[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma()
|
From: |
Alexander Bulekov |
|
Subject: |
Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c |
|
Date: |
Wed, 24 Mar 2021 15:53:24 -0000 |
Hi,
I can still trigger stack-overflows, heap-UAFs and heap-overflows in the
code, but Mark's patches fixed some of the issues. I didn't want to
flood the issue-tracker with further problems in this code, since it
isn't clear what the security expectations are for this device. Of
course it is only a matter of time until someone sends more reports to
qemu-security.
Mark, do you want me to provide more reproducers for this device?
-Alex
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Status in QEMU:
New
Bug description:
A use-after-free vulnerability was found in the am53c974 SCSI host bus
adapter emulation of QEMU. It could occur in the esp_do_dma() function
in hw/scsi/esp.c while handling the 'Information Transfer' command
(CMD_TI). A privileged guest user may abuse this flaw to crash the
QEMU process on the host, resulting in a denial of service or
potential code execution with the privileges of the QEMU process.
This issue was reported by Cheolwoo Myung (Seoul National University).
Original report:
Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
am53c974 emulator of QEMU enabled ASan.
It occurs while transferring information, as it does not check the
buffer to be transferred.
A malicious guest user/process could use this flaw to crash the QEMU
process resulting in DoS scenario.
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make
# To reproduce this issue, please run the QEMU process with the following
command line
$ ./qemu-system-i386 -m 512 -drive
file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Please find attached the disk images to reproduce this issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Alexander Bulekov, 2021/03/14
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mauro Matteo Cascella, 2021/03/15
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mauro Matteo Cascella, 2021/03/15
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mauro Matteo Cascella, 2021/03/15
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Alexander Bulekov, 2021/03/15
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mark Cave-Ayland, 2021/03/17
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, P J P, 2021/03/24
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mark Cave-Ayland, 2021/03/24
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mauro Matteo Cascella, 2021/03/24
- Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c,
Alexander Bulekov <=
- [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c, Mark Cave-Ayland, 2021/03/25