QEMU Internal: PCI Device

Introduction

In this post, I will give an introduction of the PCI device emulation in QEMU. I will start from the function pci_register_bar. Then I will introduce the PCI bus initialization and update. Based on the information given above, I will explain how RTL8139 and MMIO are expected to work through DMA (Direct Memory Access).
I also strongly recommend reading the reference [1] and [2]. They give some other useful information for PCI device in QEMU.
Continue reading “QEMU Internal: PCI Device”

Advertisements

QEMU Internal: Memory Region, Address Space and QEMU IO

Introduction

In this post, I will introduce two significant data structures in QEMU: MemoryRegion and AddressSpace. Based on the information given above, I will give more details on the memory initialization in QEMU and address_space_rw, which is the core function of QEMU from my perspective. Furthermore, I give examples to explain what is STDIO and MMIO (memory-mapped IO).
Before reading this post, I strongly recommend reading /qemu/docs/memory.txt first. It will give a basic view of what I will talk about in this post.
Continue reading “QEMU Internal: Memory Region, Address Space and QEMU IO”

HITB XCTF 2017 BabyQEMU Write-up

Introduction

This post is completely based on the write-up [1] given by KITCTF. This post will give more details on io function in the binary, e.g. hitb_dma_timer, hitb_mmio_read and hitb_mmio_write.
Since a single post cannot cover everything involved in this challenge. I will put more focus on the vulnerability analysis and exploit development in this post. More topics about this challenge will be given in my post on QEMU internals.
Continue reading “HITB XCTF 2017 BabyQEMU Write-up”

QEMU Internal: RTL8139

Introduction

In my previous post, I give a basic introduction on pcnet emulation and display the stacktrace of execution flow of the emulation.
In this post I will give a introduction on RTL8139 emulation in QEMU. Different from the previous post, I will omit the execution flow of RTL8139 I/O operation. Instead, I want to put more focus on how the emulated registers are used and how user controlled data go into the vulnerable function and trigger the vulnerability.
In QEMU, all RTL8139 emulation is implemented in rtl8139.c.
The concept of DMA will be introduced in this post. But more details on that will be given in next post.
Continue reading “QEMU Internal: RTL8139”

QEMU Internal: PCNET

Introduction

This post will give a basic introduction on how QEMU emulates a pcnet network card from the view of source code. In QEMU, pcnet-pci.c and pcnet.c are the most important two files that are related with pcnet network card emulation. From my point of view, pcnet-pci.c is for emulating the operation between the QEMU and pcnet device, including device initialization and device IO communication; pcnet.c is for emulating the operation between QEMU and the guest machine, including packet transmission and data processing.
This post post will pick part of the source code of QEMU for explaining the internal of QEMU.
Continue reading “QEMU Internal: PCNET”

QEMU Escape: Part 6 Put Everything Together (another trial)

Introduction

In my previous blog, I mention that MADV_DONTFORK is set to the virtual memory region, which is used as the physical memory of guest machine. In another word, the memory set to MADV_DONTFORK will not be passed to the forked process. In this post, I will prove this hypothesis by undoing the MADV_DONTFORK flag of the memory region and display the flag.

In the exploit given in [1] and [2], the author first changes the protection flag of the PHY_MEM to RWX and prepares the shellcode in PHY_MEM to undo the MADV_DONTFORK flag of PHY_MEM. From my perspective, such a method is tedious for the purpose of this post. Alternatively, I choose to prove the hypothesis via code reuse attack directly.
Continue reading “QEMU Escape: Part 6 Put Everything Together (another trial)”

N1CTF 2018 PWN NULL Write-up

Introduction

Working in the wrong direction means going far away. After reading the write-up in [1], I think this is not a difficult challenge. During the contest, I was hesitating between House of Orange and House of Mind. After reaching dead end in both solutions, I hope to seek some hints from the title of the challenge. Therefore I turn to this post [2], seeking some possible hints in file stream on /dev/null. But the result shows that I think too much on that and I should start from the easier ones.
I need to record what I think during the contest and set a reminder for myself.
Continue reading “N1CTF 2018 PWN NULL Write-up”