CVE-2024-24474: Integer Underflow and Buffer Overflow in QEMU before version 8.2.

In this week I have been researching a new vulnerability that was identified in QEMU (short for Quick EMUlator) which is tagged as CVE-2024-24474. For those who are unaware, QEMU is a widely-used open-source emulator and virtualizer that allows users to run multiple operating systems on a single machine.

The vulnerability arises due to an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This critical vulnerability exists in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.

I will be detailing the vulnerability and explaining how it can be exploited throughout this post. Moreover, I will be providing some relevant code snippets and linking to original references to help paint a clearer picture.

Exploit Details

QEMU versions before 8.2. are vulnerable due to an integer underflow and buffer overflow vulnerability. The problem occurs when the emulator processes a SCSI command that lacks DMA and has a non-DMA transfer length smaller than the length of the available FIFO data. The issue arises in the function 'esp_do_nodma' in the source file hw/scsi/esp.c, which doesn't correctly check for an underflow of async_len.

To exploit this vulnerability, an attacker would need to control the non-DMA transfer length value in such a way that it triggers the integer underflow and subsequently causes the buffer overflow. This could potentially allow an attacker to execute arbitrary code on the host machine.

Here's the code snippet in hw/scsi/esp.c where the issue occurs

static void esp_do_nodma(EspState *s)
{
    int count, n;

    count = s->ti_size;
    if (count > s->async_len) {
        count = s->async_len;
    }

    n = s->ti_buf->len - s->ti_rptr;
    count = (count + 3) & ~3;

    if (count > n) {
        count = n;
    }

    memcpy(s->ti_buf->buf + s->ti_rptr, s->ti_buf_data, count);

    s->ti_rptr += count;
    s->async_len -= count;
    s->ti_size -= count;

    if (s->ti_buf->len == s->ti_rptr) {
        if (s->ti_command == TI_COMMAND_WRITE) {

...
}

As you can see from the code snippet above, there is no proper validation to check whether the non-DMA transfer length value (s->async_len) is larger than the available FIFO data (s->ti_size), thus leading to the integer underflow and buffer overflow.

References

For more in-depth information on this vulnerability, you can refer to the original disclosure, patches and related information found in the links below:

1. QEMU Official Website: https://www.qemu.org/
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24474
3. QEMU Git Repository (esp.c source file): https://git.qemu.org/?p=qemu.git;a=blob;f=hw/scsi/esp.c

Conclusion

To summarize, the CVE-2024-24474 vulnerability in QEMU before 8.2. is a potentially critical issue that can lead to arbitrary code execution on the host machine. It is strongly advised to update to the latest version of QEMU to safeguard your environment from any potential exploitation of this vulnerability.

Timeline

Published on: 02/20/2024 18:15:52 UTC
Last modified on: 02/21/2024 01:15:07 UTC