Qemu gdb stub security
Posted: Mon Oct 12, 2015 6:55 am
Hi all,
A combination of ranting and warning all you guys... Boy, the guys over at Qemu really seem to care about their product...
The following code is found in gdbstub.c:
```c
/* 'm' packet handler from gdbstub.c, as quoted in the post.
 * p points into the packet received over the gdb socket; mem_buf is a fixed
 * 4096-byte buffer; len is taken from the packet and never bounded. */
case 'm':
    addr = strtoull(p, (char **)&p, 16);
    if (*p == ',')
        p++;
    len = strtoull(p, NULL, 16);   /* attacker-controlled length */
    /* reads len bytes into the fixed-size mem_buf, even when len > 4096 */
    if (target_memory_rw_debug(s->g_cpu, addr, mem_buf, len, false) != 0) {
        put_packet(s, "E14");
    } else {
        memtohex(buf, mem_buf, len);
        put_packet(s, buf);
    }
    break;
```
Doesn't sound too bad, though, does it? I mean, it's only a gdbstub, you should only have access to it yourself. Except, unless you specifically block it in your firewall, you don't. They're friendly enough to let the socket bind to a hard-coded address of 0.0.0.0, thank you very much! So, unless you block it with a firewall, anyone who manages to connect at the right time is given the permission of the user running Qemu.
Now, simple fix, right? Except, after 4.5 months, I finally got a reply saying the "upstream Qemu folks" do not consider gdbstub vulnerabilities security relevant. Seriously. 4.5 months. I could've written a fix (albeit maybe not the best, but definitely not worse than now) in about 5 minutes.
I don't get that they refuse to treat a security vulnerability as such. Perhaps it's unlikely to get exploited, but there are certainly attack scenarios. Plenty of people at my uni knew I'm working on an OS, running it with Qemu, and continuously trying to connect to the proper port of my IP would definitely at some point win the race to my own connection (until I blocked it, of course).
So, anyone else running gdbstub without a firewall?
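As an added illustration of the missing bounds check described in the post (this is constructed example code, not QEMU's gdbstub.c and not the poster's), the handler below parses the same "m&lt;addr&gt;,&lt;len&gt;" packet payload but rejects any len larger than the fixed buffer before touching memory. The guest memory array, fake_memory_read() and the 4096-byte MEM_BUF_SIZE are assumptions standing in for target_memory_rw_debug() and mem_buf; the return codes are a simplification of the stub's "E14" reply.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, self-contained example; none of this is QEMU's gdbstub.c.
 * MEM_BUF_SIZE mirrors the fixed 4096-byte mem_buf the post describes; the guest
 * memory array and fake_memory_read() are stand-ins for target_memory_rw_debug(). */
#define MEM_BUF_SIZE   4096
#define GUEST_MEM_SIZE 65536

static uint8_t guest_mem[GUEST_MEM_SIZE];   /* hypothetical guest RAM, zero-filled */
static uint8_t mem_buf[MEM_BUF_SIZE];       /* fixed scratch buffer an 'm' reply is read into */

/* Stand-in for target_memory_rw_debug(): copies guest bytes into buf.
 * Returns 0 on success, -1 if the range lies outside guest memory. The
 * subtraction form avoids wrap-around in addr + len. */
static int fake_memory_read(uint64_t addr, uint8_t *buf, uint64_t len)
{
    if (addr > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - addr)
        return -1;
    memcpy(buf, guest_mem + addr, (size_t)len);
    return 0;
}

/* Parse the payload of an 'm' packet: "<addr>,<len>" in hex, leading 'm' already
 * consumed. Unlike the strtoull / `if (*p == ',') p++` sequence in the quoted code,
 * a missing comma, missing digits or trailing junk is treated as an error. */
static int parse_m_packet(const char *p, uint64_t *addr, uint64_t *len)
{
    char *end;
    *addr = strtoull(p, &end, 16);
    if (end == p || *end != ',')
        return -1;
    p = end + 1;
    *len = strtoull(p, &end, 16);
    if (end == p || *end != '\0')
        return -1;
    return 0;
}

/* Hardened 'm' handler. Returns the number of bytes placed in mem_buf, or -1 for
 * every case the stub would answer with "E14". The len > sizeof(mem_buf) test is
 * the check the post says is missing: len arrives straight off the socket, so it
 * must be bounded before it becomes a copy length into a fixed-size buffer. */
static long handle_m_packet(const char *payload)
{
    uint64_t addr, len;
    if (parse_m_packet(payload, &addr, &len) != 0)
        return -1;
    if (len > sizeof(mem_buf))          /* reject instead of overflowing */
        return -1;
    if (fake_memory_read(addr, mem_buf, len) != 0)
        return -1;
    return (long)len;
}

/* Hex-encode a reply the way an 'm' response is sent (two hex digits per byte).
 * The reply buffer needs 2*n + 1 bytes, so that size is checked here too rather
 * than assumed, as the memtohex(buf, mem_buf, len) call in the quoted code does.
 * Returns the number of characters written (excluding the NUL), or -1 if out is
 * too small. */
static long memtohex_reply(const uint8_t *src, size_t n, char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    if (out_size < 2 * n + 1)
        return -1;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[src[i] >> 4];
        out[2 * i + 1] = digits[src[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return (long)(2 * n);
}
```

A request of "100,1000" (0x1000 = 4096 bytes) is the largest the handler accepts; "100,1001" and "100,2000" are refused before any copy happens, which is exactly the decision the quoted handler never makes. The same two-step rule applies to any length field taken from a debugger or other network-facing protocol: validate it against the destination buffer first, then against the backing store.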