From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23877C433E6 for ; Mon, 15 Mar 2021 03:13:37 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A4CFE64E67 for ; Mon, 15 Mar 2021 03:13:36 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A4CFE64E67 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bugs.launchpad.net Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:55788 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lLdfj-0007Ju-Os for qemu-devel@archiver.kernel.org; Sun, 14 Mar 2021 23:13:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48490) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lLdd8-0005pY-E8 for qemu-devel@nongnu.org; Sun, 14 Mar 2021 23:10:54 -0400 Received: from indium.canonical.com ([91.189.90.7]:35202) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lLdd6-0006MF-F0 for qemu-devel@nongnu.org; Sun, 14 Mar 2021 23:10:54 -0400 Received: from loganberry.canonical.com ([91.189.90.37]) by indium.canonical.com with esmtp (Exim 4.86_2 #2 (Debian)) id 1lLdd5-0007bT-Aa for ; Mon, 15 Mar 2021 03:10:51 +0000 Received: from loganberry.canonical.com (localhost [127.0.0.1]) by loganberry.canonical.com (Postfix) with ESMTP id 489102E8157 for ; Mon, 15 Mar 2021 03:10:51 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Date: Mon, 15 Mar 2021 03:01:18 -0000 From: Alexander Bulekov <1909247@bugs.launchpad.net> To: qemu-devel@nongnu.org X-Launchpad-Notification-Type: bug X-Launchpad-Bug: product=qemu; status=New; importance=Undecided; assignee=None; X-Launchpad-Bug-Tags: cve fuzzer qemu security X-Launchpad-Bug-Information-Type: Public Security X-Launchpad-Bug-Private: no X-Launchpad-Bug-Security-Vulnerability: yes X-Launchpad-Bug-Commenters: a1xndr mauro-cascella X-Launchpad-Bug-Reporter: Mauro Matteo Cascella (mauro-cascella) X-Launchpad-Bug-Modifier: Alexander Bulekov (a1xndr) References: <160882932286.4370.15587232403500958955.malonedeb@wampee.canonical.com> Message-Id: <161577727841.18993.1666066767594437272.malone@soybean.canonical.com> Subject: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c X-Launchpad-Message-Rationale: Subscriber (QEMU) @qemu-devel-ml X-Launchpad-Message-For: qemu-devel-ml Precedence: bulk X-Generated-By: Launchpad (canonical.com); Revision="d4fcb062545ed29d3cd7773e52e43615e042623f"; Instance="production" X-Launchpad-Hash: 3d6ec3e55bcc32790a06ac0c3974b11b7b2dbbef Received-SPF: none client-ip=91.189.90.7; envelope-from=bounces@canonical.com; helo=indium.canonical.com X-Spam_score_int: -66 X-Spam_score: -6.7 X-Spam_bar: ------ X-Spam_report: (-6.7 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Bug 1909247 <1909247@bugs.launchpad.net> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Looks the same, or very similar to this one: /* * Autogenerated Fuzzer Test Case * * This work is licensed under the terms of the GNU GPL, version 2 or * later. See the COPYING file in the top-level directory. */ #include "qemu/osdep.h" #include "libqos/libqtest.h" /* * cat << EOF | ./qemu-system-i386 -display none -machine accel=3Dqtest, \ * -m 4G -device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 -drive \ * id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults -qtest s= tdio * outl 0xcf8 0x80001010 * outl 0xcfc 0xc000 * outl 0xcf8 0x80001004 * outw 0xcfc 0x01 * outl 0xc046 0x02 * outl 0xc03f 0x0300 * outw 0xc00b 0x4300 * outl 0xc00b 0x9000 * EOF */ static void test_fuzz(void) { QTestState *s =3D qtest_init( "-display none , -m 4G -device am53c974,id=3Dscsi -device " "scsi-hd,drive=3Ddisk0 -drive " "id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodefaults"); qtest_outl(s, 0xcf8, 0x80001010); qtest_outl(s, 0xcfc, 0xc000); qtest_outl(s, 0xcf8, 0x80001004); qtest_outw(s, 0xcfc, 0x01); qtest_outl(s, 0xc046, 0x02); qtest_outl(s, 0xc03f, 0x0300); qtest_outw(s, 0xc00b, 0x4300); qtest_outl(s, 0xc00b, 0x9000); qtest_quit(s); } int main(int argc, char **argv) { const char *arch =3D qtest_get_arch(); g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") =3D=3D 0) { qtest_add_func("fuzz/test_fuzz", test_fuzz); } return g_test_run(); } -- = You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=3Di386-softmmu --disable-werror --enable-sani= tizers $ make # To reproduce this issue, please run the QEMU process with the following= command line $ ./qemu-system-i386 -m 512 -drive file=3D./hyfuzz.img,index=3D0,media=3D= disk,format=3Draw \ -device am53c974,id=3Dscsi -device scsi-hd,drive=3DSysDisk \ -drive id=3DSysDisk,if=3Dnone,file=3D./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions