• Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
No Result
View All Result
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects
No Result
View All Result
Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!
No Result
View All Result
Home Security

CVE-2022-35414 – QEMU 4.1.50 through QEMU 7.0.0 – address_space_translate_for_iotlb allows a guest user to crash a host resulting in a denial of service.

by Sick Codes
July 11, 2022
in Security
1

Title

CVE-2022-35414 – QEMU 4.1.50 through QEMU 7.0.0 – address_space_translate_for_iotlb allows a guest user to crash a host resulting in a denial of service.

CVE ID

CVE-2022-35414

CVSS Score

N/A

Internal IDs

SICK-2022-113

Vendor

QEMU Project

Product

QEMU

Product Versions

QEMU version 4.1.50 through 7.0.0

Vulnerability Details

A vulnerability in qemu-system-aarch64 in QEMU 4.1.50 through QEMU 7.0.0 allows a guest OS to crash a host when a guess attempts to access an unmapped IOMMU. An attacker can crash and potentially execute arbitrary code as a QEMU guest. An uninitialized local variable in cputlb tlb_set_page_with_attrs causes a SIGSEGV in io_readx/io_writex via address_space_translate_for_iotlb when a CPU accesses an unmapped IOMMU via memory_region_register_iommu_notifier.

Vendor Response

https://gitlab.com/qemu-project/qemu/-/issues/1065

https://www.mail-archive.com/qemu-devel@nongnu.org/msg895266.html

https://gitlab.com/qemu-project/qemu/-/commit/549d4005874f602e957b07459949ae514ea96f20

Proof of Concept

Attempted to run varying imx6 kernels on qemu-system-aarch64 & qemu-system-arm.

git clone https://github.com/ryzenlover/remarkable-mfgtools.git

# qemu-system-aarch64 -machine virt -cpu cortex-a57 \
#         -device virtio-net-device,netdev=net0 -netdev user,id=net0 \
#         -m 512 \
#         -bios qemu-u-boot-bcm-2xxx-rpi4.bin \
#         -device virtio-gpu-pci -serial stdio \
#         -device qemu-xhci -device usb-tablet -device usb-kbd \
#         -drive id=disk0,file=boot-image-qemu.hddimg,if=none,format=raw -device virtio-blk-device,drive=disk0

Jul 04 11:10:00.883873 hostname kernel: qemu-system-aar[191949]: segfault at a0 ip 000056298699d0bb sp 00007fe2bb9fde30 error 4 in qemu-system-aarch64[5629863bc000+97c000]
Jul 04 11:10:00.883965 hostname kernel: Code: 48 89 06 c7 46 08 01 00 00 00 44 89 66 20 0f 11 46 10 e8 b8 fc ff ff 48 8b 74 24 30 eb 53 90 48 8b 6c 24 28 0f 1f 00 48 89 ca <48> 8b 89 a0 00 00 00 48 85 c9 75 f1 80 7a 30 00 0f 84 9f 00 00 00

Disclosure Timeline

  • 2022-06-06 – Researcher discovers vulnerability
  • 2022-07-04 – Researcher encounters vulnerability

Links

https://gitlab.com/qemu-project/qemu/-/issues/1065

https://github.com/sickcodes/security/blob/master/advisories/SICK-2022-113.md

https://sick.codes/sick-2022-113

https://github.com/qemu/qemu/blob/f200ff158d5abcb974a6b597a962b6b2fbea2b06/softmmu/physmem.c

https://github.com/qemu/qemu/blob/v7.0.0/include/exec/cpu-all.h#L145-L148

https://github.com/qemu/qemu/commit/ 3517fb726741c109cae7995f9ea46f0cab6187d6#diff-83c563ed6330dc5d49876f1116e7518b5c16654bbc6e9b4ea8e28f5833d576fcR482

https://github.com/qemu/qemu/commit/ 3517fb726741c109cae7995f9ea46f0cab6187d6#diff-83c563ed6330dc5d49876f1116e7518b5c16654bbc6e9b4ea8e28f5833d576fcR482.aa

https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c

https://www.mail-archive.com/qemu-devel@nongnu.org/msg895266.html

Researchers

  • Trung Nguyen https://gitlab.com/TrungNguyen1909
  • Sick Codes https://github.com/sickcodes || https://twitter.com/sickcodes

CVE Links

https://sick.codes/sick-2022-113

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35414

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35414

Next Post
CVE-2022-36123 asm_exc_page_fault

CVE-2022-36123 - A vulnerability in Linux kernel mainline v5.18-rc1 through v5.19-rc6 does not clear statically allocated variables in the block starting symbol (.bss) due to a failed early_xen_iret_patch leading to an asm_exc_page_fault, or arbitrary code execution

asrock ipmi bug

ASRock Rack Aspeed Ast2500 BMC/IPMI Reset Fixes (American Megatrends)

Hacking RAM Trucks

Live Event: Sick Codes presenting @ Automotive Cybersecurity Conference by Automotive-IQ: "Research on the Stellantis Platform" Santa Clara Marriott Hotel, CA, October 25 - 27, 2022

Comments 1

  1. Pingback: Vulnerabilidad en () - CVE-2022-35414 - Información y Soluciones

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

No Result
View All Result
  • Home
  • Releases
  • Submit Vuln
  • Press
  • About
  • PGP
  • Contact
    • Contact
    • Submit Vuln
    • VDP
  • Tutorials
    • All Posts
    • Photoshop on Linux
    • macOS on Linux
  • Supporters
  • Projects

© 2017-2021 Sick.Codes

@sickcodes

@sickcodes

@sickcodes

Discord Server

sickcodes.slack.com

t.me/sickcodeschat

./contact_form