From: Thomas Huth <1844635@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1844635] Re: qemu bug where load linux kernel
Date: Tue, 12 May 2020 05:27:49 -0000
Message-ID: <158926127020.5900.10563999453315283792.launchpad@soybean.canonical.com>
In-Reply-To: 156888216450.5144.14810121266968903921.malonedeb@chaenomeles.canonical.com

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1844635

Title:
  qemu bug where load linux kernel

Status in QEMU:
  Fix Released

Bug description:
  I found a QEMU bug when QEMU starts and parses the kernel file.

  This vulnerability can be exploited.

  thanks

  /****

  
  (gdb) set args -nodefaults -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none -serial stdio -device pci-testdev -machine accel=kvm -m 2048  -smp 2 -cpu host -machine kernel_irqchip=split -kernel poc1
  (gdb) r
  Starting program: /usr/bin/qemu-system-x86_64 -nodefaults -device pc-testdev -device isa-debug-exit,iobase=0xf4,iosize=0x4 -vnc none -serial stdio -device pci-testdev -machine accel=kvm -m 2048  -smp 2 -cpu host -machine kernel_irqchip=split -kernel ./poc/poc1
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  [New Thread 0x7fffe9a03700 (LWP 30066)]
  [New Thread 0x7fffe9202700 (LWP 30068)]
  [New Thread 0x7fffe8a01700 (LWP 30069)]

  Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
  249	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
  (gdb) bt
  #0  0x00007ffff2390b1f in __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
  #1  0x00005555559ebdcf in rom_copy ()
  #2  0x00005555558dd1b3 in load_multiboot ()
  #3  0x00005555558de1c3 in  ()
  #4  0x00005555558e19d1 in pc_memory_init ()
  #5  0x00005555558e4ee3 in  ()
  #6  0x00005555559e8500 in machine_run_board_init ()
  #7  0x0000555555834959 in main ()
  (gdb) c
  Continuing.
  Couldn't get registers: No such process.
  Couldn't get registers: No such process.
  (gdb) [Thread 0x7fffe8a01700 (LWP 30069) exited]
  [Thread 0x7fffe9202700 (LWP 30068) exited]
  [Thread 0x7fffe9a03700 (LWP 30066) exited]

  Program terminated with signal SIGSEGV, Segmentation fault.
  The program no longer exists.

  ***/

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1844635/+subscriptions
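The backtrace above places the fault in rom_copy() called from load_multiboot(): a memmove whose source offset or length was derived from the header of the file passed with -kernel. The report does not say which header field was at fault, so the example below does not claim to reproduce the QEMU bug. It is an added, self-contained C illustration (not QEMU code) of the range checks a Multiboot a.out-kludge loader has to apply to header_addr, load_addr, load_end_addr and bss_end_addr before it copies anything, exercised against constructed images rather than a real kernel. The mb_* names, the numeric error codes, the constructed images and the 2 MiB "guest RAM" buffer are assumptions of this example; the header layout and the load_addr <= header_addr rule are from the Multiboot 1 specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MB_MAGIC        0x1BADB002u
#define MB_AOUT_KLUDGE  (1u << 16)   /* header flag: the a.out address fields are valid */
#define MB_SEARCH_LIMIT 8192u        /* spec: the header lies within the first 8 KiB */

struct mb_image {
    uint32_t load_addr, entry_addr;  /* guest physical addresses */
    size_t file_off, file_len;       /* bytes to copy out of the image file */
    size_t mem_len;                  /* text+data+bss footprint in guest RAM */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate and validate an a.out-kludge Multiboot header. 0 = accepted, negative = rejected. */
int mb_parse(const uint8_t *img, size_t img_len, struct mb_image *out)
{
    size_t limit = img_len < MB_SEARCH_LIMIT ? img_len : MB_SEARCH_LIMIT, hoff;
    for (hoff = 0; hoff + 12 <= limit; hoff += 4) {
        uint32_t m = rd32(img + hoff), f = rd32(img + hoff + 4), c = rd32(img + hoff + 8);
        if (m == MB_MAGIC && m + f + c == 0)
            break;
    }
    if (hoff + 12 > limit)                        return -1;  /* no header found */
    if (!(rd32(img + hoff + 4) & MB_AOUT_KLUDGE)) return -2;  /* ELF image: out of scope here */
    if (hoff + 32 > img_len)                      return -3;  /* kludge fields run past EOF */

    uint32_t header_addr = rd32(img + hoff + 12), load_addr = rd32(img + hoff + 16);
    uint32_t load_end = rd32(img + hoff + 20), bss_end = rd32(img + hoff + 24);
    uint32_t entry = rd32(img + hoff + 28);

    /* The file offset of the text segment is derived from header_addr - load_addr. Both
       values come from the untrusted image, so every subtraction below is range-checked. */
    if (load_addr > header_addr)                  return -4;  /* spec: load_addr <= header_addr */
    uint32_t delta = header_addr - load_addr;
    if (delta > hoff)                             return -5;  /* segment would start before the file */
    size_t file_off = hoff - delta, avail = img_len - file_off;

    if (load_end == 0) {                                      /* 0 means "up to end of file" */
        if (avail > UINT32_MAX - load_addr)       return -6;
        load_end = load_addr + (uint32_t)avail;
    } else if (load_end < load_addr)              return -6;
    size_t file_len = load_end - load_addr;
    if (file_len > avail)                         return -7;  /* copy would read past EOF */

    if (bss_end == 0) bss_end = load_end;
    else if (bss_end < load_end)                  return -8;
    if (entry < load_addr || entry >= load_end)   return -9;  /* entry outside the loaded text */

    out->load_addr = load_addr; out->entry_addr = entry;
    out->file_off = file_off;   out->file_len = file_len;
    out->mem_len = bss_end - load_addr;
    return 0;
}

/* Copy the validated segment into a guest-RAM buffer, refusing any placement that does not fit. */
int mb_load(const uint8_t *img, const struct mb_image *mi, uint8_t *ram, size_t ram_size)
{
    if ((uint64_t)mi->load_addr + mi->mem_len > ram_size) return -1;
    memcpy(ram + mi->load_addr, img + mi->file_off, mi->file_len);
    memset(ram + mi->load_addr + mi->file_len, 0, mi->mem_len - mi->file_len);   /* zero the bss */
    return 0;
}

/* Constructed test image: `pad` filler bytes, a 32-byte kludge header, then `body` bytes of NOPs. */
size_t mb_build(uint8_t *buf, size_t pad, uint32_t header_addr, uint32_t load_addr,
                uint32_t load_end, uint32_t bss_end, uint32_t entry, size_t body)
{
    uint32_t flags = MB_AOUT_KLUDGE;
    uint8_t *h = buf + pad;
    memset(buf, 0, pad);
    wr32(h, MB_MAGIC); wr32(h + 4, flags); wr32(h + 8, 0u - (MB_MAGIC + flags));  /* checksum */
    wr32(h + 12, header_addr); wr32(h + 16, load_addr); wr32(h + 20, load_end);
    wr32(h + 24, bss_end); wr32(h + 28, entry);
    memset(h + 32, 0x90, body);
    return pad + 32 + body;
}

/* Well-formed image: 16 bytes of padding, 64-byte body, 16 bytes of bss, loaded at 1 MiB.
   Returns 0 when every derived field matches the layout and the load into 2 MiB of RAM succeeds. */
int check_good_image(void)
{
    static uint8_t img[256], ram[2u << 20];
    size_t n = mb_build(img, 16, 0x100010, 0x100000, 0x100070, 0x100080, 0x100030, 64);
    struct mb_image mi;
    if (mb_parse(img, n, &mi) != 0)                                   return 1;
    if (mi.file_off != 0 || mi.file_len != 112 || mi.mem_len != 128)  return 2;
    if (mi.entry_addr != 0x100030)                                    return 3;
    if (mb_load(img, &mi, ram, sizeof ram) != 0)                      return 4;
    if (ram[0x100030] != 0x90 || ram[0x100078] != 0)                  return 5;
    return 0;
}

/* Malformed images (constructed); each returns mb_parse's verdict so the rejection reason is visible. */
int check_malformed(int variant)
{
    static uint8_t img[256];
    struct mb_image mi;
    size_t n;
    switch (variant) {
    case 0: /* load_addr above header_addr */
        n = mb_build(img, 16, 0x100000, 0x100010, 0x100070, 0x100080, 0x100030, 64); break;
    case 1: /* header_addr - load_addr larger than the header's offset in the file */
        n = mb_build(img, 16, 0x100100, 0x100000, 0x100170, 0x100180, 0x100130, 64); break;
    case 2: /* load_end_addr far past the end of the file: the memmove length that would follow */
        n = mb_build(img, 16, 0x100010, 0x100000, 0xfffffff0, 0, 0x100030, 64); break;
    default:
        return 99;
    }
    return mb_parse(img, n, &mi);
}

int main(void)
{
    printf("well-formed image: %d (0 = accepted and loaded)\n", check_good_image());
    for (int v = 0; v < 3; v++)
        printf("malformed variant %d rejected with %d\n", v, check_malformed(v));
    return 0;
}
```

Build with `cc -std=c99 -Wall mb_check.c` and run it; the point of the design is that every value that feeds the final memcpy (file_off, file_len, mem_len) is computed only after the header fields have been checked against the real file length and against each other, so a crafted header cannot turn the copy into an out-of-bounds read of the image or write past the guest RAM buffer.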

