# CVE-2021-3929-3947

VM escape PoC for CVE-2021-3929 and CVE-2021-3947. Educational purposes only.

You can read the white paper for more information.

## Environment

- OS: Ubuntu 21.10
- Linux: 5.13.0
- gcc: 11.2.0
- glibc: 2.34
- glib: 2.68.4
- QEMU: 6.1.0
- Guest OS: Ubuntu 21.04

## Commands

### Host

```shell
qemu-system-x86_64 run -machine type=q35,accel=kvm -cpu host \
-m 2G -hda /home/qiuhao/VMs_QEMU/ubuntu21.04/ubuntu21.04.qcow2 \
-device nvme,drive=disk0,serial=1234,cmb_size_mb=64 \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ich9-intel-hda -vga qxl -device virtio-serial-pci \
-spice port=5900,disable-ticketing=on \
-device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 \
-chardev spicevmc,id=spicechannel0,name=vdagent
```

### Guest

```shell
# Disable NVMe's Driver
echo "install nvme /bin/true" | sudo tee -a /etc/modprobe.d/blacklist.conf
sudo update-initramfs -u
sudo reboot

# You should first adjust the hardcoded constants in exp.c
# Add -DCONFIG_DEBUG_MUTEX to gcc if you compile QEMU with --enable-debug
gcc -o exp exp.c
sudo ./exp
# VM escape
```

If exp fails to leak the guest's RAM address, restart QEMU and try again.
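The host command above is the configuration the PoC needs, and two of its options are the kind of guest- or network-facing settings a defender would want an inventory check to surface: the emulated NVMe controller is given a 64 MB Controller Memory Buffer (`cmb_size_mb=64`), a feature most guest workloads never use, and the SPICE listener runs with `disable-ticketing=on`, so no client authentication is required on port 5900. The following auditor is an added example, not code from this repository or from QEMU; it parses QEMU's generic `-flag key=value,key=value` argument syntax and reports both conditions. The embedded command line is constructed from the README's host command with the disk image path replaced by a placeholder and the stray `run` token dropped.

```python
"""Audit a qemu-system command line for guest-facing options worth review.

Added example (not part of the PoC repository). It understands QEMU's
"-flag value" pairs and the "key=value,key=value" option lists used by
-device, -drive, -spice and friends, then flags:
  * nvme devices with a Controller Memory Buffer enabled (cmb_size_mb),
  * spice listeners with ticketing disabled (no client authentication).
"""
import shlex

# Constructed from the README's host command; the image path is a placeholder.
QEMU_CMDLINE = (
    "qemu-system-x86_64 -machine type=q35,accel=kvm -cpu host "
    "-m 2G -hda /path/to/ubuntu21.04.qcow2 "
    "-device nvme,drive=disk0,serial=1234,cmb_size_mb=64 "
    "-drive file=null-co://,if=none,format=raw,id=disk0 "
    "-device ich9-intel-hda -vga qxl -device virtio-serial-pci "
    "-spice port=5900,disable-ticketing=on "
    "-device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 "
    "-chardev spicevmc,id=spicechannel0,name=vdagent"
)


def parse_opts(value):
    """Split 'nvme,drive=disk0,cmb_size_mb=64' into a dict.

    The first bare word is the driver/type name (QEMU's implicit 'driver=');
    any later bare word is a boolean flag and is recorded as 'on'.
    """
    opts = {}
    for i, part in enumerate(value.split(",")):
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            opts[key] = val
        elif i == 0:
            opts["driver"] = part
        else:
            opts[part] = "on"  # e.g. the older bare 'disable-ticketing' form
    return opts


def parse_cmdline(cmdline):
    """Return a list of (flag, opts) pairs for every '-flag [value]' on the line."""
    argv = shlex.split(cmdline)
    entries = []
    i = 1  # argv[0] is the qemu binary
    while i < len(argv):
        flag = argv[i]
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if flag.startswith("-") and has_value:
            entries.append((flag, parse_opts(argv[i + 1])))
            i += 2
        else:
            entries.append((flag, {}))
            i += 1
    return entries


def audit(cmdline):
    """Return human-readable findings, in command-line order."""
    findings = []
    for flag, opts in parse_cmdline(cmdline):
        if flag == "-device" and opts.get("driver") == "nvme" and "cmb_size_mb" in opts:
            findings.append(
                f"nvme device (serial={opts.get('serial', '?')}) exposes a "
                f"{opts['cmb_size_mb']} MB Controller Memory Buffer to the guest; "
                "drop cmb_size_mb unless the workload needs it"
            )
        if flag == "-spice" and opts.get("disable-ticketing") == "on":
            findings.append(
                f"spice listener on port {opts.get('port', '?')} has ticketing "
                "disabled: any client that can reach the port gets the console"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(QEMU_CMDLINE):
        print("FINDING:", finding)
```

Run against the embedded command line it reports both findings; a command line whose NVMe device has no `cmb_size_mb` and whose SPICE listener keeps ticketing enabled produces none. Extending `audit` with further checks (for example, flagging `accel=kvm` guests that also get debug or monitor sockets) only needs another `if` on the parsed options.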

## Demonstration

demo.mp4

## Acknowledgments

We thank the QEMU community and the Red Hat Product Security team for their professional responses.