Advertisement
Guest User

CVE-2020-24165

a guest
Aug 25th, 2023
2,694
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.95 KB | Cybersecurity | 0 0
  1. QEMU v4.2.0 and lower has a use-after-free vulnerability in the TCG backend which can lead to arbitrary code execution. The vulnerability has been fixed in v5.0.0. The issue is caused by cpu_exec_step_atomic acquiring a TB which is invalidated by a tb_flush before it is executed.
  2.  
  3. Here is a brief description of the race that can take place with three concurrent threads:
  4.  
  5. Thread A:
  6.  
  7. A1. qemu_tcg_cpu_thread_fn runs work loop
  8. A2. qemu_wait_io_event => qemu_wait_io_event_common => process_queued_cpu_work
  9. A3. start_exclusive critical section entered
  10. A4. do_tb_flush is called, TB memory freed/re-allocated
  11. A5. end_exclusive exits critical section
  12.  
  13. Thread B:
  14.  
  15. B1. qemu_tcg_cpu_thread_fn runs work loop
  16. B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
  17. B3. tcg_tb_alloc obtains a new TB
  18.  
  19. Thread C:
  20.  
  21. C1. qemu_tcg_cpu_thread_fn runs work loop
  22. C2. cpu_exec_step_atomic executes
  23. C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
  24. C4. start_exclusive critical section entered
  25. C5. cpu_tb_exec executes the TB code
  26. C6. end_exclusive exits critical section
  27.  
  28. Consider the following sequence of events:
  29. B2 => B3 => C3 (same TB as B2) => A3 => A4 (TB freed) => A5 => B2 =>
  30. B3 (re-allocates TB from B2) => C4 => C5 (freed/reused TB now executing) => C6
  31.  
  32. In short, because thread C uses the TB in the critical section, there is no guarantee that the pointer has not been "freed" (rather the memory is marked as re-usable) and therefore a use-after-free occurs.
  33.  
  34. Since the TCG generated code can be in the same memory as the TB data structure, it is possible for an attacker to overwrite the UAF pointer with code generated from TCG. This can overwrite key pointer values and could lead to code execution on the host outside of the TCG sandbox.
  35.  
  36. The issue has been assigned CVE-2020-24165 and is tracked in https://bugs.launchpad.net/qemu/+bug/1863025
  37.  
  38. It has been fixed in commit https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement