QEMU Internal: RTL8139

Introduction

In my previous post, I give a basic introduction on pcnet emulation and display the stacktrace of execution flow of the emulation.
In this post I will give a introduction on RTL8139 emulation in QEMU. Different from the previous post, I will omit the execution flow of RTL8139 I/O operation. Instead, I want to put more focus on how the emulated registers are used and how user controlled data go into the vulnerable function and trigger the vulnerability.
In QEMU, all RTL8139 emulation is implemented in rtl8139.c.
The concept of DMA will be introduced in this post. But more details on that will be given in next post.

Device Initialization

Similar to PCNET, the device initialization is done in the following two function:
RTL8139 Class Initialization

static void rtl8139_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *dc = DEVICE_CLASS(klass);
    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);

    k->realize = pci_rtl8139_realize;
    k->exit = pci_rtl8139_uninit;
    k->romfile = "efi-rtl8139.rom";
    k->vendor_id = PCI_VENDOR_ID_REALTEK;
    k->device_id = PCI_DEVICE_ID_REALTEK_8139;
    k->revision = RTL8139_PCI_REVID; /* >=0x20 is for 8139C+ */
    k->class_id = PCI_CLASS_NETWORK_ETHERNET;
    dc->reset = rtl8139_reset;
    dc->vmsd = &vmstate_rtl8139;
    dc->props = rtl8139_properties;
    set_bit(DEVICE_CATEGORY_NETWORK, dc->categories);
}

RTL8139 necessary function Initialization

static void pci_rtl8139_realize(PCIDevice *dev, Error **errp)
{
    RTL8139State *s = RTL8139(dev);
    DeviceState *d = DEVICE(dev);
    uint8_t *pci_conf;

    pci_conf = dev->config;
    pci_conf[PCI_INTERRUPT_PIN] = 1;    /* interrupt pin A */
    /* TODO: start of capability list, but no capability
     * list bit in status register, and offset 0xdc seems unused. */
    pci_conf[PCI_CAPABILITY_LIST] = 0xdc;

    memory_region_init_io(&s->bar_io, OBJECT(s), &rtl8139_io_ops, s,
                          "rtl8139", 0x100);
    memory_region_init_io(&s->bar_mem, OBJECT(s), &rtl8139_mmio_ops, s,
                          "rtl8139", 0x100);
    pci_register_bar(dev, 0, PCI_BASE_ADDRESS_SPACE_IO, &s->bar_io);
    pci_register_bar(dev, 1, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->bar_mem);

    qemu_macaddr_default_if_unset(&s->conf.macaddr);

    /* prepare eeprom */
    s->eeprom.contents[0] = 0x8129;
#if 1
    /* PCI vendor and device ID should be mirrored here */
    s->eeprom.contents[1] = PCI_VENDOR_ID_REALTEK;
    s->eeprom.contents[2] = PCI_DEVICE_ID_REALTEK_8139;
#endif
    s->eeprom.contents[7] = s->conf.macaddr.a[0] | s->conf.macaddr.a[1] << 8;
    s->eeprom.contents[8] = s->conf.macaddr.a[2] | s->conf.macaddr.a[3] << 8;
    s->eeprom.contents[9] = s->conf.macaddr.a[4] | s->conf.macaddr.a[5] << 8;

    s->nic = qemu_new_nic(&net_rtl8139_info, &s->conf,
                          object_get_typename(OBJECT(dev)), d->id, s);
    qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);

    s->cplus_txbuffer = NULL;
    s->cplus_txbuffer_len = 0;
    s->cplus_txbuffer_offset = 0;

    s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, rtl8139_timer, s);
}

Emulated Register

The emulated registers for RTL8139 is much more complicated than PCNET. More details on the meaning of the those registers will be given in next chapter.

typedef struct RTL8139State {
    /*< private >*/
    PCIDevice parent_obj;
    /*< public >*/

    uint8_t phys[8]; /* mac address */
    uint8_t mult[8]; /* multicast mask array */

    uint32_t TxStatus[4]; /* TxStatus0 in C mode*/ /* also DTCCR[0] and DTCCR[1] in C+ mode */
    uint32_t TxAddr[4];   /* TxAddr0 */
    uint32_t RxBuf;       /* Receive buffer */
    uint32_t RxBufferSize;/* internal variable, receive ring buffer size in C mode */
    uint32_t RxBufPtr;
    uint32_t RxBufAddr;

    uint16_t IntrStatus;
    uint16_t IntrMask;

    uint32_t TxConfig;
    uint32_t RxConfig;
    uint32_t RxMissed;

    uint16_t CSCR;

    uint8_t  Cfg9346;
    uint8_t  Config0;
    uint8_t  Config1;
    uint8_t  Config3;
    uint8_t  Config4;
    uint8_t  Config5;

    uint8_t  clock_enabled;
    uint8_t  bChipCmdState;

    uint16_t MultiIntr;

    uint16_t BasicModeCtrl;
    uint16_t BasicModeStatus;
    uint16_t NWayAdvert;
    uint16_t NWayLPAR;
    uint16_t NWayExpansion;

    uint16_t CpCmd;
    uint8_t  TxThresh;

    NICState *nic;
    NICConf conf;

    /* C ring mode */
    uint32_t   currTxDesc;

    /* C+ mode */
    uint32_t   cplus_enabled;

    uint32_t   currCPlusRxDesc;
    uint32_t   currCPlusTxDesc;

    uint32_t   RxRingAddrLO;
    uint32_t   RxRingAddrHI;

    EEprom9346 eeprom;

    uint32_t   TCTR;
    uint32_t   TimerInt;
    int64_t    TCTR_base;

    /* Tally counters */
    RTL8139TallyCounters tally_counters;

    /* Non-persistent data */
    uint8_t   *cplus_txbuffer;
    int        cplus_txbuffer_len;
    int        cplus_txbuffer_offset;

    /* PCI interrupt timer */
    QEMUTimer *timer;

    MemoryRegion bar_io;
    MemoryRegion bar_mem;

    /* Support migration to/from old versions */
    int rtl8139_mmio_io_addr_dummy;
} RTL8139State;

A more general and simple expression of the structure is already given in [1].

I/O Communication

According to our experience on PCNET, we can soon locate the critical function:

static void rtl8139_ioport_write(void *opaque, hwaddr addr,
                                 uint64_t val, unsigned size)
{
    switch (size) {
    case 1:
        rtl8139_io_writeb(opaque, addr, val);
        break;
    case 2:
        rtl8139_io_writew(opaque, addr, val);
        break;
    case 4:
        rtl8139_io_writel(opaque, addr, val);
        break;
    }
}

static uint64_t rtl8139_ioport_read(void *opaque, hwaddr addr,
                                    unsigned size)
{
    switch (size) {
    case 1:
        return rtl8139_io_readb(opaque, addr);
    case 2:
        return rtl8139_io_readw(opaque, addr);
    case 4:
        return rtl8139_io_readl(opaque, addr);
    }

    return -1;
}

Actually, only rtl8139_ioport_write, i.e. outb/outw/outl, is used in the exploit given in [2].

Set Receiver Ring

The first step in exploit is to initialize the receiver ring. Before setting the receiver ring, rtl8139_desc_config_rx function will prepare an array of rtl8139_ring with size 0x2c, then physical address of the array in the guest machine. Than it sets the receiver ring address to the physical address.

struct rtl8139_desc {
	uint32_t dw0;
	uint32_t dw1;
	uint32_t buf_lo;
	uint32_t buf_hi;
};

struct rtl8139_ring {
	struct rtl8139_desc *desc;
	void                *buffer;
};


addr = (uint32_t)gva_to_gpa(desc);
outl(addr, RTL8139_PORT + RxRingAddrLO);
outl(0x0, RTL8139_PORT + RxRingAddrHI);

In function rtl8139_io_writel, it will set the lower 32-bit address and higher 32-bit address of the receiver buffer.

RTL8139State *s = opaque;
switch (addr)
{
    case RxRingAddrLO:
         DPRINTF("C+ RxRing low bits write val=0x%08x\n", val);
         s->RxRingAddrLO = val;
         break;

    case RxRingAddrHI:
         DPRINTF("C+ RxRing high bits write val=0x%08x\n", val);
         s->RxRingAddrHI = val;
         break;
}

Set Transmit Description Buffer Address

The next step in exploit is to initialize the transmit address. More specifically, it is s->TxAddr[0] and s->TxAddr[1] that are set to the physical address of buffer in guest machine.

addr = (uint32_t)gva_to_gpa(desc);
outl(addr, RTL8139_PORT + TxAddr0);
outl(0x0, RTL8139_PORT + TxAddr0 + 0x4);
RTL8139State *s = opaque;
switch (addr)
{
     case TxAddr0 ... TxAddr0+4*4-1:
          rtl8139_TxAddr_write(s, addr-TxAddr0, val);
          break;
}

static void rtl8139_TxAddr_write(RTL8139State *s, uint32_t txAddrOffset, uint32_t val)
{
    DPRINTF("TxAddr write offset=0x%x val=0x%08x\n", txAddrOffset, val);

    s->TxAddr[txAddrOffset/4] = val;
}

Set RTL8139 Card

In the step of setting the configuration of RTL8139 card, s->TxConfig is set to TxLoopBack and s->RxConfig is set to AcceptMyPhys.

outl(TxLoopBack, RTL8139_PORT + TxConfig);
outl(AcceptMyPhys, RTL8139_PORT + RxConfig);
RTL8139State *s = opaque;
switch (addr)
{    
    case TxConfig:
         rtl8139_TxConfig_write(s, val);
         break;
    case RxConfig:
         rtl8139_RxConfig_write(s, val);
         break;
}

static void rtl8139_TxConfig_write(RTL8139State *s, uint32_t val)
{
    if (!rtl8139_transmitter_enabled(s))
    {
        return;
    }
    val = SET_MASKED(val, TxVersionMask | 0x8070f80f, s->TxConfig);
    s->TxConfig = val;
}

static void rtl8139_RxConfig_write(RTL8139State *s, uint32_t val)
{
    val = SET_MASKED(val, 0xf0fc0040, s->RxConfig);
    s->RxConfig = val;
    rtl8139_reset_rxring(s, 8192 << ((s->RxConfig >> 11) & 0x3));
}

Then s->CpCmd is set to CPlusRxEnb|CPlusTxEnb

outw(CPlusRxEnb|CPlusTxEnb, RTL8139_PORT + CpCmd);
static void rtl8139_CpCmd_write(RTL8139State *s, uint32_t val)
{
    val &= 0xffff;

    DPRINTF("C+ command register write(w) val=0x%04x\n", val);

    s->cplus_enabled = 1;

    /* mask unwritable bits */
    val = SET_MASKED(val, 0xff84, s->CpCmd);

    s->CpCmd = val;
}

Next, s->currCPlusRxDesc and s->currCPlusTxDesc are both set to 0.

outb(CmdRxEnb|CmdTxEnb, RTL8139_PORT + ChipCmd);
case ChipCmd:
     rtl8139_ChipCmd_write(s, val);
     break;
static void rtl8139_ChipCmd_write(RTL8139State *s, uint32_t val)
{
    DeviceState *d = DEVICE(s);
    val &= 0xff;
    if (val & CmdReset)
    {
        rtl8139_reset(d);
    }
    if (val & CmdRxEnb)
    {
        s->currCPlusRxDesc = 0;
    }
    if (val & CmdTxEnb)
    {
        s->currCPlusTxDesc = 0;
    }

    /* mask unwritable bits */
    val = SET_MASKED(val, 0xe3, s->bChipCmdState);

    /* Deassert reset pin before next read */
    val &= ~CmdReset;

    s->bChipCmdState = val;
}

Start to Trigger

The we come to the trigger function that will eventually invoke the vulnerable function.

outb(CPlus, RTL8139_PORT + TxPoll)

In function rtl8139_io_writeb, it will call rtl8139_cplus_transmit_one with the set values in s.

case TxPoll:
     if (val & (1 << 7))
     {
     }
     if (val & (1 << 6))
     {
         rtl8139_cplus_transmit(s);
     }

static void rtl8139_cplus_transmit(RTL8139State *s)
{
    int txcount = 0;

    while (rtl8139_cplus_transmit_one(s))
    {
        ++txcount;
    }
}

Vulnerable Code: rtl8139_cplus_transmit_one

Now let us dive into the vulnerable code and see how the code works.
Step 1
First of all, it will get the physical address of the transmit description buffer address

dma_addr_t cplus_tx_ring_desc = rtl8139_addr64(s->TxAddr[0], s->TxAddr[1]);

pci_dma_read(d, cplus_tx_ring_desc,    (uint8_t *)&val, 4);
txdw0 = le32_to_cpu(val);
pci_dma_read(d, cplus_tx_ring_desc+4,  (uint8_t *)&val, 4);
txdw1 = le32_to_cpu(val);
pci_dma_read(d, cplus_tx_ring_desc+8,  (uint8_t *)&val, 4);
txbufLO = le32_to_cpu(val);
pci_dma_read(d, cplus_tx_ring_desc+12, (uint8_t *)&val, 4);
txbufHI = le32_to_cpu(val);

A very important function here is pci_dma_read. DMA is the abbreviation of Direct Memory Access, which enables data transfer between memory and PCI device. Here, pci_dma_read emulates such data transfer between the PHY_MEM and the local variable in QEMU binary. The details on this will be given in next post.

Step 2
According to the data retracted from the transmit description buffer, it continues to retract the transmit buffer (s->cplus_txbuffer), which will be used to store the send packet data later..

int txsize = txdw0 & CP_TX_BUFFER_SIZE_MASK;
dma_addr_t tx_addr = rtl8139_addr64(txbufLO, txbufHI);

if (!s->cplus_txbuffer)
{
    s->cplus_txbuffer_len = CP_TX_BUFFER_SIZE;
    s->cplus_txbuffer = g_malloc(s->cplus_txbuffer_len);
    s->cplus_txbuffer_offset = 0;
}
if (s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
{
    txsize = s->cplus_txbuffer_len - s->cplus_txbuffer_offset;
}
pci_dma_read(d, tx_addr, s->cplus_txbuffer + s->cplus_txbuffer_offset, txsize);
s->cplus_txbuffer_offset += txsize;

Step 3
After getting those necessary information for receiving packet, it begins to resolve the packet. The operation later will continue via saved_buffer and saved_size.

uint8_t *saved_buffer  = s->cplus_txbuffer;
int      saved_size    = s->cplus_txbuffer_offset;
int      saved_buffer_len = s->cplus_txbuffer_len;

Since we have set desc->dw0 to CP_TX_OWN | CP_TX_EOR | CP_TX_LS | CP_TX_LGSEN | CP_TX_IPCS | CP_TX_TCPCS earlier, we then come the resolve the packet based on the set protocol.

if (txdw0 & (CP_TX_IPCS | CP_TX_UDPCS | CP_TX_TCPCS | CP_TX_LGSEN))
{

Step 4
Finally we come to the vulnerable code in CVE-2015-5165.

if (proto == ETH_P_IP)
{
    eth_payload_data = saved_buffer + ETH_HLEN;
    eth_payload_len  = saved_size   - ETH_HLEN;

    ip = (ip_header*)eth_payload_data;
    if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
        ip = NULL;
    } else {
        hlen = IP_HEADER_LENGTH(ip);
        ip_protocol = ip->ip_p;
        ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
    }
}

At this point, we can finally reach the point where the vulnerability takes place. ip->ip_len and hlen are both under control. Maliciously crafted data will trigger the out-of-bound read in the end.

Conclusion

In this post, I give a detailed explanation of RTL8139 emulation. More importantly, I give a mention of pci_dma_read in the source code of QEMU, which gives a new topic in my next post.

Reference

[1] http://www.phrack.org/papers/vm-escape-qemu-case-study.html
[2] https://github.com/dangokyo/QEMU_ESCAPE/blob/master/CVE_2015_5165_leak.c

Advertisements

One thought on “QEMU Internal: RTL8139

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.