path: root/results/scraper/launchpad-without-comments/1525123
author: Christian Krinitsin <mail@krinitsin.com> 2025-06-30 12:24:58 +0000
committer: Christian Krinitsin <mail@krinitsin.com> 2025-06-30 12:27:06 +0000
commit: 33606b41d35115f887ea688b1a16f2ff85bf2fe4 (patch)
tree: 406b2c7b19a087ba437c68f3dbf0b589fa1d6150 /results/scraper/launchpad-without-comments/1525123
parent: adedf8771bc4de3113041ca21bd4d0d1c0014b6a (diff)
download: emulator-bug-study-33606b41d35115f887ea688b1a16f2ff85bf2fe4.tar.gz
download: emulator-bug-study-33606b41d35115f887ea688b1a16f2ff85bf2fe4.zip
add launchpad bug reports without comments
Diffstat (limited to 'results/scraper/launchpad-without-comments/1525123')
-rw-r--r-- results/scraper/launchpad-without-comments/1525123 | 38
1 files changed, 38 insertions, 0 deletions
diff --git a/results/scraper/launchpad-without-comments/1525123 b/results/scraper/launchpad-without-comments/1525123
new file mode 100644
index 00000000..be30b3c2
--- /dev/null
+++ b/results/scraper/launchpad-without-comments/1525123
@@ -0,0 +1,38 @@
+USB assert failure on hcd-uhci.c
+
+When inserting the attached kernel moudle in the guest OS, QEMU quits with therse assert failure:
+
+
+[insert kernel module in guest root shell]
+root@qemu:~# insmod mymod.ko
+root@qemu:~# 
+Connection closed by foreign host.
+
+[host message]
+qemu-system-x86_64: hw/usb/core.c:718: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
+Aborted
+
+The cause of this bug is due to misimplementation of UHCI.
+According to Intel's UHCI design guide, packet identification in transfer descriptor should have one of these three value : IN (69h), OUT (E1h), and SETUP (2Dh). Any other value in this field shoudl cause HALT OF only HOST CONTROLLER.
+However, due to misimplementation in QEMU, not only host controller halts, but QEMU itself exits with assertion failure.
+This kind of assert failure can be misused by malwares to avoid being analyzed by terminating only in the virtual environments and still execute the malicious code in real machines.
+
+[How to run exploit code]
+Prepare linux kernel's source header, then type these lines in root shell.
+# make
+# insmod mymod.ko
+
+It needs uhci-hcd.h from linux kernel source.
+I attached linux 3.18.24's uhci-hcd.h for tempory measure; You should get proper version of uhci-hcd.h.
+In the following envrionment, this exploit worked, exiting whole QEMU, not only USB.
+
+QEMU was running on these environment :
+[CPU model] Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
+[qemu version] QEMU 2.5.0-rc3 (compiled from source, gcc 4.8.4)
+[host info] Ubuntu 14.04.3, x86_64, 3.19.0-32-generic
+[guest info] Ubuntu 14.04.3, x86_64, 3.19.0-28-generic
+[QEMU argument]
+x86_64-softmmu/qemu-system-x86_64 -hda /media/hdd/img/ubuntu1404.qcow2 \
+ -m 512 \
+ --usbdevice disk:format=qcow2:../usb.img \
+ --enable-kvm
\ No newline at end of file
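Review bot: the new file is written without a trailing newline (the `\ No newline at end of file` marker on the last hunk line) and stores a report whose reproduction depends on attachments (`mymod.ko`, `uhci-hcd.h`) that the scraper did not capture; consider having the scraper terminate each record with a newline and record the attachment names, or the bug's Launchpad identifier, alongside the text so the record of this guest-triggerable hypervisor abort (the `usb_ep_get` assertion at hw/usb/core.c:718, reached from an invalid UHCI transfer-descriptor PID) stays self-describing for later analysis. The scraped body itself should stay verbatim, typos included, since it is the evidence being archived.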