QEMU

Bug #1909247
Comment #8

Comment 8 for bug 1909247

Revision history for this message

P J P (pjps) wrote on 2021-03-24:

hw-esp-oob-issues.zip Edit (4.0 MiB, application/zip)

On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <email address hidden> wrote:
> Hello PJP, Mauro
>
> Of course. you can post the details with our reproducers.
> I'm glad it helped you.
>
> Thank you.
> - Cheolwoo Myung
>

2021년 3월 17일 (수) 오후 10:30, P J P <email address hidden>님이 작성:
>
>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <email address hidden> wrote:
>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
>>issue, see https://bugs.launchpad.net/qemu/+bug/1909247.
>
> * From the QEMU command lines below they do look similar.
>
> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
>
>
>On Mon, Mar 15, 2021 at 6:58 AM P J P <email address hidden> wrote:
> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <email address hidden> wrote:
> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
> >
> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 507ab363bc..99bee7bc66 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s)
int to_device = ((s->rregs[ESP_RSTAT] & 7) == STAT_DO);
uint8_t buf[ESP_CMDFIFO_SZ];

- len = esp_get_tc(s);
+ len = MIN(esp_get_tc(s), sizeof(buf));
if (s->do_cmd) {
/*
===

> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img

* This heap OOB access issue seems to occur because

   static void do_busid_cmd(...)
     ...
     buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); <==

'buf' points towards an end of the 32 byte buffer allocated via

   static void esp_init(Object *obj)
     ...
     fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ(=32)); <==

and the OOB access could occur at numerous places, one of which is

scsi_req_new
-> scsi_req_parse_cdb
-> memcpy(cmd->buf, buf, cmd->len); <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32.

* This one is quite tricky to fix. Because 'buf[]' is accessed at various
places with hard coded index values. It's not easy to check access
against 's->cmdfifo' object.

@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug

-> https://bugs.launchpad.net/qemu/+bug/1909247

It'll help to discuss/prepare a proper fix patch.

Thank you.
---
-P J P
http://feedmug.com

On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote: 
> Hello  PJP, Mauro
>
> Of course. you can post the details with our reproducers. 
> I'm glad it helped you.
>
> Thank you.
> - Cheolwoo Myung
>

2021년 3월 17일 (수) 오후 10:30, P J P <pjp@fedoraproject.org>님이 작성:
>
>On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <mcascell@redhat.com> wrote: 
>>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same)
>>issue, see https://bugs.launchpad.net/qemu/+bug/1909247.
>
> * From the QEMU command lines below they do look similar.
>  
> * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet?
>
>
>On Mon, Mar 15, 2021 at 6:58 AM P J P <pjp@fedoraproject.org> wrote:
> >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote:
> >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >
> >
> > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img
> >

* I was able to reproduce these issues against the latest upstream git source
  and following patch helps to fix above two issues.
===
$ git diff hw/scsi/
diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
index c3d3dab05e..4a6f208069 100644
--- a/hw/scsi/esp-pci.c
+++ b/hw/scsi/esp-pci.c
@@ -98,6 +98,7 @@ static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val)
     trace_esp_pci_dma_abort(val);
     if (s->current_req) {
         scsi_req_cancel(s->current_req);
+        s->async_len = 0;
     }
 }
 
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 507ab363bc..99bee7bc66 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s)
     int to_device = ((s->rregs[ESP_RSTAT] & 7) == STAT_DO);
     uint8_t buf[ESP_CMDFIFO_SZ];
 
-    len = esp_get_tc(s);
+    len = MIN(esp_get_tc(s), sizeof(buf));
     if (s->do_cmd) {
         /*
===

> >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan.
> >
> ># To reproduce this issue, please run the QEMU process with the following command line.
> >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
> >  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img

* This heap OOB access issue seems to occur because

static void do_busid_cmd(...)
     ...
     buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); <==

'buf' points towards an end of the 32 byte buffer allocated via

static void esp_init(Object *obj)
     ...
     fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ(=32));  <==

and the OOB access could occur at numerous places, one of which is

scsi_req_new
 -> scsi_req_parse_cdb
  -> memcpy(cmd->buf, buf, cmd->len);  <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32.

* This one is quite tricky to fix. Because 'buf[]' is accessed at various
  places with hard coded index values. It's not easy to check access
  against 's->cmdfifo' object.

@Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug

-> https://bugs.launchpad.net/qemu/+bug/1909247

It'll help to discuss/prepare a proper fix patch.

Thank you.
---
  -P J P
http://feedmug.com