CVE-2024-49863

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()<br /> <br /> Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code<br /> from control queue handler") a null pointer dereference bug can be<br /> triggered when guest sends an SCSI AN request.<br /> <br /> In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with<br /> `&amp;v_req.tmf.lun[1]` within a switch-case block and is then passed to<br /> vhost_scsi_get_req() which extracts `vc-&gt;req` and `tpg`. However, for<br /> a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is<br /> set to NULL in this branch. Later, in vhost_scsi_get_req(),<br /> `vc-&gt;target` is dereferenced without being checked, leading to a null<br /> pointer dereference bug. This bug can be triggered from guest.<br /> <br /> When this bug occurs, the vhost_worker process is killed while holding<br /> `vq-&gt;mutex` and the corresponding tpg will remain occupied<br /> indefinitely.<br /> <br /> Below is the KASAN report:<br /> Oops: general protection fault, probably for non-canonical address<br /> 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br /> CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1<br /> Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS<br /> 1.16.3-debian-1.16.3-2 04/01/2014<br /> RIP: 0010:vhost_scsi_get_req+0x165/0x3a0<br /> Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00<br /> 48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 b6<br /> 04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00<br /> RSP: 0018:ffff888017affb50 EFLAGS: 00010246<br /> RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8<br /> RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000<br /> FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0<br /> Call Trace:<br /> <br /> ? show_regs+0x86/0xa0<br /> ? die_addr+0x4b/0xd0<br /> ? exc_general_protection+0x163/0x260<br /> ? asm_exc_general_protection+0x27/0x30<br /> ? vhost_scsi_get_req+0x165/0x3a0<br /> vhost_scsi_ctl_handle_vq+0x2a4/0xca0<br /> ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10<br /> ? __switch_to+0x721/0xeb0<br /> ? __schedule+0xda5/0x5710<br /> ? __kasan_check_write+0x14/0x30<br /> ? _raw_spin_lock+0x82/0xf0<br /> vhost_scsi_ctl_handle_kick+0x52/0x90<br /> vhost_run_work_list+0x134/0x1b0<br /> vhost_task_fn+0x121/0x350<br /> ...<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Let&amp;#39;s add a check in vhost_scsi_get_req.<br /> <br /> [whitespace fixes]