n0o.com - Personal archive of discovered vulns & writeups.

[NO CVE]QEMU: Use-after-free in scsi-bus.c


Reported to QEMU @ 22 April 2020
Fixed @ 7 July 2020

Reply from the vendor: But considering that the issue depends on an administrator hot plugging/unplugging a drive image, it is more of a non-security bug. Not a CVE issue.

======================================
Overview
======================================

The "opaque" object in scsi_dma_restart_bh can be used after free. The operation qemu_bh_delete(s->bh); uses the freed "opaque" (s) object directly. The freed s (opaque) can be occupied by other data, so s->bh can point to an arbitrary address, which qemu_bh_delete then frees:

void qemu_bh_delete(QEMUBH *bh){ g_free(bh); }

I believe this is not related to the system version or hardware architecture. Here's the environment I used to test:

Host: Ubuntu 16.04 x86_64
Guest: Ubuntu 18.04 x86_64
Qemu: 4.2.0 (I checked the commits between 4.2.0 and 5.0.0 and I believe 5.0.0 has the same problem)
libvirt: 6.0.0 with KVM enabled

=======================================
The root cause of the vulnerability
=======================================

1. Whenever a SCSI device is added/plugged into the guest, the callback scsi_dma_restart_cb is registered.
2. When there's a state change in the guest, the callback scsi_dma_restart_cb is called and schedules the bottom half scsi_dma_restart_bh with opaque=s, if the guest is not in the shutdown process.
3. In the main IO thread, there's a loop of glib_pollfds_poll; when an fd is ready, AIO operations are called and then scsi_dma_restart_bh is called. (The 'USE' part)
4. Meanwhile, the attacker could write something to the IOPORT to unplug the device, which in another thread triggers acpi_pcihp_eject_slot, then device_unparent, and frees the memory related to the device. (The 'FREE' part)
5. Steps (3) and (4) can race; if (4) runs before (3), there's a UAF.

Related code:
hw/scsi/scsi-bus.c: scsi_dma_restart_cb, scsi_dma_restart_bh
hw/acpi/pcihp.c: acpi_pcihp_eject_slot

=======================================
Different Ways To Trigger the UAF
=======================================

a. If the guest system can be suspended (paused), here's a simple way to test:
1. Know the slot number of the disk X being attached. (By finding the next available slot number from lspci)
2. Do not attach disk X yet; start a program in the guest. That program will *infinitely* write (2 << slot) to the IOPORT of the bus, trying to release disk X.
3. Pause the guest and attach disk X.
4. Resume the guest. Now the bh callback and the IOPORT write should run at the same time and cause the UAF by chance. If it does not succeed, repeat steps 3-4.

b. If your guest system cannot be paused, you can try the following (I haven't tested this yet; I think there could be some chance to do this but I'm not very sure about that. Meant for reference only.):
1. Know the slot of the disk X being attached.
2. Build a custom system kernel that does the IOPORT writes at the last moment before the machine is rebooted.
3. Attach disk X.
4. Reboot the guest machine. If it does not succeed, repeat steps 3-4.
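As an added illustration, and not QEMU's code or its actual fix: a constructed C model of the race above, showing the hardening of taking a reference on the device when the bottom half is scheduled, so that an unplug running first cannot free the object underneath the pending callback. All names here (Device, pending_bh, schedule_dma_restart) are hypothetical.

```c
#include <stdlib.h>

/* Constructed model (not QEMU code) of the pattern in the writeup above: a
 * device object, a deferred bottom half that captures it as an opaque pointer,
 * and a hot-unplug path that releases it. The hardening shown is reference
 * counting: scheduling the callback takes a reference that only the callback
 * drops, so unplug may run first without freeing the object under it. */
typedef struct Device { int refcount; int id; } Device;  /* refcount: bus + pending BH */
typedef struct BH { void (*cb)(void *opaque); void *opaque; int scheduled; } BH;

static BH pending_bh;      /* stands in for the main loop's bottom-half list */
static int freed_devices;  /* how many Device objects reached refcount 0 */
static int last_bh_id;     /* id read by the callback, showing it saw live data */

static Device *device_new(int id) {
    Device *d = calloc(1, sizeof *d);
    d->refcount = 1;       /* reference held by the parent (the bus) */
    d->id = id;
    return d;
}
static void device_unref(Device *d) {
    if (--d->refcount == 0) { freed_devices++; free(d); }
}
/* Deferred work: use the device, then drop the reference taken at scheduling. */
static void dma_restart_bh(void *opaque) {
    Device *d = opaque;
    last_bh_id = d->id;
    pending_bh.scheduled = 0;
    device_unref(d);
}
static void schedule_dma_restart(Device *d) {
    d->refcount++;         /* keeps d alive until dma_restart_bh has run */
    pending_bh = (BH){ dma_restart_bh, d, 1 };
}
static void run_pending_bh(void) {
    if (pending_bh.scheduled) pending_bh.cb(pending_bh.opaque);
}
/* The race order from the writeup: unplug (FREE) before the bottom half (USE).
 * Returns 1 when the device survived the unplug, the callback read it intact,
 * and the memory was released only after the callback finished. */
int unplug_before_bh_is_safe(void) {
    freed_devices = 0; last_bh_id = 0;
    Device *d = device_new(7);
    schedule_dma_restart(d);
    device_unref(d);                 /* hot-unplug: the parent drops its reference */
    int freed_early = freed_devices; /* still 0: the callback's reference holds */
    run_pending_bh();
    return freed_early == 0 && last_bh_id == 7 && freed_devices == 1;
}
```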

sqlite3_shadow_table_fuzzer was committed


I have committed my sqlite3_shadow_table_fuzzer to the Chromium base; the code can be found here:

Commit: https://chromium.googlesource.com/chromium/src/third_party/sqlite/+/4bdcad26cbde7791d53cf7f15715b2805fddf889
Code: https://chromium.googlesource.com/chromium/src/third_party/sqlite/+/4bdcad26cbde7791d53cf7f15715b2805fddf889/fuzz/shadow_table_fuzzer.cc

So far, a bunch of bugs or vulnerabilities have been found in Chromium; some of the issue IDs are:

1. Issue 1028722: sqlite3_shadow_table_fuzzer: Heap-buffer-overflow in sqlite3Fts3GetVarint
2. Issue 1029002: sqlite3_shadow_table_fuzzer: ASSERT: pWriter || bIgnoreEmpty
3. Issue 1029027: sqlite3_shadow_table_fuzzer: Heap-buffer-overflow in sqlite3Fts3GetVarint
4. Issue 1029210: sqlite3_shadow_table_fuzzer: Heap-buffer-overflow in sqlite3Fts3Incrmerge
5. Issue 1029506: sqlite3_shadow_table_fuzzer: Use-of-uninitialized-value in fts3IncrmergeHintPop
6. Issue 1030709: sqlite3_shadow_table_fuzzer: Integer-overflow in fts3ChecksumIndex
7. Issue 1035663: sqlite3_shadow_table_fuzzer: Heap-buffer-overflow in fts3IncrmergeHintPop
8. Issue 1035710: sqlite3_shadow_table_fuzzer: Heap-buffer-overflow in sqlite3Fts3GetVarint32
9. Issue 1037786: sqlite3_shadow_table_fuzzer: Undefined-shift in fts3BestSnippet
10. Issue 1038213: sqlite3_shadow_table_fuzzer: Out-of-memory in sqlite3_shadow_table_fuzzer (OOM in SQLite)
11. Issue 1049131: sqlite3_shadow_table_fuzzer: Integer-overflow in fts3SegmentIsMaxLevel
12. Issue 1057441: sqlite3_shadow_table_fuzzer: Use-of-uninitialized-value in fts3ScanInteriorNode
13. Issue 1062965: sqlite3_shadow_table_fuzzer: Integer-overflow in fts3IncrmergeOutputIdx
14. Issue 1204066 in chromium: sqlite3_shadow_table_fuzzer: Integer-overflow in fts3SelectLeaf

[CVE-2019-13753] Out of bounds read in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Out-of-bounds Read
In Function : ..

Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13753

[CVE-2019-13752] Out of bounds read in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Out-of-bounds Read
In Function : ..

Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13752

[CVE-2019-13751] Uninitialized data in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Uninitialized Use
In Function : ..

Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13751

[CVE-2019-13750] Insufficient data validation in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Protection Bypass
In Function : ..

Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13750

[CVE-2019-13734] Out of bounds write in SQLite


Reported on : 16 Nov 2019
Shipped on : 11 Dec 2019
Type : Out-of-bounds Write
In Function : ..

Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2019-13734

[CVE-2020-19646] ffmpeg, Out-of-Bounds Read and Information Leak in ftp.c:393


Reported on : 21 Aug 2018
Shipped on : 13 Feb 2019
Type : Out-of-bounds Read
In Function : ftp_file_size

If the server responds with `213\0` (the reply code with nothing after it), `filesize` is converted from bytes outside the buffer. There is also a small chance of leaking data, if the reused heap memory contains the characters 0-9, +, -, or e, since the filesize is later sent to the server when downloading.
https://patchwork.ffmpeg.org/patch/12060/

[CVE-2020-19645] ffmpeg, Out-of-Bounds access in process_line()


Reported on : 21 Aug 2018
Shipped on : 13 Feb 2019
Type : Out-of-bounds Write
In Function : process_line

while(!av_isspace(*p)) p++;
*(p++) = 0;

If the server response has no space after the reply code, p runs past the end of the buffer, and the write of zero then lands out of bounds.
https://patchwork.ffmpeg.org/patch/12061/
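As an added example covering both ftp.c entries above (ftp_file_size and process_line), and not ffmpeg's own code: bounded parsing of FTP control replies that rejects a bare `213` reply instead of reading past its NUL, and refuses to write the terminator when no space appears before the buffer ends. The function names are hypothetical and the sample replies are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bounded parsing of FTP control replies, written for this page (not ffmpeg's
 * ftp.c). Both functions take an explicit length instead of trusting the
 * server to send the separator the parser expects. */

/* SIZE reply "213 <bytes>": fill *out only when a digit run really follows
 * the code inside the buffer. A bare "213" (the ftp_file_size case) is
 * rejected instead of converting whatever lies past the terminating NUL. */
int parse_size_reply(const char *res, size_t len, long long *out) {
    if (len < 5 || strncmp(res, "213 ", 4) != 0) return -1;
    if (!isdigit((unsigned char)res[4])) return -1;
    char *end;
    long long v = strtoll(res + 4, &end, 10);
    if ((size_t)(end - res) > len) return -1;   /* never read beyond len */
    *out = v;
    return 0;
}

/* Split "<code> <text>" in place like process_line, but stop at the end of
 * the buffer: when no space appears before the end (the process_line case)
 * return -1 rather than writing the terminator out of bounds. */
int split_code_in_place(char *buf, size_t len) {
    char *p = buf, *end = buf + len;
    while (p < end && *p != '\0' && !isspace((unsigned char)*p)) p++;
    if (p >= end || *p == '\0') return -1;
    *p = '\0';
    return (int)(p - buf);
}

/* Wrappers over NUL-terminated sample replies, handy for quick checks. */
long long size_reply_value(const char *res) {
    long long v;
    return parse_size_reply(res, strlen(res), &v) == 0 ? v : -1;
}

int code_token_length(const char *line) {
    char buf[64];                      /* private copy: the split writes a NUL */
    size_t n = strlen(line);
    if (n >= sizeof buf) return -1;
    memcpy(buf, line, n + 1);
    return split_code_in_place(buf, n);
}
```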

[CVE-2019-5835] chromium-browser: Out of bounds read in Swiftshader


Reported on : 7 Mar 2019
Shipped on : 4 Jun 2019
Type : Type Confusion (Arbitrary Memory Read)
In Function : parseLayoutQualifier

chromium-browser: Out of bounds read in Swiftshader. A vulnerability in Swiftshader could allow an attacker to read arbitrary memory via a type confusion from an unsigned integer to a TString object.
https://bugs.chromium.org/p/chromium/issues/detail?id=939239

#version 300 es
layout(location=0x86868686u