# CVE-2021-3929 PoC: QEMU resource management error vulnerability

## Associated vulnerability

Title: QEMU resource management error vulnerability (CVE-2021-3929)

Description: A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation in QEMU. This CVE is similar to CVE-2021-3750: a device-initiated DMA write that lands in the controller's own MMIO region re-enters the register write handler, and when that nested write triggers the reset function nvme_ctrl_reset(), data structures still in use by the outer handler are freed, leading to a use-after-free. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service, or potentially execute arbitrary code within the context of the QEMU process on the host.
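To make the mechanism in that description concrete, the following is an added C model written for this page; it is not QEMU code and not the PoC's exp.c. A toy device processes a command whose DMA target is guest-controlled; if that target falls inside the device's own register window, the DMA path dispatches straight back into the MMIO write handler, and a nested write of 0 to the control register runs the reset that frees the queue the outer frame still holds. The register offsets, the queue structure and the `guarded` flag are assumptions for illustration; the guarded variant shows the generic mitigation shape, refusing nested MMIO dispatch while the handler is already running.

```c
/* Added example: simplified model of a DMA-reentrancy use-after-free.
 * Not QEMU code; offsets, structures and the guard are illustrative. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define REG_CC      0x14    /* writing 0 here resets the (model) controller */
#define REG_SQ_TAIL 0x1000  /* doorbell: the model "processes" one command */
#define MMIO_SIZE   0x2000  /* size of the device's own register window */

struct queue { uint64_t dma_target; };  /* the one guest-controlled field we need */

struct dev {
    struct queue *sq;     /* freed by reset */
    int guarded;          /* 1 = refuse nested MMIO coming from our own DMA */
    int in_mmio;          /* nesting depth of the MMIO handler */
    int reentered;        /* handler was entered while already running */
    int uaf;              /* outer frame observed its queue freed under it */
};

static void mmio_write(struct dev *d, uint64_t addr, uint64_t val);

static void dev_reset(struct dev *d)
{
    free(d->sq);          /* a real device frees queues, timers, buffers here */
    d->sq = NULL;
}

/* Device-initiated DMA. If the guest pointed the transfer at the device's
 * own register window, the write is dispatched back into the MMIO handler:
 * that is the reentrancy. */
static void dma_write(struct dev *d, uint64_t addr, uint64_t val)
{
    if (addr < MMIO_SIZE)
        mmio_write(d, addr, val);
    /* else: ordinary guest RAM, nothing to model */
}

static void process_command(struct dev *d)
{
    struct queue *sq = d->sq;            /* pointer held across the DMA */
    dma_write(d, sq->dma_target, 0);     /* e.g. a completion written via DMA */
    /* Back in the outer frame. If a nested reset ran, sq is dangling.
     * The model records that instead of touching freed memory. */
    if (d->sq != sq) { d->uaf = 1; return; }
    sq->dma_target = 0;                  /* safe: queue still alive */
}

static void mmio_write(struct dev *d, uint64_t addr, uint64_t val)
{
    if (d->guarded && d->in_mmio > 0)    /* hardened: drop the nested access */
        return;
    d->in_mmio++;
    if (d->in_mmio > 1) d->reentered = 1;
    switch (addr) {
    case REG_CC:      if (val == 0) dev_reset(d); break;
    case REG_SQ_TAIL: if (d->sq) process_command(d); break;
    default:          break;
    }
    d->in_mmio--;
}

/* Guest side: submit a command whose DMA target is the controller's own CC
 * register, then ring the doorbell. Returns 1 if the outer handler ended up
 * holding a freed queue (the use-after-free condition), 0 otherwise. */
static int run_guest(int guarded)
{
    struct dev d;
    memset(&d, 0, sizeof d);
    d.guarded = guarded;
    d.sq = calloc(1, sizeof *d.sq);
    d.sq->dma_target = REG_CC;           /* DMA of 0 into CC == reset */
    mmio_write(&d, REG_SQ_TAIL, 1);
    int uaf = d.uaf;
    dev_reset(&d);                       /* cleanup; no-op if already freed */
    return uaf;
}

int main(void)
{
    printf("unguarded: uaf=%d\n", run_guest(0));   /* 1 */
    printf("guarded:   uaf=%d\n", run_guest(1));   /* 0 */
    return 0;
}
```

The detection in `process_command` is the crux: nothing in the outer frame is told that the nested reset happened, so real code would dereference the stale pointer. A guard at the MMIO boundary stops the nested dispatch before any state is torn down, which is why it is preferable to patching each individual use.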
Repository description: Recursive MMIO VM Escape PoC

# CVE-2021-3929-3947

VM escape PoC for [CVE-2021-3929](https://access.redhat.com/security/cve/cve-2021-3929) and [CVE-2021-3947](https://access.redhat.com/security/cve/cve-2021-3947). Educational purposes only.

You can read the **[white paper](https://qiuhao.org/Matryoshka_Trap.pdf)** for more information.

## Environment

```
OS: Ubuntu 21.10
Linux: 5.13.0
gcc: 11.2.0
glibc: 2.34
glib: 2.68.4
QEMU: 6.1.0
Guest OS: Ubuntu 21.04
```

## Commands

### Host

```bash
# Boot the guest with an emulated NVMe controller whose controller memory
# buffer (CMB) is enabled. null-co:// is QEMU's null block backend, so no real
# disk image is needed behind the NVMe device. Adjust the -hda path to your image.
qemu-system-x86_64 -machine type=q35,accel=kvm -cpu host \
-m 2G -hda /home/qiuhao/VMs_QEMU/ubuntu21.04/ubuntu21.04.qcow2 \
-device nvme,drive=disk0,serial=1234,cmb_size_mb=64 \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ich9-intel-hda -vga qxl -device virtio-serial-pci \
-spice port=5900,disable-ticketing=on \
-device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 \
-chardev spicevmc,id=spicechannel0,name=vdagent
```

### Guest

```bash
# Keep the guest's nvme driver from binding the controller, so that userspace
# can own its BAR0 registers.
echo "install nvme /bin/true" | sudo tee -a /etc/modprobe.d/blacklist.conf
sudo update-initramfs -u
sudo reboot

# Adjust the hardcoded constants in exp.c first.
# Add -DCONFIG_DEBUG_MUTEX to gcc if QEMU was built with --enable-debug.
gcc -o exp exp.c
sudo ./exp
# VM escape
```

If exp fails to leak the guest's RAM address, restart QEMU and try again.
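Once the nvme driver is blacklisted, the guest reaches the emulated controller only through its PCI BAR. The following is an added example for this page, not the PoC's exp.c: it parses the sysfs `resource` description of a BAR, computes doorbell offsets from CAP.DSTRD, and, when given a PCI address, maps BAR0 from userspace and dumps the registers the setup above depends on (CAP, VS, CC, CSTS, CMBLOC, CMBSZ). The register offsets follow the NVMe base specification; the sample sysfs line, the `0000:00:03.0` address in the usage text and the 0x4000 mapping size are assumptions.

```c
/* Added example: guest-side access to the emulated NVMe controller's BAR0
 * from userspace. Not part of the PoC; paths and sample data are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/* NVMe controller registers (BAR0 offsets, NVMe base specification) */
#define NVME_REG_CAP       0x00   /* 64-bit */
#define NVME_REG_VS        0x08
#define NVME_REG_CC        0x14
#define NVME_REG_CSTS      0x1c
#define NVME_REG_CMBLOC    0x38
#define NVME_REG_CMBSZ     0x3c
#define NVME_DOORBELL_BASE 0x1000

/* One line of /sys/bus/pci/devices/<bdf>/resource: "start end flags" in hex.
 * Returns 0 (and fills start/size/flags) for a populated BAR, 1 for an
 * unused all-zero entry, -1 for a malformed line. */
static int parse_resource_line(const char *line, uint64_t *start,
                               uint64_t *size, uint64_t *flags)
{
    unsigned long long s, e, f;
    if (sscanf(line, "%llx %llx %llx", &s, &e, &f) != 3)
        return -1;
    if (s == 0 && e == 0)
        return 1;
    if (e < s)
        return -1;
    *start = s; *size = e - s + 1; *flags = f;
    return 0;
}

/* Doorbell offset for the submission (is_cq=0) or completion (is_cq=1)
 * queue qid, using the stride advertised in CAP.DSTRD (bits 35:32). */
static uint64_t nvme_doorbell_offset(uint64_t cap, unsigned qid, int is_cq)
{
    unsigned dstrd = (unsigned)((cap >> 32) & 0xf);
    return NVME_DOORBELL_BASE + ((2ull * qid + (unsigned)is_cq) * (4ull << dstrd));
}

/* Two aligned 32-bit reads rather than one 64-bit access: the spec allows
 * it for 64-bit registers and it behaves the same on every host. */
static uint64_t mmio_read64(volatile uint8_t *bar, size_t off)
{
    uint32_t lo = *(volatile uint32_t *)(bar + off);
    uint32_t hi = *(volatile uint32_t *)(bar + off + 4);
    return ((uint64_t)hi << 32) | lo;
}

/* Map BAR0 of the given device (root required) and dump the registers.
 * Returns 0 on success, -1 if the BAR cannot be opened or mapped. */
static int dump_nvme_regs(const char *bdf)
{
    char path[128];
    snprintf(path, sizeof path, "/sys/bus/pci/devices/%s/resource0", bdf);
    int fd = open(path, O_RDWR | O_SYNC);
    if (fd < 0) { perror(path); return -1; }
    size_t len = 0x4000;  /* assumed: register block plus the first doorbells */
    volatile uint8_t *bar = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (bar == MAP_FAILED) { perror("mmap"); close(fd); return -1; }

    uint64_t cap = mmio_read64(bar, NVME_REG_CAP);
    printf("CAP    = 0x%016llx (DSTRD=%u)\n", (unsigned long long)cap,
           (unsigned)((cap >> 32) & 0xf));
    printf("VS     = 0x%08x\n", *(volatile uint32_t *)(bar + NVME_REG_VS));
    printf("CC     = 0x%08x\n", *(volatile uint32_t *)(bar + NVME_REG_CC));
    printf("CSTS   = 0x%08x\n", *(volatile uint32_t *)(bar + NVME_REG_CSTS));
    printf("CMBLOC = 0x%08x  CMBSZ = 0x%08x\n",
           *(volatile uint32_t *)(bar + NVME_REG_CMBLOC),
           *(volatile uint32_t *)(bar + NVME_REG_CMBSZ));
    printf("SQ0 tail doorbell at BAR0+0x%llx\n",
           (unsigned long long)nvme_doorbell_offset(cap, 0, 0));
    munmap((void *)bar, len);
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        /* Constructed sample line, not taken from a real machine. */
        const char *sample = "0x00000000fe000000 0x00000000fe003fff 0x0000000000040200";
        uint64_t start, size, flags;
        if (parse_resource_line(sample, &start, &size, &flags) == 0)
            printf("sample BAR0 at 0x%llx, size 0x%llx\n",
                   (unsigned long long)start, (unsigned long long)size);
        fprintf(stderr, "usage: %s <pci-bdf, e.g. 0000:00:03.0>\n", argv[0]);
        return 2;
    }
    return dump_nvme_regs(argv[1]) == 0 ? 0 : 1;
}
```

Find the controller's address with `lspci -nn | grep -i nvme` inside the guest, then run the program as root with that address. Reading CMBLOC/CMBSZ confirms that `cmb_size_mb=64` on the host side actually took effect before any further work on the hardcoded constants.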

## Demonstration

https://user-images.githubusercontent.com/45557084/145674292-c32af28f-e206-4b07-aa16-56d8e8dbe27e.mp4

## Acknowledgments

We thank the QEMU community and the Red Hat Product Security team for their professional responses.
## File snapshot

```
[4.0K] /data/pocs/42aa8cb6cc80e746cf5cc52ad65538e28c49bb45
├── [ 16K] exp.c
├── [2.7K] helpers.h
├── [3.7K] qemu.h
└── [1.5K] README.md

0 directories, 4 files
```