[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed
|
From: |
Philippe Mathieu-Daudé |
|
Subject: |
[Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed |
|
Date: |
Mon, 29 Jun 2020 17:57:45 -0000 |
** Summary changed:
- null-ptr dereference in tcg_handle_interrupt
+ null-ptr dereference in ich9_apm_ctrl_changed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878645
Title:
null-ptr dereference in ich9_apm_ctrl_changed
Status in QEMU:
New
Bug description:
Hello,
While fuzzing, I found an input which triggers a NULL pointer dereference in
tcg_handle_interrupt. It seems the culprint is a "cpu" pointer - maybe this
bug
is specific to QTest?
==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc
0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)
==23862==The signal is caused by a READ memory access.
==23862==Hint: address points to the zero page.
#0 0x55b9dc7c9dce in tcg_handle_interrupt
/home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21
#1 0x55b9dc904799 in cpu_interrupt
/home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5
#2 0x55b9dc9085e8 in ich9_apm_ctrl_changed
/home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13
#3 0x55b9dd19cdc8 in apm_ioport_writeb
/home/alxndr/Development/qemu/hw/isa/apm.c:50:13
#4 0x55b9dc73f8b4 in memory_region_write_accessor
/home/alxndr/Development/qemu/memory.c:483:5
#5 0x55b9dc73f289 in access_with_adjusted_size
/home/alxndr/Development/qemu/memory.c:544:18
#6 0x55b9dc73ddf5 in memory_region_dispatch_write
/home/alxndr/Development/qemu/memory.c:1476:16
#7 0x55b9dc577bf3 in flatview_write_continue
/home/alxndr/Development/qemu/exec.c:3137:23
#8 0x55b9dc567ad8 in flatview_write
/home/alxndr/Development/qemu/exec.c:3177:14
#9 0x55b9dc567608 in address_space_write
/home/alxndr/Development/qemu/exec.c:3268:18
#10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5
#11 0x55b9dc72d3c0 in qtest_process_command
/home/alxndr/Development/qemu/qtest.c:392:13
#12 0x55b9dc72b186 in qtest_process_inbuf
/home/alxndr/Development/qemu/qtest.c:710:9
#13 0x55b9dc72a8b3 in qtest_read
/home/alxndr/Development/qemu/qtest.c:722:5
#14 0x55b9ddc6e60b in qemu_chr_be_write_impl
/home/alxndr/Development/qemu/chardev/char.c:183:9
#15 0x55b9ddc6e75a in qemu_chr_be_write
/home/alxndr/Development/qemu/chardev/char.c:195:9
#16 0x55b9ddc77979 in fd_chr_read
/home/alxndr/Development/qemu/chardev/char-fd.c:68:9
#17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch
/home/alxndr/Development/qemu/io/channel-watch.c:84:12
#18 0x7f7161eac897 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
#19 0x55b9ddebcb84 in glib_pollfds_poll
/home/alxndr/Development/qemu/util/main-loop.c:219:9
#20 0x55b9ddebb57d in os_host_main_loop_wait
/home/alxndr/Development/qemu/util/main-loop.c:242:5
#21 0x55b9ddebb176 in main_loop_wait
/home/alxndr/Development/qemu/util/main-loop.c:518:11
#22 0x55b9dcb4bd1d in qemu_main_loop
/home/alxndr/Development/qemu/softmmu/vl.c:1664:9
#23 0x55b9ddd1629c in main
/home/alxndr/Development/qemu/softmmu/main.c:49:5
#24 0x7f7160a5ce0a in __libc_start_main
/build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
#25 0x55b9dc49c819 in _start
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)
I can reproduce this in qemu 5.0 built with AddressSanitizer using these
qtest commands:
cat << EOF | ./qemu-system-i386 \
-qtest stdio -nographic -monitor none -serial none \
-M pc-q35-5.0
outl 0xcf8 0x8400f841
outl 0xcfc 0xaa215d6d
outl 0x6d30 0x2ef8ffbe
outb 0xb2 0x20
EOF
Please let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878645/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1878645] Re: null-ptr dereference in ich9_apm_ctrl_changed,
Philippe Mathieu-Daudé <=