On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote:
> Hello PJP, Mauro
>
> Of course. you can post the details with our reproducers.
> I'm glad it helped you.
>
> Thank you.
> - Cheolwoo Myung
>
2021년 3월 17일 (수) 오후 10:30, P J P <pjp@fedoraproject.org>님이 작성:
>
>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <mcascell@redhat.com> wrote:
>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
>>issue, see https://bugs.launchpad.net/qemu/+bug/1909247.
>
> * From the QEMU command lines below they do look similar.
>
> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
>
>
>On Mon, Mar 15, 2021 at 6:58 AM P J P <pjp@fedoraproject.org> wrote:
> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote:
> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
> >
> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
* I was able to reproduce these issues against the latest upstream git source
and following patch helps to fix above two issues.
===
$ git diff hw/scsi/
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index c3d3dab05e..4a6f208069 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -98,6 +98,7 @@ static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val)
trace_esp_pci_dma_abort(val);
if (s->current_req) {
scsi_req_cancel(s->current_req);
+ s->async_len = 0;
}
}
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 507ab363bc..99bee7bc66 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s)
int to_device = ((s->rregs[ESP_RSTAT] & 7) == STAT_DO);
uint8_t buf[ESP_CMDFIFO_SZ];
- len = esp_get_tc(s);
+ len = MIN(esp_get_tc(s), sizeof(buf));
if (s->do_cmd) {
/*
===
> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
* This heap OOB access issue seems to occur because
static void do_busid_cmd(...)
...
buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); <==
'buf' points towards an end of the 32 byte buffer allocated via
static void esp_init(Object *obj)
...
fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ(=32)); <==
and the OOB access could occur at numerous places, one of which is
scsi_req_new
-> scsi_req_parse_cdb
-> memcpy(cmd->buf, buf, cmd->len); <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32.
* This one is quite tricky to fix. Because 'buf[]' is accessed at various
places with hard coded index values. It's not easy to check access
against 's->cmdfifo' object.
@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug
-> https://bugs.launchpad.net/qemu/+bug/1909247
It'll help to discuss/prepare a proper fix patch.
Thank you.
---
-P J P
http://feedmug.com
** Attachment added: "hw-esp-oob-issues.zip"
https://bugs.launchpad.net/qemu/+bug/1909247/+attachment/5480385/+files/hw-esp-oob-issues.zip
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Status in QEMU:
New
Bug description:
A use-after-free vulnerability was found in the am53c974 SCSI host bus
adapter emulation of QEMU. It could occur in the esp_do_dma() function
in hw/scsi/esp.c while handling the 'Information Transfer' command
(CMD_TI). A privileged guest user may abuse this flaw to crash the
QEMU process on the host, resulting in a denial of service or
potential code execution with the privileges of the QEMU process.
This issue was reported by Cheolwoo Myung (Seoul National University).
Original report:
Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
am53c974 emulator of QEMU enabled ASan.
It occurs while transferring information, as it does not check the
buffer to be transferred.
A malicious guest user/process could use this flaw to crash the QEMU
process resulting in DoS scenario.
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make
# To reproduce this issue, please run the QEMU process with the following command line
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Please find attached the disk images to reproduce this issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions
© 2016 - 2024 Red Hat, Inc.