On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <email address hidden> wrote:
> Hello PJP, Mauro
>
> Of course. you can post the details with our reproducers.
> I'm glad it helped you.
>
> Thank you.
> - Cheolwoo Myung
>
2021년 3월 17일 (수) 오후 10:30, P J P <email address hidden>님이 작성:
>
>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <email address hidden> wrote:
>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
>>issue, see https://bugs.launchpad.net/qemu/+bug/1909247.
>
> * From the QEMU command lines below they do look similar.
>
> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
>
>
>On Mon, Mar 15, 2021 at 6:58 AM P J P <email address hidden> wrote:
> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <email address hidden> wrote:
> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
> >
> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
* I was able to reproduce these issues against the latest upstream git source
and following patch helps to fix above two issues.
===
$ git diff hw/scsi/
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index c3d3dab05e..4a6f208069 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -98,6 +98,7 @@ static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val)
trace_esp_pci_dma_abort(val);
if (s->current_req) { scsi_req_cancel(s->current_req);
+ s->async_len = 0;
}
}
- len = esp_get_tc(s);
+ len = MIN(esp_get_tc(s), sizeof(buf));
if (s->do_cmd) {
/*
===
> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
* This heap OOB access issue seems to occur because
* This one is quite tricky to fix. Because 'buf[]' is accessed at various
places with hard coded index values. It's not easy to check access
against 's->cmdfifo' object.
@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug
On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <email address hidden> wrote:
> Hello PJP, Mauro
>
> Of course. you can post the details with our reproducers.
> I'm glad it helped you.
>
> Thank you.
> - Cheolwoo Myung
>
2021년 3월 17일 (수) 오후 10:30, P J P <email address hidden>님이 작성: /bugs.launchpad .net/qemu/ +bug/1909247. hyfuzz. img,index= 0,media= disk,format= raw \ drive=SysDisk -drive >id=SysDisk, if=none, file=./ disk.img hyfuzz. img,index= 0,media= disk,format= raw \ drive=SysDisk -drive >id=SysDisk, if=none, file=./ disk.img
>
>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <email address hidden> wrote:
>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
>>issue, see https:/
>
> * From the QEMU command lines below they do look similar.
>
> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
>
>
>On Mon, Mar 15, 2021 at 6:58 AM P J P <email address hidden> wrote:
> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <email address hidden> wrote:
> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./
> > -device am53c974,id=scsi -device scsi-hd,
> >
> >
> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./
> > -device am53c974,id=scsi -device scsi-hd,
> >
* I was able to reproduce these issues against the latest upstream git source .4a6f208069 100644 handle_ abort(PCIESPSta te *pci, uint32_t val) esp_pci_ dma_abort( val);
scsi_ req_cancel( s->current_ req);
and following patch helps to fix above two issues.
===
$ git diff hw/scsi/
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index c3d3dab05e.
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -98,6 +98,7 @@ static void esp_pci_
trace_
if (s->current_req) {
+ s->async_len = 0;
}
}
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c .99bee7bc66 100644 ESP_RSTAT] & 7) == STAT_DO); CMDFIFO_ SZ];
index 507ab363bc.
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s)
int to_device = ((s->rregs[
uint8_t buf[ESP_
- len = esp_get_tc(s);
+ len = MIN(esp_get_tc(s), sizeof(buf));
if (s->do_cmd) {
/*
===
> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan. hyfuzz. img,index= 0,media= disk,format= raw \ drive=SysDisk -drive >id=SysDisk, if=none, file=./ disk.img
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./
> > -device am53c974,id=scsi -device scsi-hd,
* This heap OOB access issue seems to occur because
static void do_busid_cmd(...) pop_buf( &s->cmdfifo, cmdlen, &n); <==
...
buf = (uint8_t *)fifo8_
'buf' points towards an end of the 32 byte buffer allocated via
static void esp_init(Object *obj) create( &s->cmdfifo, ESP_CMDFIFO_ SZ(=32) ); <==
...
fifo8_
and the OOB access could occur at numerous places, one of which is
scsi_req_new
-> scsi_req_parse_cdb
-> memcpy(cmd->buf, buf, cmd->len); <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32.
* This one is quite tricky to fix. Because 'buf[]' is accessed at various
places with hard coded index values. It's not easy to check access
against 's->cmdfifo' object.
@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug
-> https:/ /bugs.launchpad .net/qemu/ +bug/1909247
It'll help to discuss/prepare a proper fix patch.
Thank you. feedmug. com
---
-P J P
http://