1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
USB assert failure on hcd-uhci.c
When inserting the attached kernel moudle in the guest OS, QEMU quits with therse assert failure:
[insert kernel module in guest root shell]
root@qemu:~# insmod mymod.ko
root@qemu:~#
Connection closed by foreign host.
[host message]
qemu-system-x86_64: hw/usb/core.c:718: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
Aborted
The cause of this bug is due to misimplementation of UHCI.
According to Intel's UHCI design guide, packet identification in transfer descriptor should have one of these three value : IN (69h), OUT (E1h), and SETUP (2Dh). Any other value in this field shoudl cause HALT OF only HOST CONTROLLER.
However, due to misimplementation in QEMU, not only host controller halts, but QEMU itself exits with assertion failure.
This kind of assert failure can be misused by malwares to avoid being analyzed by terminating only in the virtual environments and still execute the malicious code in real machines.
[How to run exploit code]
Prepare linux kernel's source header, then type these lines in root shell.
# make
# insmod mymod.ko
It needs uhci-hcd.h from linux kernel source.
I attached linux 3.18.24's uhci-hcd.h for tempory measure; You should get proper version of uhci-hcd.h.
In the following envrionment, this exploit worked, exiting whole QEMU, not only USB.
QEMU was running on these environment :
[CPU model] Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
[qemu version] QEMU 2.5.0-rc3 (compiled from source, gcc 4.8.4)
[host info] Ubuntu 14.04.3, x86_64, 3.19.0-32-generic
[guest info] Ubuntu 14.04.3, x86_64, 3.19.0-28-generic
[QEMU argument]
x86_64-softmmu/qemu-system-x86_64 -hda /media/hdd/img/ubuntu1404.qcow2 \
-m 512 \
--usbdevice disk:format=qcow2:../usb.img \
--enable-kvm
|