summary refs log tree commit diff stats
path: root/results/classifier/gemma3:12b/device/1525123
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/gemma3:12b/device/1525123')
-rw-r--r--results/classifier/gemma3:12b/device/152512339
1 files changed, 39 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/1525123 b/results/classifier/gemma3:12b/device/1525123
new file mode 100644
index 000000000..6126b8862
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/1525123
@@ -0,0 +1,39 @@
+
+USB assert failure on hcd-uhci.c
+
+When inserting the attached kernel moudle in the guest OS, QEMU quits with therse assert failure:
+
+
+[insert kernel module in guest root shell]
+root@qemu:~# insmod mymod.ko
+root@qemu:~# 
+Connection closed by foreign host.
+
+[host message]
+qemu-system-x86_64: hw/usb/core.c:718: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
+Aborted
+
+The cause of this bug is due to misimplementation of UHCI.
+According to Intel's UHCI design guide, packet identification in transfer descriptor should have one of these three value : IN (69h), OUT (E1h), and SETUP (2Dh). Any other value in this field shoudl cause HALT OF only HOST CONTROLLER.
+However, due to misimplementation in QEMU, not only host controller halts, but QEMU itself exits with assertion failure.
+This kind of assert failure can be misused by malwares to avoid being analyzed by terminating only in the virtual environments and still execute the malicious code in real machines.
+
+[How to run exploit code]
+Prepare linux kernel's source header, then type these lines in root shell.
+# make
+# insmod mymod.ko
+
+It needs uhci-hcd.h from linux kernel source.
+I attached linux 3.18.24's uhci-hcd.h for tempory measure; You should get proper version of uhci-hcd.h.
+In the following envrionment, this exploit worked, exiting whole QEMU, not only USB.
+
+QEMU was running on these environment :
+[CPU model] Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
+[qemu version] QEMU 2.5.0-rc3 (compiled from source, gcc 4.8.4)
+[host info] Ubuntu 14.04.3, x86_64, 3.19.0-32-generic
+[guest info] Ubuntu 14.04.3, x86_64, 3.19.0-28-generic
+[QEMU argument]
+x86_64-softmmu/qemu-system-x86_64 -hda /media/hdd/img/ubuntu1404.qcow2 \
+ -m 512 \
+ --usbdevice disk:format=qcow2:../usb.img \
+ --enable-kvm
\ No newline at end of file