From: Launchpad Bug Tracker <1525123@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [Bug 1525123] Re: USB assert failure on hcd-uhci.c
Date: Sun, 27 Jan 2019 04:17:34 -0000	[thread overview]
Message-ID: <154856265432.21534.1946367695365825954.malone@loganberry.canonical.com> (raw)
In-Reply-To: 20151211084346.25665.93589.malonedeb@gac.canonical.com

[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1525123

Title:
  USB assert failure on hcd-uhci.c

Status in QEMU:
  Expired

Bug description:
  When inserting the attached kernel module in the guest OS, QEMU quits
  with this assert failure:

  [insert kernel module in guest root shell]
  root@qemu:~# insmod mymod.ko
  root@qemu:~#
  Connection closed by foreign host.

  [host message]
  qemu-system-x86_64: hw/usb/core.c:718: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
  Aborted

  The direct cause of this bug is due to misimplementation of UHCI.
  According to Intel's UHCI design guide, the packet identification in a transfer descriptor must be one of these three values: IN (69h), OUT (E1h), and SETUP (2Dh). Any other value in this field must cause the HALT of only the HOST CONTROLLER.

  However, due to misimplementation in uhci_handle_td, instead of host
  controller being halted, QEMU itself dies with assertion failure. The
  assertion code is in usb_ep_get():718, which is called during
  uhci_handle_td().

  Another issue resides in uhci_handle_td(). This function must check
  that transfer descriptor's pid is one of IN, OUT, SETUP before calling
  usb_ep_get() or other functions. If it does so, usb_ep_get() only
  needs to check if pid is not SETUP.

  This kind of assert failure can be misused by malware to avoid being
  analyzed by terminating only in virtual environments while still
  executing the malicious code on real machines.

  [How to run exploit code]
  Prepare the Linux kernel's source headers, then type these lines in a root shell.
  # make
  # insmod mymod.ko

  It needs uhci-hcd.h from the Linux kernel source.
  I attached Linux 3.18.24's uhci-hcd.h as a temporary measure; you should get the proper version of uhci-hcd.h.
  In the following environment, this exploit worked, exiting the whole QEMU process, not only the USB controller.

  QEMU was running in this environment:
  [CPU model] Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
  [qemu version] QEMU 2.5.0-rc3 (compiled from source, gcc 4.8.4)
  [host info] Ubuntu 14.04.3, x86_64, 3.19.0-32-generic
  [guest info] Ubuntu 14.04.3, x86_64, 3.19.0-28-generic
  [QEMU argument]
  x86_64-softmmu/qemu-system-x86_64 -hda /media/hdd/img/ubuntu1404.qcow2 \
   -m 512 \
   --usbdevice disk:format=qcow2:../usb.img \
   --enable-kvm

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1525123/+subscriptions
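The check the report asks for in uhci_handle_td(), written out as an added example. This is not QEMU's own code: the USB_TOKEN_* values are the three PIDs named in the report (and in QEMU's usb.h), but the uhci_td layout, the hc_state struct and the function names here are constructed for illustration. The point is that a PID supplied by the guest is untrusted input, so a bad value is reported back as a host-controller halt rather than reaching an assert that aborts the whole emulator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* USB token PIDs as given in the UHCI design guide (same values as QEMU's usb.h). */
#define USB_TOKEN_SETUP 0x2d
#define USB_TOKEN_OUT   0xe1
#define USB_TOKEN_IN    0x69

/* Constructed result type for this example; QEMU uses its own return conventions. */
typedef enum {
    TD_PID_OK = 0,       /* valid token, safe to look up the endpoint */
    TD_PID_INVALID = -1  /* guest supplied a bad PID: halt the host controller */
} td_pid_status;

/* Minimal stand-in for a UHCI transfer descriptor (constructed). The PID is the
 * low byte of the token dword, as in the UHCI TD layout. */
typedef struct {
    uint32_t link;
    uint32_t ctrl;
    uint32_t token;
    uint32_t buffer;
} uhci_td;

/* Validate the TD's PID before any endpoint lookup. Anything other than
 * IN/OUT/SETUP is rejected so the caller can halt the HC instead of
 * passing the value on to usb_ep_get(), whose assert would abort QEMU. */
td_pid_status uhci_td_check_pid(const uhci_td *td, uint8_t *pid_out)
{
    uint8_t pid = td->token & 0xff;

    switch (pid) {
    case USB_TOKEN_IN:
    case USB_TOKEN_OUT:
    case USB_TOKEN_SETUP:
        if (pid_out) {
            *pid_out = pid;
        }
        return TD_PID_OK;
    default:
        return TD_PID_INVALID;
    }
}

/* Constructed host-controller state: a real UHCI signals a halt through the
 * HCHalted bit of USBSTS; here a bool stands in for that. */
typedef struct {
    bool halted;
    unsigned tds_processed;
} hc_state;

/* Handle one TD the way the report describes: a bad PID halts the (emulated)
 * host controller and the emulator process keeps running. */
void uhci_handle_td_safe(hc_state *hc, const uhci_td *td)
{
    uint8_t pid;

    if (hc->halted) {
        return;  /* a halted HC processes nothing until reset */
    }
    if (uhci_td_check_pid(td, &pid) != TD_PID_OK) {
        fprintf(stderr, "uhci: invalid TD PID 0x%02x, halting HC\n",
                (unsigned)(td->token & 0xff));
        hc->halted = true;
        return;
    }
    hc->tds_processed++;  /* the real handler would now call usb_ep_get(pid, ...) */
}

int main(void)
{
    hc_state hc = { false, 0 };
    uhci_td good = { 0, 0, 0x00e0e169u, 0 };  /* constructed: PID byte = IN  */
    uhci_td bad  = { 0, 0, 0x000000a5u, 0 };  /* constructed: PID byte = 0xa5 */

    uhci_handle_td_safe(&hc, &good);
    uhci_handle_td_safe(&hc, &bad);
    printf("halted=%d processed=%u\n", hc.halted, hc.tds_processed);
    return 0;
}
```

The two sample descriptors are constructed inline; the invalid one carries a PID byte that is neither IN, OUT nor SETUP. With the check in place the host controller halts and the process continues, which is also what stops the crash from being usable as a sandbox-detection signal.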

Thread overview: 8+ messages
     [not found] <20151211084346.25665.93589.malonedeb@gac.canonical.com>
2017-01-17 19:31 ` [Qemu-devel] [Bug 1525123] Re: USB assert failure on hcd-uhci.c Thomas Huth
2018-11-27 15:02 ` Thomas Huth
2019-01-27  4:17 ` Launchpad Bug Tracker [this message]
2020-05-13  1:58 ` Alexander Bulekov
2020-06-16 15:41 ` Bugs SysSec
2020-06-16 15:54 ` Bugs SysSec
2021-05-04  7:23 ` Thomas Huth
2021-05-12 11:40 ` Thomas Huth
