CVE-2023-42467: FPE division by zero in scsi_disk_reset() [CVE-2023-42467] (#1813) · Issues · QEMU / QEMU · GitLab
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
FPE division by zero in scsi_disk_reset() [CVE-2023-42467]
Host environment
Operating system: Ubuntu 20.04
OS/kernel version: Linux 5.4.0-148
Architecture: x86_64
QEMU flavor: qemu-system-x86_64
QEMU version: commit at c167c80b
QEMU command line:
QEMU_FUZZ_ARGS="-device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive id=disk0,if=none,file=null-co://,format=raw -nodefaults" \
QEMU_FUZZ_OBJECTS="esp scsi am53c974" ./qemu-fuzz-x86_64 --fuzz-target=generic-fuzz
Description of problem
Got an FPE division by zero error when fuzzing the device am53c974.
Steps to reproduce
Minimized reproducer for the error:
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M \
    -device am53c974,id=scsi -device scsi-hd,drive=disk0 \
    -drive id=disk0,if=none,file=null-co://,format=raw -nodefaults \
    -qtest /dev/null -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x05
outl 0xc047 0x065a9d01
write 0x65a9d 0x1 0x15
write 0x65a9e 0x1 0x10
write 0x65aa0 0x1 0x08
write 0x65aa1 0x1 0x0c
write 0x65aa7 0x1 0x01
outl 0xc03d 0x03000000
outl 0xc00a 0xc10000
outl 0xc03d 0x03000000
outl 0xc00a 0xc10000
outl 0xc00b 0x9000
outl 0xc00b 0x0300
EOF
Additional information
The crash report triggered by the reproducer is:
[I 0.000000] OPENED
[R +0.024387] outl 0xcf8 0x80001010
[S +0.024420] OK
OK
[R +0.024470] outl 0xcfc 0xc000
[S +0.024490] OK
OK
[R +0.024513] outl 0xcf8 0x80001004
[S +0.024521] OK
OK
[R +0.024527] outw 0xcfc 0x05
[S +0.022723] OK
OK
[R +0.022734] outl 0xc047 0x065a9d01
[S +0.022742] OK
OK
[R +0.022747] write 0x65a9d 0x1 0x15
[S +0.022932] OK
OK
[R +0.022941] write 0x65a9e 0x1 0x10
[S +0.022947] OK
OK
[R +0.022952] write 0x65aa0 0x1 0x08
[S +0.022958] OK
OK
[R +0.022965] write 0x65aa1 0x1 0x0c
[S +0.022973] OK
OK
[R +0.022983] write 0x65aa7 0x1 0x01
[S +0.022991] OK
OK
[R +0.023004] outl 0xc03d 0x03000000
[S +0.023014] OK
OK
[R +0.023021] outl 0xc00a 0xc10000
[S +0.023048] OK
OK
[R +0.023056] outl 0xc03d 0x03000000
[S +0.023065] OK
OK
[R +0.023072] outl 0xc00a 0xc10000
[S +0.023128] OK
OK
[R +0.023141] outl 0xc00b 0x9000
[S +0.023159] OK
OK
[R +0.023166] outl 0xc00b 0x0300
../hw/scsi/scsi-disk.c:2351:16: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/scsi-disk.c:2351:16 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1208622==ERROR: AddressSanitizer: FPE on unknown address 0x558e9c0a9386 (pc 0x558e9c0a9386 bp 0x7ffcc04aaf50 sp 0x7ffcc04aaec0 T0)
#0 0x558e9c0a9386 in scsi_disk_reset ../hw/scsi/scsi-disk.c:2351:16
#1 0x558e9cf23f23 in resettable_phase_hold ../hw/core/resettable.c
#2 0x558e9cf0a861 in bus_reset_child_foreach ../hw/core/bus.c:97:13
#3 0x558e9cf23c05 in resettable_phase_hold ../hw/core/resettable.c:173:5
#4 0x558e9cf21b69 in resettable_assert_reset ../hw/core/resettable.c:60:5
#5 0x558e9cf217aa in resettable_reset ../hw/core/resettable.c:45:5
#6 0x558e9c0facd7 in esp_reg_write ../hw/scsi/esp.c:1075:13
#7 0x558e9c10d74d in esp_pci_io_write ../hw/scsi/esp-pci.c:214:9
#8 0x558e9cd7df23 in memory_region_write_accessor ../softmmu/memory.c:493:5
#9 0x558e9cd7d6aa in access_with_adjusted_size ../softmmu/memory.c:569:18
#10 0x558e9cd7ca50 in memory_region_dispatch_write ../softmmu/memory.c
#11 0x558e9cdc6fbf in flatview_write_continue ../softmmu/physmem.c:2653:23
#12 0x558e9cdbe463 in flatview_write ../softmmu/physmem.c:2695:12
#13 0x558e9cdbe177 in address_space_write ../softmmu/physmem.c:2791:18
#14 0x558e9cd70208 in cpu_outl ../softmmu/ioport.c:85:5
#15 0x558e9c4f0e76 in qtest_process_command ../softmmu/qtest.c:485:13
#16 0x558e9c4ef95b in qtest_process_inbuf ../softmmu/qtest.c:788:9
#17 0x558e9d3201a6 in fd_chr_read ../chardev/char-fd.c:72:9
#18 0x7f974a7c904d in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d) (BuildId: 5fdb313daf182a33a858ba2cc945211b11d34561)
#19 0x558e9d58d40f in glib_pollfds_poll ../util/main-loop.c:290:9
#20 0x558e9d58d40f in os_host_main_loop_wait ../util/main-loop.c:313:5
#21 0x558e9d58d40f in main_loop_wait ../util/main-loop.c:592:11
#22 0x558e9c4fcf76 in qemu_main_loop ../softmmu/runstate.c:732:9
#23 0x558e9cf06835 in qemu_default_main ../softmmu/main.c:37:14
#24 0x7f97495f0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#25 0x558e9b6e809d in _start (./qemu-system-x86_64+0x1e9109d)
Edited Aug 06, 2023 by Will Lester
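The report above says the crash is a division by zero in scsi_disk_reset() (hw/scsi/scsi-disk.c:2351) after a MODE SELECT has set s->qdev.blocksize to 256: dividing a host sector count by blocksize / 512 divides by zero once blocksize is below 512. The following is an added illustration written for this page, not QEMU's own code or its fix. It mirrors that arithmetic in a few lines, decodes the block length from a constructed 8-byte SCSI mode parameter block descriptor, and shows the validation a defender wants at the point where the guest-supplied value is accepted. BDRV_SECTOR_SIZE is QEMU's 512-byte host sector constant; every other name is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not QEMU code. BDRV_SECTOR_SIZE is QEMU's 512-byte
 * host sector size; the function names below are hypothetical. */
#define BDRV_SECTOR_SIZE 512

/* Accept only block sizes that are a whole, non-zero number of host sectors.
 * 256 (the value in the report) fails the first test; 768 fails the second. */
static bool blocksize_is_valid(uint32_t blocksize)
{
    return blocksize >= BDRV_SECTOR_SIZE && blocksize % BDRV_SECTOR_SIZE == 0;
}

/* Decode the block length from an 8-byte SCSI mode parameter block
 * descriptor: bytes 5..7 hold it as a big-endian 24-bit value. */
static uint32_t block_descriptor_block_length(const uint8_t desc[8])
{
    return (uint32_t)desc[5] << 16 | (uint32_t)desc[6] << 8 | desc[7];
}

/* The reset-time conversion from host sectors to logical blocks, guarded.
 * Returns -1 instead of evaluating nb_sectors / 0 for an unusable size. */
static int64_t nb_sectors_to_blocks(int64_t nb_sectors, uint32_t blocksize)
{
    if (!blocksize_is_valid(blocksize)) {
        return -1;
    }
    return nb_sectors / (blocksize / BDRV_SECTOR_SIZE);
}

/* Constructed descriptor carrying block length 0x000100 (256), the size the
 * report says the guest was able to set. Returns the decoded length. */
static uint32_t guest_descriptor_demo(void)
{
    const uint8_t desc[8] = { 0x00, 0x00, 0x00, 0x00,   /* density, #blocks */
                              0x00, 0x00, 0x01, 0x00 }; /* rsvd, block length */
    return block_descriptor_block_length(desc);
}

int main(void)
{
    uint32_t bs = guest_descriptor_demo();
    printf("descriptor block length = %u, accepted = %s\n",
           bs, blocksize_is_valid(bs) ? "yes" : "no");
    printf("1024 host sectors at 4096-byte blocks = %lld blocks\n",
           (long long)nb_sectors_to_blocks(1024, 4096));
    printf("1024 host sectors at 256-byte blocks  = %lld (rejected)\n",
           (long long)nb_sectors_to_blocks(1024, bs));
    return 0;
}
```

The point of the check is where it sits: it has to run when the MODE SELECT parameter data is parsed, before the value reaches s->qdev.blocksize, because the division happens later on an unrelated path (a bus reset triggered through the ESP controller's register write, per the stack trace), where nothing re-validates the stored size.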