path: root/results/classifier/zero-shot/118/none/1810956
blob: 659452e12d817d0f82548507e7cd398ea6c93623 (plain) (blame)
device: 0.761
TCG: 0.697
boot: 0.693
graphic: 0.667
network: 0.537
socket: 0.478
files: 0.465
risc-v: 0.449
kernel: 0.446
vnc: 0.441
arm: 0.373
semantic: 0.369
register: 0.363
architecture: 0.357
PID: 0.344
ppc: 0.321
mistranslation: 0.293
peripherals: 0.290
permissions: 0.277
performance: 0.241
i386: 0.234
hypervisor: 0.219
x86: 0.216
virtual: 0.160
VMM: 0.159
debug: 0.149
user-level: 0.124
KVM: 0.076
assembly: 0.070

qemu-2.12.1 crashes when running a malicious bootloader.

Running a specific bootloader on QEMU causes a fatal error and
hence a SIGABRT in /qemu-2.12.1/tcg/tcg.c on line 2684.

The bootloader binary code is included in the attachments.
The code was generated by assembling a valid bootloader, then
appending random bytes from `/dev/urandom` to the binary file.
This is a bug, obviously, but note that we do not guarantee TCG binary translation to be a security boundary against malicious code. Don't run guest code you don't trust inside TCG without further sandboxing around QEMU. (Much of the code that runs in a TCG configuration is old and unaudited, so there may be lurking bugs. Configurations using KVM are the only ones where we treat guest escapes as security bugs.)
I think this bug was fixed in QEMU 3.1 -- I can reproduce the assert on 3.0 but not on 3.1.