On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote: 
> Hello  PJP, Mauro
>
> Of course. you can post the details with our reproducers. 
> I'm glad it helped you.
>
> Thank you.
> - Cheolwoo Myung
>


2021년 3월 17일 (수) 오후 10:30, P J P <pjp@fedoraproject.org>님이 작성:
>
>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <mcascell@redhat.com> wrote: 
>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
>>issue, see https://bugs.launchpad.net/qemu/+bug/1909247.
>
> * From the QEMU command lines below they do look similar.
>  
> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
>
>
>On Mon, Mar 15, 2021 at 6:58 AM P J P <pjp@fedoraproject.org> wrote:
> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote:
> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
> >
> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >

* I was able to reproduce these issues against the latest upstream git source
  and following patch helps to fix above two issues.
===
$ git diff hw/scsi/
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index c3d3dab05e..4a6f208069 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -98,6 +98,7 @@ static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val)
     trace_esp_pci_dma_abort(val);
     if (s->current_req) {
         scsi_req_cancel(s->current_req);
+        s->async_len = 0;
     }
 }
 
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 507ab363bc..99bee7bc66 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s)
     int to_device = ((s->rregs[ESP_RSTAT] & 7) == STAT_DO);
     uint8_t buf[ESP_CMDFIFO_SZ];
 
-    len = esp_get_tc(s);
+    len = MIN(esp_get_tc(s), sizeof(buf));
     if (s->do_cmd) {
         /*
===


> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img

* This heap OOB access issue seems to occur because

   static void do_busid_cmd(...)
     ...
     buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); <==

'buf' points towards an end of the 32 byte buffer allocated via

   static void esp_init(Object *obj)
     ...
     fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ(=32));  <==

and the OOB access could occur at numerous places, one of which is

scsi_req_new
 -> scsi_req_parse_cdb
  -> memcpy(cmd->buf, buf, cmd->len);  <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32.


* This one is quite tricky to fix. Because 'buf[]' is accessed at various
  places with hard coded index values. It's not easy to check access
  against 's->cmdfifo' object.


@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug

  -> https://bugs.launchpad.net/qemu/+bug/1909247

It'll help to discuss/prepare a proper fix patch.


Thank you.
---
  -P J P
http://feedmug.com

** Attachment added: "hw-esp-oob-issues.zip"
   https://bugs.launchpad.net/qemu/+bug/1909247/+attachment/5480385/+files/hw-esp-oob-issues.zip

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1909247

Title:
  QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c

Status in QEMU:
  New

Bug description:
  A use-after-free vulnerability was found in the am53c974 SCSI host bus
  adapter emulation of QEMU. It could occur in the esp_do_dma() function
  in hw/scsi/esp.c while handling the 'Information Transfer' command
  (CMD_TI). A privileged guest user may abuse this flaw to crash the
  QEMU process on the host, resulting in a denial of service or
  potential code execution with the privileges of the QEMU process.

  This issue was reported by Cheolwoo Myung (Seoul National University).

  Original report:
  Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
  am53c974 emulator of QEMU enabled ASan.

  It occurs while transferring information, as it does not check the
  buffer to be transferred.

  A malicious guest user/process could use this flaw to crash the QEMU
  process resulting in DoS scenario.

  To reproduce this issue, please run the QEMU with the following command
  line.

  # To enable ASan option, please set configuration with the following
  $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
  $ make

  # To reproduce this issue, please run the QEMU process with the following command line
  $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Please find attached the disk images to reproduce this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions