panda
[Security] some vulnerability is caused by qemu code
Hi, our tool has found that this repo reuses some of the qemu code and retains some unfixed CVEs. Some of these are as follows:

- The `usb_mtp_object_readdir` and `usb_mtp_get_object` functions in the file hw/usb/dev-mtp.c share similarity with CVE-2018-16872; the fix is https://github.com/qemu/qemu/commit/bab9df35ce73d1c8e19a37e2737717ea1c984dc1
- The `mode_sense_page` function in the file hw/scsi/scsi-disk.c shares similarity with CVE-2021-3930; the fix is https://github.com/qemu/qemu/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
- The `megasas_pd_get_info_submit`, `megasas_ld_get_info_submit` and `megasas_command_complete` functions in the file hw/scsi/megasas.c share similarity with CVE-2017-9503; the fix is https://github.com/qemu/qemu/commit/87e459a810d7b1ec1638085b5a80ea3d9b43119a
- The `mptsas_free_request`, `mptsas_process_scsi_io_request` and `mptsas_scsi_realize` functions in the file hw/scsi/mptsas.c share similarity with CVE-2021-3392; the fix is https://github.com/qemu/qemu/commit/3791642c8d60029adf9b00bcb4e34d7d8a1aea4d

We have preliminarily verified the correctness of the above list through static analysis. Could you help check whether these bugs are real? If they are, please try to fix them, or I'd like to open a PR for that if necessary. Thank you for your effort and patience!
We're a fork of qemu from like 10 years ago without a dedicated development team so we know there are lots of unfixed qemu bugs present in PANDA. If you want to open PRs for any of these, we'd be happy to merge.