A vulnerability in the lsi53c895a (LSI SCSI controller) device model which affects the latest version of QEMU.
A carefully designed PoC can repeatedly trigger DMA writes without restricting the addresses those DMA writes target, which leads to re-entrancy into the device and eventually a stack overflow. A privileged local user could use this flaw to crash the QEMU process on the host.
It is worth noting that the DMA operation involved is the pci_dma_write() call in lsi_mem_write(), so the issue cannot be solved by modifying the 'attrs' flag.
The following AddressSanitizer log reveals it:
==3850539==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb10d5e58 (pc 0x55cd154d0f16 bp 0x7ffeb10d6690 sp 0x7ffeb10d5e60 T0)
    #0 0x55cd154d0f16 in __asan_memcpy llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x55cd15b25676 in sparse_mem_read qemu/hw/mem/sparse-mem.c:50:9
    #2 0x55cd16c973cd in memory_region_read_accessor qemu/softmmu/memory.c:440:11
    #3 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #4 0x55cd16c6cf11 in memory_region_dispatch_read1 qemu/softmmu/memory.c
    #5 0x55cd16c6cf11 in memory_region_dispatch_read qemu/softmmu/memory.c:1457:9
    #6 0x55cd16cb9270 in flatview_read_continue qemu/softmmu/physmem.c:2892:23
    #7 0x55cd16cba14f in flatview_read qemu/softmmu/physmem.c:2934:12
    #8 0x55cd16cb9ee3 in address_space_read_full qemu/softmmu/physmem.c:2947:18
    #9 0x55cd15ed44c5 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12
    #10 0x55cd15ed44c5 in dma_memory_rw qemu/include/sysemu/dma.h:130:12
    #11 0x55cd15ed44c5 in pci_dma_rw qemu/include/hw/pci/pci.h:850:12
    #12 0x55cd15ed44c5 in pci_dma_read qemu/include/hw/pci/pci.h:869:12
    #13 0x55cd15ed44c5 in read_dword qemu/hw/scsi/lsi53c895a.c:472:5
    #14 0x55cd15ed44c5 in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1154:12
    #15 0x55cd15eed0e5 in lsi_command_complete qemu/hw/scsi/lsi53c895a.c:810:5
    #16 0x55cd15e3d5c1 in scsi_req_complete qemu/hw/scsi/scsi-bus.c:1518:5
    #17 0x55cd15e41f9c in scsi_unit_attention qemu/hw/scsi/scsi-bus.c:422:5
    #18 0x55cd15e33c59 in scsi_req_enqueue qemu/hw/scsi/scsi-bus.c:890:10
    #19 0x55cd15ed869c in lsi_do_command qemu/hw/scsi/lsi53c895a.c:869:9
    #20 0x55cd15ed869c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1261:13
    #21 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c
    #22 0x55cd16c6ef86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5
    #23 0x55cd16c6e9fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18
    #24 0x55cd16c6e2fa in memory_region_dispatch_write qemu/softmmu/memory.c
    #25 0x55cd16cc274c in flatview_write_continue qemu/softmmu/physmem.c:2825:23
    #26 0x55cd16cba662 in flatview_write qemu/softmmu/physmem.c:2867:12
    #27 0x55cd16cba3f3 in address_space_write qemu/softmmu/physmem.c:2963:18
    #28 0x55cd15ed4d5c in lsi_memcpy qemu/hw/scsi/lsi53c895a.c:1104:9
    #29 0x55cd15ed4d5c in lsi_execute_script qemu/hw/scsi/lsi53c895a.c:1563:13
    #30 0x55cd15ece001 in lsi_reg_writeb qemu/hw/scsi/lsi53c895a.c
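As an added illustration (a constructed toy model, not QEMU's code), the shape of the loop visible in frames #21 to #30 above: a script memcpy whose DMA destination lies inside the device's own register window is dispatched straight back into the register write handler, which restarts the script, and so on until the host stack is exhausted. The `Dev`, `reg_write`, `dma_write` and `execute_script` names and the address map are assumptions; `MAX_DEPTH` stands in for the real stack limit, and `guard_on` shows a per-device re-entrancy guard that refuses a nested script start instead of recursing.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed toy map: 64 bytes of guest RAM with the device's 16-byte register window (its PCI BAR) inside it. */
#define RAM_SIZE  0x40u
#define MMIO_BASE 0x20u
#define MMIO_SIZE 0x10u
#define MAX_DEPTH 64u   /* stands in for the host stack limit hit in the log */
typedef struct {
    int      guard_on;   /* 1 = refuse nested script execution */
    int      in_script;  /* set while the script processor is running */
    unsigned depth;      /* deepest nesting level reached */
    unsigned dropped;    /* register writes refused by the guard */
    uint32_t dma_dst;    /* guest-chosen destination of the script's memcpy */
    uint8_t  ram[RAM_SIZE];
} Dev;
static void reg_write(Dev *d, uint32_t reg, uint8_t val, unsigned depth);
/* Like address_space_write(): a byte landing in the device's own window re-enters its register handler. */
static void dma_write(Dev *d, uint32_t dst, const uint8_t *src, size_t n, unsigned depth) {
    for (size_t i = 0; i < n; i++) {
        uint32_t a = dst + (uint32_t)i;
        if (a >= MMIO_BASE && a < MMIO_BASE + MMIO_SIZE)
            reg_write(d, a - MMIO_BASE, src[i], depth);   /* re-entry */
        else if (a < RAM_SIZE)
            d->ram[a] = src[i];
    }
}
/* The script: one memcpy to wherever the guest pointed it. */
static void execute_script(Dev *d, unsigned depth) {
    static const uint8_t payload[4] = {1, 1, 1, 1};   /* constructed data */
    if (depth > d->depth) d->depth = depth;
    if (depth >= MAX_DEPTH) return;   /* the real process overflowed here */
    dma_write(d, d->dma_dst, payload, sizeof payload, depth + 1);
}
/* A nonzero write to register 0 (re)starts the script processor. */
static void reg_write(Dev *d, uint32_t reg, uint8_t val, unsigned depth) {
    if (reg != 0 || val == 0) return;
    if (d->in_script && d->guard_on) { d->dropped++; return; }
    int was_running = d->in_script;
    d->in_script = 1;
    execute_script(d, depth);
    d->in_script = was_running;
}
/* Run one scenario from a single guest kick; returns the deepest nesting reached. */
unsigned run(int guard_on, uint32_t dma_dst, unsigned *dropped) {
    Dev d = { .guard_on = guard_on, .dma_dst = dma_dst };
    reg_write(&d, 0, 1, 1);
    if (dropped) *dropped = d.dropped;
    return d.depth;
}
```

With the guard off and the DMA aimed at the register window, `run()` bottoms out at `MAX_DEPTH`; with it on, the nested kick is counted in `dropped` and the script runs exactly once.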
Comment 3 (Mauro Matteo Cascella, 2023-01-16 21:56:08 UTC)