[Bug 1863025] Re: Use-after-free after flush in TCG accelerator

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1863025] Re: Use-after-free after flush in TCG accelerator

From:	Samuel Henrique
Subject:	[Bug 1863025] Re: Use-after-free after flush in TCG accelerator
Date:	Thu, 31 Aug 2023 12:48:34 -0000

CVE-2020-24165 was assigned to this:
https://nvd.nist.gov/vuln/detail/CVE-2020-24165

I had no involvement in the assignment, posting here for reference only.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24165

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863025

Title:
  Use-after-free after flush in TCG accelerator

Status in QEMU:
  Fix Released

Bug description:
  I believe I found a UAF in TCG that can lead to a guest VM escape. The
  security list informed me "This can not be treated as a security
  issue." and to post it here. I am looking at the 4.2.0 source code.
  The issue requires a race and I will try to describe it in terms of
  three concurrent threads.

  Thread A:

  A1. qemu_tcg_cpu_thread_fn runs work loop
  A2. qemu_wait_io_event => qemu_wait_io_event_common => process_queued_cpu_work
  A3. start_exclusive critical section entered
  A4. do_tb_flush is called, TB memory freed/re-allocated
  A5. end_exclusive exits critical section

  Thread B:

  B1. qemu_tcg_cpu_thread_fn runs work loop
  B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
  B3. tcg_tb_alloc obtains a new TB

  Thread C:

  C1. qemu_tcg_cpu_thread_fn runs work loop
  C2. cpu_exec_step_atomic executes
  C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
  C4. start_exclusive critical section entered
  C5. cpu_tb_exec executes the TB code
  C6. end_exclusive exits critical section

  Consider the following sequence of events:
    B2 => B3 => C3 (same TB as B2) => A3 => A4 (TB freed) => A5 => B2 =>
    B3 (re-allocates TB from B2) => C4 => C5 (freed/reused TB now executing) => 
C6

  In short, because thread C uses the TB in the critical section, there
  is no guarantee that the pointer has not been "freed" (rather the
  memory is marked as re-usable) and therefore a use-after-free occurs.

  Since the TCG generated code can be in the same memory as the TB data
  structure, it is possible for an attacker to overwrite the UAF pointer
  with code generated from TCG. This can overwrite key pointer values
  and could lead to code execution on the host outside of the TCG
  sandbox.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1863025/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1863025] Re: Use-after-free after flush in TCG accelerator, Samuel Henrique <=
- Re: [Bug 1863025] Re: Use-after-free after flush in TCG accelerator, Philippe Mathieu-Daudé, 2023/08/31
  - Re: [Bug 1863025] Re: Use-after-free after flush in TCG accelerator, Daniel P . Berrangé, 2023/08/31
    - Re: [Bug 1863025] Re: Use-after-free after flush in TCG accelerator, Mauro Matteo Cascella, 2023/08/31
- [Bug 1863025] Re: Use-after-free after flush in TCG accelerator, Mauro Matteo Cascella, 2023/08/31

Prev by Date: [PULL 20/41] hw/char: Have FEWatchFunc handlers return G_SOURCE_CONTINUE/REMOVE
Next by Date: [PULL 22/41] hw/char/pl011: Display register name in trace events
Previous by thread: [PATCH v2 0/5] vfio/migration: Block VFIO migration with postcopy and background snapshot
Next by thread: Re: [Bug 1863025] Re: Use-after-free after flush in TCG accelerator
Index(es):
- Date
- Thread