FYI:
http://terenceli.github.io/%E6%8A%80%E6%9C%AF/2018/12/06/qemu-escape
在 2018/12/6 17:02, li qiang 写道:
> 在 2018/12/6 16:48, P J P 写道:
>> From: Prasad J Pandit <p...@fedoraproject.org>
>>
>> While performing block transfer write in smb_ioport_writeb(),
>> 'smb_index' is incremented and used to index smb_data[] array.
>> Check 'smb_index' value to avoid OOB access.
>>
>> Reported-by: Michael Hanselmann <pub...@hansmi.ch>
>> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
>> ---
>> hw/i2c/pm_smbus.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
>> index 685a2378ed..03062740cc 100644
>> --- a/hw/i2c/pm_smbus.c
>> +++ b/hw/i2c/pm_smbus.c
>> @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr,
>> uint64_t val,
>> uint8_t read = s->smb_addr & 0x01;
>>
>> s->smb_index++;
>> + if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) {
>> + s->smb_index = 0;
>> + }
>> if (!read && s->smb_index == s->smb_data0) {
>> uint8_t prot = (s->smb_ctl >> 2) & 0x07;
>> uint8_t cmd = s->smb_cmd;
> Oh... Finally another one find this.....
>
> I've already found this. This is very a serious security issue.
>
> I have wrote a full exploit to make a VM escape using this vulnerability.
>
> This guest can read/write a 4G memory of qemu process by default
> configuration.
>
> As far as I know, this vulnerability may be the most serious
> vulnerability of the qemu history.
>
> Please pay a lot of attention for this issue.
>
> Later I will release the full paper and exploit. It's not harm as this
> is introduced in 3.1
>
> and no one use it now.
>
>
> Thanks,
>
> Li Qiang
>
>
>
>
