XSA-65: qemu SCSI REPORT LUNS buffer overflow

Xen Project security advisory, xenbits.xen.org
Published: 2013-10-02 15:00:00

CVSS v2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: Local
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

EPSS: 0.0004 (Low), percentile 5.2%

ISSUE DESCRIPTION

qemu contains a possible buffer overflow in the SCSI code that implements the REPORT LUNS command. The buffer can be overflowed by creating a SCSI controller with more than 256 attached devices (such as disks) and sending a REPORT LUNS command with a short transfer buffer (less than 2056 bytes).
Xen systems do not use the qemu SCSI code by default.
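The 2056-byte figure above follows from the REPORT LUNS reply layout: an 8-byte header (whose first four bytes carry the total LUN list length) followed by one 8-byte entry per device, so 256 devices fill exactly 8 + 256 * 8 = 2056 bytes and a fixed buffer of that size is exceeded as soon as a 257th device is added. The following C program is an added illustration written for this page; it is not qemu's or the Xen Project's code. It shows an encoder that bounds its writes by the capacity of the output buffer rather than by the device count, and checks with a canary byte that a 300-device reply squeezed into a 2056-byte buffer stops at the 256th entry. The function names and the constructed LUN list are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* REPORT LUNS reply layout (SPC-3): an 8-byte header whose first 4 bytes
 * hold the LUN list length in bytes (big-endian), then one 8-byte entry per
 * device.  256 devices therefore need 8 + 256 * 8 = 2056 bytes. */
#define REPORT_LUNS_HDR_LEN   8u
#define REPORT_LUNS_ENTRY_LEN 8u

/* Bytes a complete reply for n_devices needs. */
size_t report_luns_required_len(size_t n_devices)
{
    return REPORT_LUNS_HDR_LEN + n_devices * REPORT_LUNS_ENTRY_LEN;
}

/* Hypothetical hardened encoder (not qemu's code).  Writes the reply for
 * lun_ids[0..n_devices) into out, never past out_cap bytes, and returns the
 * number of bytes written.  The header still advertises the full list
 * length, so an initiator whose transfer buffer was too short can learn the
 * real size and retry with a larger one. */
size_t encode_report_luns(const uint16_t *lun_ids, size_t n_devices,
                          uint8_t *out, size_t out_cap)
{
    size_t full_list_len = n_devices * REPORT_LUNS_ENTRY_LEN;
    size_t pos, i;

    if (out_cap < REPORT_LUNS_HDR_LEN)
        return 0; /* not even the header fits */

    memset(out, 0, REPORT_LUNS_HDR_LEN);
    out[0] = (uint8_t)(full_list_len >> 24);
    out[1] = (uint8_t)(full_list_len >> 16);
    out[2] = (uint8_t)(full_list_len >> 8);
    out[3] = (uint8_t)(full_list_len);

    /* The loop is bounded by the buffer, not by n_devices: this is the
     * check whose absence lets a fixed 2056-byte buffer overflow once a
     * 257th device is attached. */
    pos = REPORT_LUNS_HDR_LEN;
    for (i = 0; i < n_devices; i++) {
        if (pos + REPORT_LUNS_ENTRY_LEN > out_cap)
            break;
        /* Single-level peripheral addressing: LUN in bytes 0-1, rest zero. */
        memset(out + pos, 0, REPORT_LUNS_ENTRY_LEN);
        out[pos + 0] = (uint8_t)(lun_ids[i] >> 8);
        out[pos + 1] = (uint8_t)(lun_ids[i]);
        pos += REPORT_LUNS_ENTRY_LEN;
    }
    return pos;
}

/* Reads the advertised LUN list length back out of a reply header. */
uint32_t report_luns_list_len(const uint8_t *reply)
{
    return ((uint32_t)reply[0] << 24) | ((uint32_t)reply[1] << 16) |
           ((uint32_t)reply[2] << 8) | (uint32_t)reply[3];
}

/* Encodes n_devices constructed LUNs (ids 0..n-1) into a buf_len-byte buffer
 * guarded by a canary byte.  Returns the bytes written, or -1 if the canary
 * was clobbered or the header misreports the list length. */
long bounded_encode_len(size_t n_devices, size_t buf_len)
{
    uint16_t *luns = malloc(n_devices * sizeof *luns);
    uint8_t *storage = malloc(buf_len + 1); /* last byte is the canary */
    long result = -1;
    size_t i, written;

    if (!luns || !storage)
        goto out;
    for (i = 0; i < n_devices; i++)
        luns[i] = (uint16_t)i;
    storage[buf_len] = 0xA5;

    written = encode_report_luns(luns, n_devices, storage, buf_len);
    if (storage[buf_len] == 0xA5 &&
        (written == 0 ||
         report_luns_list_len(storage) == n_devices * REPORT_LUNS_ENTRY_LEN))
        result = (long)written;
out:
    free(luns);
    free(storage);
    return result;
}

int main(void)
{
    /* 300 devices need 2408 bytes; a 2056-byte buffer takes the header plus
     * exactly 256 entries and the remaining 44 entries are never written. */
    printf("required %zu bytes, written %ld\n",
           report_luns_required_len(300), bounded_encode_len(300, 2056));
    return 0;
}
```

The defensive point is the second loop condition: the number of entries copied is decided by the space actually available, and the buffer itself should be sized from `report_luns_required_len()` for the configured device count rather than from a constant chosen for 256 devices.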

IMPACT

On Xen systems where the device_model_args (or equivalent) parameters have been used to configure a SCSI controller for a guest, with more than 256 devices, a malicious guest might be able to escalate its privilege to that of the qemu process in the host (typically root).

VULNERABLE SYSTEMS

Only Xen systems whose administrators have deliberately configured HVM guests to have emulated SCSI controllers, and where those guests are provided with more than 256 devices, are vulnerable.
We are not aware of any such systems.
