[Bug 1895310] Re: Heap-overflow (read) in sd

qemu-devel
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1895310] Re: Heap-overflow (read) in sd_erase

From:	Philippe Mathieu-Daudé
Subject:	[Bug 1895310] Re: Heap-overflow (read) in sd_erase
Date:	Fri, 18 Sep 2020 18:01:44 -0000
Tentative fix:
https://lists.gnu.org/archive/html/qemu-devel/2020-09/msg06828.html

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1895310

Title:
  Heap-overflow (read) in sd_erase

Status in QEMU:
  New

Bug description:
  Hello,
  One more bug in sd ...

  cat << EOF | ./qemu-system-i386 -nodefaults \
  -device sdhci-pci,sd-spec-version=3 \
  -device sd-card,drive=mydrive \
  -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
  -nographic -qtest stdio -m 64m -trace 'sd*'
  outl 0xcf8 0x80001003
  outl 0xcfc 0xd735d735
  outl 0xcf8 0x80001011
  outl 0xcfc 0x3405064c
  write 0x5064c2c 0x1 0xd7
  write 0x5064c0f 0x1 0xf7
  write 0x5064c05 0x1 0xd7
  write 0x5064c0a 0x1 0x84
  write 0x5064c0b 0x1 0x4c
  write 0x5064c0c 0x1 0x11
  write 0x5064c0f 0x1 0xa9
  write 0x5064c0f 0x1 0x02
  write 0x5064c0f 0x1 0x03
  write 0x5064c0e 0x1 0x2c
  write 0x5064c0f 0x1 0x06
  write 0x5064c0f 0x1 0xe1
  write 0x5064c0f 0x1 0x60
  write 0x5064c0f 0x1 0x26
  EOF

  The crash:
  ==133840==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x607000059e78 at pc 0x55abd1d761e6 bp 0x7ffc12800630 sp 0x7ffc12800628
  READ of size 8 at 0x607000059e78 thread T0
      #0 0x55abd1d761e5 in test_bit 
/home/alxndr/Development/qemu/general-fuzz/include/qemu/bitops.h:135:19
      #1 0x55abd1d6cb1e in sd_erase 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:771:13
      #2 0x55abd1d4c893 in sd_normal_command 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:1412:13
      #3 0x55abd1d33c5d in sd_do_command 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:1724:17
      #4 0x55abd20117a4 in sdbus_do_command 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/core.c:99:16
      #5 0x55abd27ecc90 in sdhci_send_command 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:326:12
      #6 0x55abd27e16ed in sdhci_write 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:1136:9
      #7 0x55abd43aacc0 in memory_region_write_accessor 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
      #8 0x55abd43aa19d in access_with_adjusted_size 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
      #9 0x55abd43a7e50 in memory_region_dispatch_write 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
      #10 0x55abd3de5dc6 in flatview_write_continue 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
      #11 0x55abd3dced98 in flatview_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
      #12 0x55abd3dce8c8 in address_space_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
      #13 0x55abd3ffabbc in qtest_process_command 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:567:9
      #14 0x55abd3feb8be in qtest_process_inbuf 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
      #15 0x55abd3fea663 in qtest_read 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
      #16 0x55abd51cb9a2 in qemu_chr_be_write_impl 
/home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
      #17 0x55abd51cbaea in qemu_chr_be_write 
/home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
      #18 0x55abd51e6264 in fd_chr_read 
/home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
      #19 0x55abd515bef6 in qio_channel_fd_source_dispatch 
/home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
      #20 0x7fd5d58bd4cd in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
      #21 0x55abd54db327 in glib_pollfds_poll 
/home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
      #22 0x55abd54d8c27 in os_host_main_loop_wait 
/home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
      #23 0x55abd54d8607 in main_loop_wait 
/home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
      #24 0x55abd3d55afd in qemu_main_loop 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
      #25 0x55abd16df67c in main 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
      #26 0x7fd5d4ec0cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
      #27 0x55abd1634e59 in _start 
(/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d3ee59)

  0x607000059e78 is located 0 bytes to the right of 72-byte region 
[0x607000059e30,0x607000059e78)
  allocated by thread T0 here:
      #0 0x55abd16ad712 in calloc 
(/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2db7712)
      #1 0x55abd1d75464 in bitmap_try_new 
/home/alxndr/Development/qemu/general-fuzz/include/qemu/bitmap.h:96:12
      #2 0x55abd1d74bd4 in bitmap_new 
/home/alxndr/Development/qemu/general-fuzz/include/qemu/bitmap.h:101:26
      #3 0x55abd1d67b68 in sd_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:576:21
      #4 0x55abd47f34b2 in device_transitional_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:1114:9
      #5 0x55abd47f8ca9 in resettable_phase_hold 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:182:13
      #6 0x55abd47afdbd in bus_reset_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/bus.c:94:9
      #7 0x55abd47fdac3 in resettable_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
      #8 0x55abd47f8685 in resettable_phase_hold 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
      #9 0x55abd47ec5f8 in device_reset_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:358:9
      #10 0x55abd47fdac3 in resettable_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
      #11 0x55abd47f8685 in resettable_phase_hold 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
      #12 0x55abd47afdbd in bus_reset_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/bus.c:94:9
      #13 0x55abd47fdac3 in resettable_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
      #14 0x55abd47f8685 in resettable_phase_hold 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
      #15 0x55abd47ec5f8 in device_reset_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:358:9
      #16 0x55abd47fdac3 in resettable_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
      #17 0x55abd47f8685 in resettable_phase_hold 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
      #18 0x55abd47afdbd in bus_reset_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/bus.c:94:9
      #19 0x55abd47fdac3 in resettable_child_foreach 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
      #20 0x55abd47f8685 in resettable_phase_hold 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
      #21 0x55abd47f6b28 in resettable_assert_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:60:5
      #22 0x55abd47f68cf in resettable_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:45:5
      #23 0x55abd47fb779 in resettable_cold_reset_fn 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:269:5
      #24 0x55abd47f67e5 in qemu_devices_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/core/reset.c:69:9
      #25 0x55abd35a5c1e in pc_machine_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/i386/pc.c:1901:5
      #26 0x55abd3d52d9e in qemu_system_reset 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1403:9
      #27 0x55abd3d67d2e in qemu_init 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:4458:5
      #28 0x55abd16df677 in main 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:49:5
      #29 0x7fd5d4ec0cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

  SUMMARY: AddressSanitizer: heap-buffer-overflow
  /home/alxndr/Development/qemu/general-
  fuzz/include/qemu/bitops.h:135:19 in test_bit

  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1895310/+subscriptions
[Prev in Thread]
Current Thread
[Next in Thread]
[Bug 1895310] [NEW] Heap-overflow (read) in sd_erase, Alexander Bulekov, 2020/09/11
- [Bug 1895310] Re: Heap-overflow (read) in sd_erase, Philippe Mathieu-Daudé <=
Prev by Date: [PULL 2/2] analyze-migration.py: fix read_migration_debug_json() return type
Next by Date: Re: [PATCH 06/37] qapi: delint using flake8
Previous by thread: [Bug 1895310] [NEW] Heap-overflow (read) in sd_erase
Next by thread: Re: [PATCH] WHPX: vmware cpuid leaf for tsc and apic frequency
Index(es):
- Date
- Thread