Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow

Related Vulnerabilities: CVE-2019-14835  
oss-sec mailing list archives
From: peterpi(皮罡) <peterpi () tencent com>

Date: Tue, 24 Sep 2019 09:29:10 +0000

Reproduction method for CVE-2019-14835 with Ubuntu and virt-manager.

This reproduction method hits the log buffer overflow in the function get_indirect and crashes the host kernel.
We will use virt-manager to do the live migration. If you have your own live migration method, you only need the "setup 
guest" step; then trigger a live migration to test the bug.

Two hosts: a local host with Ubuntu 18.04 LTS, [your target kernel] and virt-manager installed, which can 
create and start a QEMU-KVM VM via virt-manager; and a remote host with the same setup (the latest mainline stable 
kernel is not needed) as the live migration target.
Guest: create an Ubuntu 16.04 LTS guest with virt-manager on the local host.

We will set up the virt-manager live migration connection and set up the guest kernel with an indirect descriptor table, then trigger 
the live migration with virt-manager; the local host kernel will crash.
It seems virt-manager uses vhost/vhost_net as the default virtio network backend in my environment.

1> Connect to the remote host for live migration
Start virt-manager on the local host with: sudo virt-manager --no-fork
With --no-fork, you can add a connection to the remote host using SSH.
In the virt-manager main window, select File -> Add Connection -> Connect to remote host (Method: SSH, Username: 
[remote host ssh login username], Hostname: [remote host IP]).
Click Connect; the shell running "sudo virt-manager --no-fork" will then prompt you for the SSH login password.

2> Set up the guest
After connecting to the remote host, you can start your guest to set it up.
Start the guest; virt-manager will open a new VM window for it.

In the guest, I cloned the Linux kernel from the Ubuntu kernel source git (git://kernel.ubuntu.com/ubuntu/ubuntu-xenial.git) 
according to the Ubuntu wiki,
ran "git checkout Ubuntu-hwe-4.15.0-50.54_16.04.1", built the kernel with the attached patches and installed the built kernel.

In the guest with the built kernel, do the steps below:

root@pp-Standard-PC-i440FX-PIIX-1996:~# find /sys -name "*mergeable*"
/sys/devices/pci0000:00/0000:00:03.0/virtio0/net/ens3/queues/rx-0/virtio_net/mergeable_rx_buffer_size
root@pp-Standard-PC-i440FX-PIIX-1996:~# echo 60000 > /sys/devices/pci0000:00/0000:00:03.0/virtio0/net/ens3/queues/rx-0/virtio_net/mergeable_rx_buffer_size
root@pp-Standard-PC-i440FX-PIIX-1996:~# modprobe -r virtio_net
root@pp-Standard-PC-i440FX-PIIX-1996:~# modprobe virtio_net
root@pp-Standard-PC-i440FX-PIIX-1996:~#

3> Trigger the live migration
In the virt-manager VM window, select Virtual Machine -> Migrate; if the "Address" field displays the remote host's machine 
name, change it to the remote host IP.
When the migration starts, it will crash the local host kernel after some seconds.

Peter Pi of Tencent Blade Team
Attachment:
poc_guest_virtio_ring.diff
Description: poc_guest_virtio_ring.diff
Attachment:
poc_guest_virtio_net.diff
Description: poc_guest_virtio_net.diff
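The post names the crash site (the log buffer overflow in get_indirect during live migration) but not the mechanism. The following is an added example, not code from the post, from the attached guest patches, or from the Linux kernel: a scaled-down C model of the descriptor walk in get_indirect() showing how the dirty-log array, which vhost sizes like the iovec array, can be overrun. The zero-length-descriptor mechanism modelled here is the one addressed by the upstream fix commit "vhost: make sure log_num < in_num" (which only emits a log entry when translate_desc() consumed at least one iovec); it is taken from that fix, not from this post. IOV_CAP/LOG_CAP are toy values standing in for UIO_MAXIOV, and translate_desc() is reduced to "one iovec per non-empty descriptor".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of the descriptor walk in vhost's get_indirect(), written to
 * illustrate the log-array overflow behind CVE-2019-14835.  This is NOT
 * kernel code: capacities are scaled down (the real iov and log arrays
 * each hold UIO_MAXIOV = 1024 entries) and translate_desc() is reduced to
 * "one iovec per non-empty descriptor".  The zero-length descriptor
 * mechanism is the one described by the upstream fix commit
 * "vhost: make sure log_num < in_num".
 */

#define IOV_CAP 4         /* stands in for UIO_MAXIOV */
#define LOG_CAP IOV_CAP   /* vhost allocates the dirty log with the same size */

struct desc {
    unsigned long addr;   /* guest physical address */
    unsigned int len;     /* descriptor length; 0 is legal for a guest to post */
    bool write;           /* VRING_DESC_F_WRITE: device writes into this buffer */
};

struct walk_result {
    int in_num;         /* iovecs consumed by device-writable descriptors */
    int log_num;        /* dirty-log entries the walk tried to emit */
    bool iov_full;      /* chain rejected: iov capacity would be exceeded */
    bool log_overflow;  /* an entry went past LOG_CAP (host memory corruption) */
};

/* The real translate_desc() returns how many iovecs cover [addr, addr+len),
 * or -ENOBUFS when the iov array is full; an empty range needs none. */
static int translate_desc(const struct desc *d, int iov_used)
{
    int need = d->len ? 1 : 0;
    if (iov_used + need > IOV_CAP)
        return -1;
    return need;
}

/* Walk an indirect chain. fixed=false reproduces the vulnerable logic:
 * a log entry is emitted for every writable descriptor, even one that
 * translated to zero iovecs, so log_num is not bounded by in_num.
 * fixed=true applies the upstream check (log only when ret != 0). */
struct walk_result walk_indirect(const struct desc *chain, size_t n, bool fixed)
{
    struct walk_result r = {0, 0, false, false};
    unsigned long log[LOG_CAP];
    int out_num = 0;

    for (size_t i = 0; i < n; i++) {
        int ret = translate_desc(&chain[i], r.in_num + out_num);
        if (ret < 0) {
            r.iov_full = true;   /* vhost returns the error here */
            break;
        }
        if (!chain[i].write) {
            out_num += ret;      /* output descriptors are never logged */
            continue;
        }
        r.in_num += ret;
        if (fixed && ret == 0)
            continue;            /* the CVE-2019-14835 fix */
        /* vulnerable path: index log[] by log_num with no bound of its own */
        if (r.log_num >= LOG_CAP)
            r.log_overflow = true;     /* the real code corrupts memory here */
        else
            log[r.log_num] = chain[i].addr;
        r.log_num++;
    }
    (void)log;
    return r;
}

/* Constructed chain: a well-formed receive chain of 3 writable buffers. */
struct walk_result demo_normal_chain(bool fixed)
{
    const struct desc chain[3] = {
        {0x1000, 1500, true}, {0x2000, 1500, true}, {0x3000, 1500, true},
    };
    return walk_indirect(chain, 3, fixed);
}

/* Constructed chain: 2 * LOG_CAP writable descriptors with len == 0.
 * They consume no iovecs, so the iov capacity check never fires, but each
 * one still produces a log entry on the vulnerable path. */
struct walk_result demo_zero_len_chain(bool fixed)
{
    struct desc chain[2 * LOG_CAP];
    for (size_t i = 0; i < 2 * LOG_CAP; i++) {
        chain[i].addr = 0x4000 + 0x1000 * i;
        chain[i].len = 0;
        chain[i].write = true;
    }
    return walk_indirect(chain, 2 * LOG_CAP, fixed);
}

int main(void)
{
    struct walk_result v = demo_zero_len_chain(false);
    struct walk_result f = demo_zero_len_chain(true);
    printf("vulnerable: in_num=%d log_num=%d overflow=%d\n", v.in_num, v.log_num, v.log_overflow);
    printf("fixed:      in_num=%d log_num=%d overflow=%d\n", f.in_num, f.log_num, f.log_overflow);
    return 0;
}
```

The point the model makes is that the iovec bound only protects in_num; logging is active only while the dirty log is enabled, which is exactly the live-migration window the post uses as its trigger, so the same guest-controlled chain is harmless until the migration starts.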
Current thread:

CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow 张博 (Sep 17)
Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow 皮罡 (Sep 24)