu-kvm / Storage
    • Moderate
    • ZStream
    • rhel-sst-virtualization-storage
    • ssg_virtualization
    • Approved Blocker

      RHEL 9.2 lacks upstream QEMU commit 9bd634b2, which fixed a buffer overflow in scsi-generic. According to the original reporter, the problematic code path is triggered by Linux 6.x guest kernels while booting.

      This was reported as causing a QEMU crash upstream, though when I tried to reproduce, I was lucky enough that it didn't end up causing a crash. The buffer overflow is still visible when running qemu-kvm under valgrind.

      Steps to reproduce

      1. modprobe scsi_debug dev_size_mb=64 num_tgts=1
      2. valgrind --enable-debuginfod=no ./qemu-system-x86_64 -enable-kvm -m 4G -blockdev host_device,filename=/dev/sg0,node-name=sg0 -device virtio-scsi -device scsi-generic,drive=sg0 -cdrom /home/kwolf/images/iso/debian-12.9.0-amd64-netinst.iso
      3. Boot the Linux kernel in the boot menu

      Expected results

      No invalid writes reported

      Actual results

      Three invalid writes are reported, with a backtrace like this:

      ==71930== Invalid write of size 4
      ==71930==    at 0x529079: stl_he_p (include/qemu/bswap.h:307)
      ==71930==    by 0x529079: stl_be_p (include/qemu/bswap.h:384)
      ==71930==    by 0x529079: scsi_handle_inquiry_reply (???:196)
      ==71930==    by 0x528D44: scsi_read_complete (../hw/scsi/scsi-generic.c:349)
      ==71930==    by 0x836756: blk_aio_complete (../block/block-backend.c:1502)
      ==71930==    by 0x836756: blk_aio_ioctl_entry (???:1678)
      ==71930==    by 0x9EE5C5: coroutine_trampoline (../util/coroutine-ucontext.c:177)
      ==71930==    by 0x76B98FF: ??? (__start_context.S:66)
      ==71930==    by 0x1FFEFFEB07: ???
      ==71930==  Address 0x1491a818 is 4 bytes after a block of size 4 alloc'd
      ==71930==    at 0x4843866: malloc (vg_replace_malloc.c:446)
      ==71930==    by 0x5ADD879: g_malloc (gmem.c:100)
      ==71930==    by 0x528475: scsi_send_command (../hw/scsi/scsi-generic.c:490)
      ==71930==    by 0x520F05: scsi_req_enqueue (../hw/scsi/scsi-bus.c:905)
      ==71930==    by 0x6FEB92: virtio_scsi_handle_cmd_req_submit (../hw/scsi/virtio-scsi.c:809)
      ==71930==    by 0x6FEB92: virtio_scsi_handle_cmd_vq (???:852)
      ==71930==    by 0x6FEB92: virtio_scsi_handle_cmd (???:866)
      ==71930==    by 0x718828: virtio_queue_notify_vq (../hw/virtio/virtio.c:2847)
      ==71930==    by 0x718828: virtio_queue_host_notifier_read (???:4127)
      ==71930==    by 0x9D7B8F: aio_dispatch_handler (../util/aio-posix.c:369)
      ==71930==    by 0x9D712B: aio_dispatch_handlers (../util/aio-posix.c:412)
      ==71930==    by 0x9D712B: aio_dispatch (???:422)
      ==71930==    by 0x9EC6EA: aio_ctx_dispatch (../util/async.c:325)
      ==71930==    by 0x5AD6E8B: UnknownInlinedFun (gmain.c:3344)
      ==71930==    by 0x5AD6E8B: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4152)
      ==71930==    by 0x5AD7154: g_main_context_dispatch (gmain.c:4140)
      ==71930==    by 0x9ECEEF: glib_pollfds_poll (../util/main-loop.c:297)
      ==71930==    by 0x9ECEEF: os_host_main_loop_wait (???:320)
      ==71930==    by 0x9ECEEF: main_loop_wait (???:606)
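The valgrind output above pins the defect down fairly precisely: a 4-byte write landing 4 bytes past the end of a 4-byte allocation means the reply buffer was sized by the guest's INQUIRY allocation length (here 4 bytes) while the code stored a 32-bit big-endian field at a fixed offset (here 8) without checking that the field fits. The following C snippet is an added illustration of the defensive pattern, not QEMU's code and not the upstream fix from commit 9bd634b2: `store_be32` re-implements what `stl_be_p` does, `reply_store_be32` adds the missing length check, and the two `demo_*` functions replay a constructed 4-byte reply (the case from the report) and a constructed 64-byte reply. The offsets 8 and 12 and the limit value are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Store a 32-bit value big-endian at buf[off..off+3]. This re-implements
 * what QEMU's stl_be_p() does so the example is self-contained. */
static void store_be32(uint8_t *buf, size_t off, uint32_t v)
{
    buf[off + 0] = (uint8_t)(v >> 24);
    buf[off + 1] = (uint8_t)(v >> 16);
    buf[off + 2] = (uint8_t)(v >> 8);
    buf[off + 3] = (uint8_t)(v);
}

/* Bounds-checked store: refuse the write when the 4-byte field does not fit.
 * `buflen` is the reply length derived from the guest's allocation length, so
 * it is guest-controlled and may be smaller than any fixed field offset. */
static bool reply_store_be32(uint8_t *buf, size_t buflen, size_t off, uint32_t v)
{
    if (off > SIZE_MAX - 4 || off + 4 > buflen) {
        return false;           /* field would overflow the reply buffer */
    }
    store_be32(buf, off, v);
    return true;
}

/* Patch two 4-byte fields at `off_a` and `off_b` into an INQUIRY reply of
 * `buflen` bytes. Returns how many fields were actually written (0, 1 or 2);
 * a short reply simply keeps whatever the device returned. */
static int patch_inquiry_limits(uint8_t *buf, size_t buflen,
                                size_t off_a, size_t off_b, uint32_t limit)
{
    int written = 0;
    written += reply_store_be32(buf, buflen, off_a, limit);
    written += reply_store_be32(buf, buflen, off_b, limit);
    return written;
}

/* Constructed sample matching the valgrind report: the guest asked for only
 * 4 bytes, so the reply buffer is 4 bytes long. Returns 0: both writes rejected. */
int demo_short_reply(void)
{
    uint8_t buf[4] = {0};
    return patch_inquiry_limits(buf, sizeof buf, 8, 12, 0x100000);
}

/* Constructed sample with a full-size reply. Returns 2 and verifies the
 * big-endian encoding of 0x100000 landed at offset 8; -1 on encoding error. */
int demo_full_reply(void)
{
    uint8_t buf[64] = {0};
    int n = patch_inquiry_limits(buf, sizeof buf, 8, 12, 0x100000);
    if (buf[8] != 0x00 || buf[9] != 0x10 || buf[10] != 0x00 || buf[11] != 0x00) {
        return -1;
    }
    return n;
}
```

Running the 4-byte case under valgrind with the unchecked `store_be32` reproduces an "Invalid write of size 4 ... 4 bytes after a block of size 4" report of the same shape as above; with the checked variant the write is skipped and valgrind stays quiet. The check belongs on every fixed-offset store into a buffer whose length the guest chooses, not only on the first one.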
      

              Assignee/Reporter: virt-maint; Kevin Wolf (kwolf@redhat.com); virt-bugs
              Votes: 0
              Watchers: 7