Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- QEMU v4.2.0 and lower has a use-after-free vulnerability in the TCG backend which can lead to arbitrary code execution. The vulnerability has been fixed in v5.0.0. The issue is caused by cpu_exec_step_atomic acquiring a TB which is invalidated by a tb_flush before it is executed.
- Here is a brief description of the race that can take place with three concurrent threads:
- Thread A:
- A1. qemu_tcg_cpu_thread_fn runs work loop
- A2. qemu_wait_io_event => qemu_wait_io_event_common => process_queued_cpu_work
- A3. start_exclusive critical section entered
- A4. do_tb_flush is called, TB memory freed/re-allocated
- A5. end_exclusive exits critical section
- Thread B:
- B1. qemu_tcg_cpu_thread_fn runs work loop
- B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
- B3. tcg_tb_alloc obtains a new TB
- Thread C:
- C1. qemu_tcg_cpu_thread_fn runs work loop
- C2. cpu_exec_step_atomic executes
- C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
- C4. start_exclusive critical section entered
- C5. cpu_tb_exec executes the TB code
- C6. end_exclusive exits critical section
- Consider the following sequence of events:
- B2 => B3 => C3 (same TB as B2) => A3 => A4 (TB freed) => A5 => B2 =>
- B3 (re-allocates TB from B2) => C4 => C5 (freed/reused TB now executing) => C6
- In short, because thread C uses the TB in the critical section, there is no guarantee that the pointer has not been "freed" (rather the memory is marked as re-usable) and therefore a use-after-free occurs.
- Since the TCG generated code can be in the same memory as the TB data structure, it is possible for an attacker to overwrite the UAF pointer with code generated from TCG. This can overwrite key pointer values and could lead to code execution on the host outside of the TCG sandbox.
- The issue has been assigned CVE-2020-24165 and is tracked in https://bugs.launchpad.net/qemu/+bug/1863025
- It has been fixed in commit https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement