Activity log for bug #1523811

| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2015-12-08 08:45:19 | Hajin Jang | bug | | | added bug |
| 2015-12-08 08:45:19 | Hajin Jang | attachment added | | a.py | https://bugs.launchpad.net/bugs/1523811/+attachment/4531401/+files/a.py |
| 2017-01-17 19:27:43 | Thomas Huth | information type | Private Security | Public Security | |
| 2018-11-27 15:02:43 | Thomas Huth | qemu: status | New | Incomplete | |
| 2019-01-27 04:17:35 | Launchpad Janitor | qemu: status | Incomplete | Expired | |
| 2021-02-28 11:13:43 | Cheolwoo,Myung | attachment added | | fuzzer | https://bugs.launchpad.net/qemu/+bug/1523811/+attachment/5470004/+files/attachment.tar.gz |
| 2021-02-28 11:20:15 | Cheolwoo,Myung | bug | | | added subscriber Cheolwoo,Myung |
| 2021-02-28 11:38:50 | Peter Maydell | tags | assert usb | assert fuzzer usb | |
| 2021-03-04 13:38:55 | Cheolwoo,Myung | description | (text below) | (text below; differs from the old value only in whitespace) | |
| 2021-03-11 16:05:56 | Philippe Mathieu-Daudé | bug | | | added subscriber Gerd Hoffmann |
| 2021-03-11 16:06:16 | Philippe Mathieu-Daudé | qemu: status | Expired | Confirmed | |
| 2021-04-30 08:55:16 | Thomas Huth | qemu: status | Confirmed | Fix Released | |

Description (old and new value of the 2021-03-04 13:38:55 change, identical apart from whitespace):

On executing the attached python script in the guest OS, QEMU dies with an assert failure:

[run python script in guest root shell]
# python a.py

[host message]
qemu-system-x86_64: hw/usb/dev-storage.c:445: usb_msd_handle_data: Assertion `le32_to_cpu(s->csw.residue) == 0' failed.
Aborted (core dumped)

When I detach the kernel driver, send a CBW and reattach it again, without conforming to the command/data/status protocol, QEMU dies. I think this is due to misimplementation of the Command/Data/Status protocol in Bulk-only transfer.

This kind of assert failure can be misused by malware to avoid being analyzed, by terminating only in virtual environments while still executing the malicious code on real machines.

Before running the python script, make sure to change a.py so that it points to the USB mass storage's VID and PID.

QEMU was running in this environment:

[CPU model] Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
[qemu version] QEMU 2.5.0-rc2 (compiled from source, gcc 4.8.4)
[host info] Ubuntu 14.04.3, x86_64, 3.19.0-32-generic
[guest info] Ubuntu 14.04.3, x86_64, 3.19.0-28-generic
[QEMU argument]
x86_64-softmmu/qemu-system-x86_64 -hda /media/hdd/img/ubuntu1404.qcow2.5 \
 -m 512 \
 --usbdevice disk:format=qcow2:../usb.img.5 \
 --enable-kvm