* Guest-induced heap overrun
@ 2010-05-18 16:10 Andrew Lutomirski
From: Andrew Lutomirski @ 2010-05-18 16:10 UTC (permalink / raw)
  To: kvm

There's a bug in the VNC code that overruns the heap whenever the
horizontal resolution isn't a multiple of 16.  Here's how to trigger
it:

Step 1: build a linux kernel with CONFIG_FB_VESA=y.  The one you're
running right now probably works.
Step 2: <qemu-kvm binary> -vga std -kernel bzImage -append 'vga=898' -vnc localhost:2
Step 3: Connect and disconnect VNC a few times.

This can also be triggered on Windows, etc.  I can't trigger it on
upstream qemu because 1400x1050 isn't listed, cirrusfb is too broken
to force that mode, and vmwgfx seems to be even more broken right now.
(I'm way too lazy to make an image containing X just for this.)

This bug is present in F13 and in Avi's tree from a week or so ago.  I
can't test the latest -git because that one segfaults instantly no
matter what I do.

I'll leave the actual exploit as an exercise to the reader.  I'm
emailing here because the bug is easiest to trigger in qemu-kvm and
because both Red Hat / Fedora and upstream qemu have been ignoring a
security bug for over two weeks.

See:
https://bugs.launchpad.net/qemu/+bug/575887  (Upstream bug)
https://bugzilla.redhat.com/show_bug.cgi?id=583850  (Fedora bug)

--Andy
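The message only gives the symptom (a heap overrun whenever the horizontal resolution is not a multiple of 16) and leaves the mechanism out. The example below is added here and is not code from the message or from QEMU; it assumes, as the "multiple of 16" symptom suggests, that the display is tracked in 16-pixel tiles, and illustrates the general defect class rather than reconstructing the actual bug: a tile count computed by truncating division (1400 / 16 = 87) covers only 1392 pixels, so a full-width update touches one tile more than was allocated. The hardened version rounds the tile count up and bounds-checks every tile index against both the framebuffer width and the allocation, which is the check a reviewer would look for when auditing this code path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed tile width. The "multiple of 16" symptom in the report suggests a
 * 16-pixel granularity; this is an illustration, not the QEMU source. */
#define TILE_PX 16

/* Truncating division drops the partial tile at the right edge:
 * 1400 / 16 = 87 tiles, covering only 1392 of the 1400 pixels. */
size_t tiles_truncated(size_t width_px)
{
    return width_px / TILE_PX;
}

/* Ceiling division allocates a tile for the remainder: 1400 -> 88. */
size_t tiles_rounded_up(size_t width_px)
{
    return (width_px + TILE_PX - 1) / TILE_PX;
}

/* Pixels at the right edge that a truncated tile count leaves uncovered;
 * nonzero means per-tile buffers sized that way are too small. */
size_t uncovered_pixels(size_t width_px)
{
    return width_px - tiles_truncated(width_px) * TILE_PX;
}

/* Per-row dirty-tile map with its capacity recorded alongside the data. */
typedef struct {
    size_t width_px;   /* framebuffer width the map is supposed to cover */
    size_t ntiles;     /* entries actually allocated */
    uint8_t *dirty;    /* one byte per tile */
} tilemap_t;

/* The caller chooses ntiles so both sizing policies can be compared. */
bool tilemap_init(tilemap_t *tm, size_t width_px, size_t ntiles)
{
    tm->width_px = width_px;
    tm->ntiles = ntiles;
    tm->dirty = calloc(ntiles ? ntiles : 1, 1);
    return tm->dirty != NULL;
}

void tilemap_free(tilemap_t *tm)
{
    free(tm->dirty);
    tm->dirty = NULL;
    tm->ntiles = 0;
}

/* Mark the tiles covering pixels [x, x + w). Returns the number of tiles
 * marked, or -1 if the span lies outside the framebuffer or outside the
 * allocation. Without the ntiles check, a map sized by tiles_truncated()
 * would be written one entry past its end on a full-width update. */
int tilemap_mark(tilemap_t *tm, size_t x, size_t w)
{
    if (w == 0 || x + w < x || x + w > tm->width_px)
        return -1;                       /* empty, wrapped, or past the edge */
    size_t first = x / TILE_PX;
    size_t last = (x + w - 1) / TILE_PX; /* inclusive */
    if (last >= tm->ntiles)
        return -1;                       /* allocation smaller than the width */
    for (size_t t = first; t <= last; t++)
        tm->dirty[t] = 1;
    return (int)(last - first + 1);
}

int main(void)
{
    /* Constructed widths: the 1400x1050 mode from the report and a 16-aligned one. */
    size_t widths[] = { 1400, 1024 };
    for (size_t i = 0; i < 2; i++) {
        printf("width %zu: truncated %zu tiles, rounded up %zu tiles, %zu px uncovered\n",
               widths[i], tiles_truncated(widths[i]), tiles_rounded_up(widths[i]),
               uncovered_pixels(widths[i]));
    }
    return 0;
}
```

A full-width update on a map sized by `tiles_truncated()` is rejected by the capacity check instead of writing past the allocation; sizing by `tiles_rounded_up()` makes the same update succeed, and the width check still refuses spans that run past pixel 1400 even though a tile for them exists.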
