From: Alexander Bulekov <1909247@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Date: Mon, 15 Mar 2021 03:01:18 -0000 [thread overview]
Message-ID: <161577727841.18993.1666066767594437272.malone@soybean.canonical.com> (raw)
In-Reply-To: 160882932286.4370.15587232403500958955.malonedeb@wampee.canonical.com
Looks the same, or very similar to this one:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or
* later. See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
* -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
* outl 0xcf8 0x80001010
* outl 0xcfc 0xc000
* outl 0xcf8 0x80001004
* outw 0xcfc 0x01
* outl 0xc046 0x02
* outl 0xc03f 0x0300
* outw 0xc00b 0x4300
* outl 0xc00b 0x9000
* EOF
*/
static void test_fuzz(void)
{
QTestState *s = qtest_init(
"-display none , -m 4G -device am53c974,id=scsi -device "
"scsi-hd,drive=disk0 -drive "
"id=disk0,if=none,file=null-co://,format=raw -nodefaults");
qtest_outl(s, 0xcf8, 0x80001010);
qtest_outl(s, 0xcfc, 0xc000);
qtest_outl(s, 0xcf8, 0x80001004);
qtest_outw(s, 0xcfc, 0x01);
qtest_outl(s, 0xc046, 0x02);
qtest_outl(s, 0xc03f, 0x0300);
qtest_outw(s, 0xc00b, 0x4300);
qtest_outl(s, 0xc00b, 0x9000);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/test_fuzz", test_fuzz);
}
return g_test_run();
}
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Status in QEMU:
New
Bug description:
A use-after-free vulnerability was found in the am53c974 SCSI host bus
adapter emulation of QEMU. It could occur in the esp_do_dma() function
in hw/scsi/esp.c while handling the 'Information Transfer' command
(CMD_TI). A privileged guest user may abuse this flaw to crash the
QEMU process on the host, resulting in a denial of service or
potential code execution with the privileges of the QEMU process.
This issue was reported by Cheolwoo Myung (Seoul National University).
Original report:
Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
am53c974 emulator of QEMU enabled ASan.
It occurs while transferring information, as it does not check the
buffer to be transferred.
A malicious guest user/process could use this flaw to crash the QEMU
process resulting in DoS scenario.
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make
# To reproduce this issue, please run the QEMU process with the following command line
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Please find attached the disk images to reproduce this issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions
next prev parent reply other threads:[~2021-03-15 3:13 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella
2020-12-24 17:09 ` [Bug 1909247] " Mauro Matteo Cascella
2021-01-15 16:16 ` Peter Maydell
2021-03-15 3:01 ` Alexander Bulekov [this message]
2021-03-15 12:11 ` Mauro Matteo Cascella
2021-03-15 13:50 ` Mauro Matteo Cascella
2021-03-15 14:02 ` Mauro Matteo Cascella
2021-03-15 14:19 ` Alexander Bulekov
2021-03-17 7:43 ` Mark Cave-Ayland
2021-03-24 7:31 ` P J P
2021-03-24 8:09 ` Mark Cave-Ayland
2021-03-24 9:51 ` Mauro Matteo Cascella
2021-03-24 15:53 ` Alexander Bulekov
2021-03-24 17:28 ` Philippe Mathieu-Daudé
2021-03-24 17:28 ` Philippe Mathieu-Daudé
2021-03-25 13:22 ` Mark Cave-Ayland
2021-03-29 3:21 ` [Bug 1909247] [PATCH] tests/qtest: add more tests for am53c974 device Alexander Bulekov
2021-03-29 3:21 ` Alexander Bulekov
2021-04-01 8:15 ` [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mark Cave-Ayland
2021-04-14 13:36 ` Mauro Matteo Cascella
2021-04-14 14:09 ` Mauro Matteo Cascella
2021-04-30 9:00 ` Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=161577727841.18993.1666066767594437272.malone@soybean.canonical.com \
--to=1909247@bugs.launchpad.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).