From: "Philippe Mathieu-Daudé" <f4bug@amsat.org> To: Bug 1909247 <1909247@bugs.launchpad.net>, qemu-devel@nongnu.org Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Subject: Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Date: Wed, 24 Mar 2021 18:28:41 +0100 [thread overview] Message-ID: <7cf68684-d214-38a2-4a92-87b381f06a5a@amsat.org> (raw) In-Reply-To: <20210324155324.mfta6pfa573ms5vi@mozz.bu.edu> On 3/24/21 4:53 PM, Alexander Bulekov wrote: > Hi, > I can still trigger stack-overflows, heap-UAFs and heap-overflows in the > code, but Mark's patches fixed some of the issues. I didn't want to > flood the issue-tracker with further problems in this code, since it > isn't clear what the security expectations are for this device. Of > course it is only a matter of time until someone sends more reports to > qemu-security. I'd expect qemu-security to have a template "Thank you for your bug but this device is not within the 'security' boundary, we will forward your report to the community". > > Mark, do you want me to provide more reproducers for this device? Surely Mark prefers you provide bugfixes instead :D Phil.
WARNING: multiple messages have this Message-ID (diff)
From: "Philippe Mathieu-Daudé" <1909247@bugs.launchpad.net> To: qemu-devel@nongnu.org Subject: Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Date: Wed, 24 Mar 2021 17:28:41 -0000 [thread overview] Message-ID: <7cf68684-d214-38a2-4a92-87b381f06a5a@amsat.org> (raw) Message-ID: <20210324172841.DTZKzw3ml3FBsdyE_OeQwt7-KREfSDUgquxQWXpQZLE@z> (raw) In-Reply-To: 20210324155324.mfta6pfa573ms5vi@mozz.bu.edu On 3/24/21 4:53 PM, Alexander Bulekov wrote: > Hi, > I can still trigger stack-overflows, heap-UAFs and heap-overflows in the > code, but Mark's patches fixed some of the issues. I didn't want to > flood the issue-tracker with further problems in this code, since it > isn't clear what the security expectations are for this device. Of > course it is only a matter of time until someone sends more reports to > qemu-security. I'd expect qemu-security to have a template "Thank you for your bug but this device is not within the 'security' boundary, we will forward your report to the community". > > Mark, do you want me to provide more reproducers for this device? Surely Mark prefers you provide bugfixes instead :D Phil. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions
next prev parent reply other threads:[~2021-03-24 17:29 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella 2020-12-24 17:09 ` [Bug 1909247] " Mauro Matteo Cascella 2021-01-15 16:16 ` Peter Maydell 2021-03-15 3:01 ` Alexander Bulekov 2021-03-15 12:11 ` Mauro Matteo Cascella 2021-03-15 13:50 ` Mauro Matteo Cascella 2021-03-15 14:02 ` Mauro Matteo Cascella 2021-03-15 14:19 ` Alexander Bulekov 2021-03-17 7:43 ` Mark Cave-Ayland 2021-03-24 7:31 ` P J P 2021-03-24 8:09 ` Mark Cave-Ayland 2021-03-24 9:51 ` Mauro Matteo Cascella 2021-03-24 15:53 ` Alexander Bulekov 2021-03-24 17:28 ` Philippe Mathieu-Daudé [this message] 2021-03-24 17:28 ` Philippe Mathieu-Daudé 2021-03-25 13:22 ` Mark Cave-Ayland 2021-03-29 3:21 ` [Bug 1909247] [PATCH] tests/qtest: add more tests for am53c974 device Alexander Bulekov 2021-03-29 3:21 ` Alexander Bulekov 2021-04-01 8:15 ` [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mark Cave-Ayland 2021-04-14 13:36 ` Mauro Matteo Cascella 2021-04-14 14:09 ` Mauro Matteo Cascella 2021-04-30 9:00 ` Thomas Huth
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=7cf68684-d214-38a2-4a92-87b381f06a5a@amsat.org \ --to=f4bug@amsat.org \ --cc=1909247@bugs.launchpad.net \ --cc=mark.cave-ayland@ilande.co.uk \ --cc=qemu-devel@nongnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).