Real World

• produce
  • CVE-2019-6788 (about slirp handle TCP/IP heap overflow)
  • CVE-2020-14364 (USB core out of bounds read and write)
  • TianfuCup2020-QEMU-Error-Handling-Bug (nvme device uninitialized variable and uninitialized free)
  • vitio-2.6.0 (null pointer reference)
  • vga-2.6.0 (out of bounds read and write)
  • pcnet-2.2.0 (out of bounds read and write)

Document

• Device Specification

  • USB
    • EHCI (ehci specifiction)
    • xHCI (xhci specifiction)
    • UHCI (uhci specifiction)
  • TCP/IP
    • Overview of TCP/IP (relation to qemu-slirp)
  • ATA/ATAPI
    • ATA/ATAPI-5
    • ATAPI-Removable-Rewritable-Specification
    • Working-Draft-ATA/ATAPI-Command-Set-3
    • ATA-Packet-Interface-for-CD-ROMs
  • NVMe
    • A-NVMe-Storage-Virtualization-Sloution

• fuzz

  • usbfuzz
    • fuzz usb drivers by device emulation
  • AFLfuzz
    • 《When-Virtualization-Encounters-AFL-A-Portable-Virtual-Device-Fuzzing-Framework-With-AFL》

• exploit

  • 虚拟化安全之QEMU与KVM
    • QEMU (relate to this)
    • KVM
  • Misuse-Error-Handling-Leading-To-QEMU-KVM-Escape

• kernel driver

  • kernel-driver-development
    • Linux设备驱动
    • Linux设备驱动开发详解
  • usb-driver
    • USB设备驱动

Vedio/Web URL

• fuzz
  • Libfuzzer
    • Virtual Device Fuzzing Support in QEMU
    • Fuzzing Virtual Devices in Cloud Hypervisors
  • QTest
    • QTest Device Emulation Testing Framework
    • Qtest Driver Framework
• exploit
  • Scavenger: Misuse Error Handling Leading to Qemu/KVM Escape

ctf

• done
  • 2017-Blizzard-strng
  • 2018-Defcon-Quals-EC3
  • 2019-qwb-quals-qwct
  • 2019-qwb-final-ExecChrome
  • 2021-RealWorld-quals-Easy_Escape
• original
  • 2020-GeekPwn-Quals-Vimu
  • 2020-GeekPwn-Quals-Kemu（2020-N1CTF-Kemu）
  • 2020-GeekPwn-Final-V1NKe's QEMU