Post #1885

Cherr panic (@cherr_panic)

Views: 22
Published 28 days ago (15.05.2026 16:28)

Message content

QEMUtiny is a memory corruption vulnerability in QEMU's implementation of CXL (Compute Express Link) Type-3 (Memory Device) device emulation.

1. OOB read: cmd_logs_get_log() treats the CEL log offset as an array index in the memmove() source expression even though the CXL mailbox offset is in bytes.
2. OOB write: cmd_features_set_feature() accepts byte offsets into several small feature write-attribute structures without checking that offset + bytes_to_copy stays inside the selected structure.

poc.c is a working exploit that drives the emulated CXL mailbox from the guest through the device BAR. It depends on offsets for the specific QEMU build and host libc layout. The exploit can be weaponized to work reliably across many QEMU versions using the OOB read to scan memory. However, this is out of scope for this PoC.

https://github.com/v12-security/pocs/tree/main/qemu
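The two bug classes the post names are the same mistake seen from two sides: a guest-controlled mailbox offset that is either scaled wrongly (a byte offset used as an element index, so the source pointer moves sizeof(entry) times too far) or not checked at all against the size of the structure it selects. The following added example is not code from the post, the linked PoC or QEMU; the log and feature layouts, function names and sample values are all constructed here to show the defensive pattern: compute how far the index misuse lands, and bounds-check offset + length with overflow-safe arithmetic before any copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample log: eight 4-byte entries (hypothetical layout, not QEMU's CEL). */
struct log_entry { uint16_t opcode; uint16_t flags; };
#define LOG_ENTRIES 8u
static const struct log_entry cel_log[LOG_ENTRIES] = {
    {0x0001, 0}, {0x0002, 0}, {0x0100, 1}, {0x0101, 1},
    {0x0200, 0}, {0x0201, 0}, {0x0400, 1}, {0x4000, 1},
};

/* Overflow-safe range check: [offset, offset + len) must lie inside `size` bytes.
   Written as two comparisons so offset + len can never wrap. */
bool range_in_bounds(uint64_t offset, uint64_t len, uint64_t size) {
    return offset <= size && len <= size - offset;
}

/* Byte displacement the buggy expression &cel_log[offset] produces when `offset`
   is really a byte count: it is multiplied by the element size, so any offset
   >= LOG_ENTRIES already starts past the end of the array. */
uint64_t index_misuse_displacement(uint32_t byte_offset) {
    return (uint64_t)byte_offset * sizeof(struct log_entry);
}

/* Hardened Get Log: treat the offset as bytes and reject out-of-range requests.
   Returns the number of bytes copied, or -1 on an invalid range. */
int get_log_checked(uint8_t *dst, size_t dst_size, uint32_t byte_offset, uint32_t len) {
    if (len > dst_size) return -1;
    if (!range_in_bounds(byte_offset, len, sizeof cel_log)) return -1;
    /* byte arithmetic on a uint8_t pointer, not element indexing */
    memcpy(dst, (const uint8_t *)cel_log + byte_offset, len);
    return (int)len;
}

/* Hypothetical feature write-attribute structures of different sizes. */
struct feat_a { uint8_t data[4]; };
struct feat_b { uint8_t data[12]; };
static struct feat_a feat_a_state;
static struct feat_b feat_b_state;

/* Hardened Set Feature: resolve the target structure first, then check the
   write against that structure's own size. Returns 0 on success, -1 on error. */
int set_feature_checked(uint32_t feature_id, uint32_t offset, const uint8_t *src, uint32_t len) {
    void *base; size_t size;
    switch (feature_id) {
    case 0: base = &feat_a_state; size = sizeof feat_a_state; break;
    case 1: base = &feat_b_state; size = sizeof feat_b_state; break;
    default: return -1;
    }
    if (!range_in_bounds(offset, len, size)) return -1;
    memcpy((uint8_t *)base + offset, src, len);
    return 0;
}

/* Accessors and constructed inputs so results can be inspected without globals. */
uint8_t feat_a_byte(size_t i) { return feat_a_state.data[i]; }
static const uint8_t sample_write[4] = {1, 2, 3, 4};
static uint8_t scratch[8];

int main(void) {
    printf("Get Log, byte offset 4, len 8 -> %d bytes\n", get_log_checked(scratch, sizeof scratch, 4, 8));
    printf("same offset misused as an index lands %llu bytes in (log is %zu bytes)\n",
           (unsigned long long)index_misuse_displacement(4), sizeof cel_log);
    printf("Set Feature 0, offset 2, len 4 -> %d (rejected: leaves a 4-byte struct)\n",
           set_feature_checked(0, 2, sample_write, 4));
    printf("Set Feature 0, offset 0, len 4 -> %d\n", set_feature_checked(0, 0, sample_write, 4));
    return 0;
}
```

The check is deliberately `offset <= size && len <= size - offset` rather than `offset + len <= size`: with 32-bit mailbox fields promoted to 64-bit the sum cannot wrap here, but the subtraction form stays correct even if the types are later narrowed, which is the kind of silent regression that reintroduces this class of bug.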