qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
* [Bug 1880332] [NEW] Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault)
@ 2020-05-23 19:13 Héctor Molinero Fernández
  2020-05-25 14:41 ` [Bug 1880332] " Laurent Vivier
  2020-06-01 18:18 ` Richard Henderson
  0 siblings, 2 replies; 3+ messages in thread
From: Héctor Molinero Fernández @ 2020-05-23 19:13 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

I've come across a very specific situation, but I'm sure it could be
replicated in other cases.

In QEMU 5.0.0 when I use user emulation with a cURL binary for aarch64
and connect to a server using TLS 1.2 and ECDHE-ECDSA-CHACHA20-POLY1305
cypher a segmentation fault occurs.

I attach a Dockerfile that reproduces this crash and the strace output
with and without the de0b1bae6461f67243282555475f88b2384a1eb9 commit
reverted.

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "crash-replication.zip"
   https://bugs.launchpad.net/bugs/1880332/+attachment/5375960/+files/crash-replication.zip

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880332

Title:
  Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation
  fault)

Status in QEMU:
  New

Bug description:
  I've come across a very specific situation, but I'm sure it could be
  replicated in other cases.

  In QEMU 5.0.0 when I use user emulation with a cURL binary for aarch64
  and connect to a server using TLS 1.2 and ECDHE-ECDSA-
  CHACHA20-POLY1305 cypher a segmentation fault occurs.

  I attach a Dockerfile that reproduces this crash and the strace output
  with and without the de0b1bae6461f67243282555475f88b2384a1eb9 commit
  reverted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880332/+subscriptions


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Bug 1880332] Re: Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault)
  2020-05-23 19:13 [Bug 1880332] [NEW] Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault) Héctor Molinero Fernández
@ 2020-05-25 14:41 ` Laurent Vivier
  2020-06-01 18:18 ` Richard Henderson
  1 sibling, 0 replies; 3+ messages in thread
From: Laurent Vivier @ 2020-05-25 14:41 UTC (permalink / raw)
  To: qemu-devel

** Tags added: linux-user

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880332

Title:
  Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation
  fault)

Status in QEMU:
  New

Bug description:
  I've come across a very specific situation, but I'm sure it could be
  replicated in other cases.

  In QEMU 5.0.0 when I use user emulation with a cURL binary for aarch64
  and connect to a server using TLS 1.2 and ECDHE-ECDSA-
  CHACHA20-POLY1305 cypher a segmentation fault occurs.

  I attach a Dockerfile that reproduces this crash and the strace output
  with and without the de0b1bae6461f67243282555475f88b2384a1eb9 commit
  reverted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880332/+subscriptions


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Bug 1880332] Re: Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault)
  2020-05-23 19:13 [Bug 1880332] [NEW] Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault) Héctor Molinero Fernández
  2020-05-25 14:41 ` [Bug 1880332] " Laurent Vivier
@ 2020-06-01 18:18 ` Richard Henderson
  1 sibling, 0 replies; 3+ messages in thread
From: Richard Henderson @ 2020-06-01 18:18 UTC (permalink / raw)
  To: qemu-devel

This is a compiler bug affecting (at least) libcrypto.so.1.1:

  179d90:       d503233f        paciasp
  179d94:       a9bb7bfd        stp     x29, x30, [sp, #-80]!
...
  17a400:       d50323bf        autiasp
  17a404:       f84507fd        ldr     x29, [sp], #80
  17a408:       d65f03c0        ret

The PAC happens with the initial sp:

  X30=0000005501de55fc  SP=00000055018477a0

while the AUTH happens with the decremented sp:

  X30=0011005501de55fc  SP=0000005501847750

Since the salt (sp) is different for the two operations, the
authorization should and does fail:

  X30=0020005501de55fc

Note bit 53 is now set in x30, which is the error indication.

The compiler must move the authiasp down below the ldr pop.


** Changed in: qemu
       Status: New => Invalid

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880332

Title:
  Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation
  fault)

Status in QEMU:
  Invalid

Bug description:
  I've come across a very specific situation, but I'm sure it could be
  replicated in other cases.

  In QEMU 5.0.0 when I use user emulation with a cURL binary for aarch64
  and connect to a server using TLS 1.2 and ECDHE-ECDSA-
  CHACHA20-POLY1305 cypher a segmentation fault occurs.

  I attach a Dockerfile that reproduces this crash and the strace output
  with and without the de0b1bae6461f67243282555475f88b2384a1eb9 commit
  reverted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880332/+subscriptions


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-01 18:32 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-23 19:13 [Bug 1880332] [NEW] Possible regression in QEMU 5.0.0 after CVE-2020-10702 (segmentation fault) Héctor Molinero Fernández
2020-05-25 14:41 ` [Bug 1880332] " Laurent Vivier
2020-06-01 18:18 ` Richard Henderson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).