QEMU

[OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma

Bug #1907497 reported by Alexander Bulekov
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Invalid
Undecided
Unassigned

Bug Description

 affects qemu

=== Reproducer (build with --enable-sanitizers) ===

cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \
-device intel-hda,id=hda0 -device hda-output,bus=hda0.0 \
-device hda-micro,bus=hda0.0 -device hda-duplex,bus=hda0.0 \
-qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0xffff
write 0x0 0x1 0x12
write 0x2 0x1 0x2f
outl 0xcf8 0x80000811
outl 0xcfc 0x5a6a4406
write 0x6a44005a 0x1 0x11
write 0x6a44005c 0x1 0x3f
write 0x6a442050 0x4 0x0000446a
write 0x6a44204a 0x1 0xf3
write 0x6a44204c 0x1 0xff
writeq 0x6a44005a 0x17b3f0011
write 0x6a442050 0x4 0x0000446a
write 0x6a44204a 0x1 0xf3
write 0x6a44204c 0x1 0xff
EOF

=== Stack Trace ===
==411958==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcaeb8bc88 (pc 0x55c7c9dc1159 bp 0x7ffcaeb8c4d0 sp 0x7ffcaeb8bc90 T0)
    #0 0x55c7c9dc1159 in __asan_memcpy (u-system-i386+0x2a13159)
    #1 0x55c7cb2a457e in flatview_do_translate softmmu/physmem.c:513:12
    #2 0x55c7cb2bdab0 in flatview_translate softmmu/physmem.c:563:15
    #3 0x55c7cb2bdab0 in flatview_read softmmu/physmem.c:2861:10
    #4 0x55c7cb2bdab0 in address_space_read_full softmmu/physmem.c:2875:18
    #5 0x55c7caaec937 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
    #6 0x55c7caaec937 in dma_memory_rw include/sysemu/dma.h:110:12
    #7 0x55c7caaec937 in dma_memory_read include/sysemu/dma.h:116:12
    #8 0x55c7caaec937 in ldl_le_dma include/sysemu/dma.h:179:1
    #9 0x55c7caaec937 in ldl_le_pci_dma include/hw/pci/pci.h:816:1
    #10 0x55c7caaec937 in intel_hda_corb_run hw/audio/intel-hda.c:338:16
    #11 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
    #12 0x55c7cb2e6bd3 in access_with_adjusted_size softmmu/memory.c:552:18
    #13 0x55c7cb2e646c in memory_region_dispatch_write softmmu/memory.c
    #14 0x55c7cb2c8445 in flatview_write_continue softmmu/physmem.c:2759:23
    #15 0x55c7cb2bdfb8 in flatview_write softmmu/physmem.c:2799:14
    #16 0x55c7cb2bdfb8 in address_space_write softmmu/physmem.c:2891:18
    #17 0x55c7caae2c54 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
    #18 0x55c7caae2c54 in dma_memory_rw include/sysemu/dma.h:110:12
    #19 0x55c7caae2c54 in dma_memory_write include/sysemu/dma.h:122:12
    #20 0x55c7caae2c54 in stl_le_dma include/sysemu/dma.h:179:1
    #21 0x55c7caae2c54 in stl_le_pci_dma include/hw/pci/pci.h:816:1
    #22 0x55c7caae2c54 in intel_hda_response hw/audio/intel-hda.c:370:5
    #23 0x55c7caaeca00 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
    #24 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
...

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435

Tags: fuzzer

CVE References

Peter Maydell (pmaydell)
tags: added: fuzzer
Thomas Huth (th-huth)
Changed in qemu:
status: New → Confirmed
Revision history for this message
Gianluca Gabruelli (crazy8yte) wrote :

I think this [0] commit actually fixes this bug, can someone please confirm it?

[0] https://github.com/qemu/qemu/commit/1bf8b88f144bee747e386c88d45d772e066bbb36

Revision history for this message
Thomas Huth (th-huth) wrote :

No, I can still reproduce this issue with current version from the git repo (commit 8f521741e1280f0957ac1) ... when I compile QEMU with Clang and --enable-sanitizers, the reproducer still crashes with "ERROR: AddressSanitizer: stack-overflow"

Revision history for this message
Mauro Matteo Cascella (mauro-cascella) wrote :

Just FYI, this issue was assigned CVE-2021-3611 by Red Hat.

Revision history for this message
Gianluca Gabruelli (crazy8yte) wrote :

@Thomas, could you try by compiling qemu with a commit close to the timeframe mentioned here [0]?

[0] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435#c2

Revision history for this message
Thomas Huth (th-huth) wrote :

@Gianluca: The problem still reproduces with the current master branch (commit 13d5f87cc3b94bfccc5), so the problem is definitely not fixed yet. So no, I certainly won't waste my time trying it on older versions.

Revision history for this message
Alexander Bulekov (a1xndr) wrote :

I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:

https://gitlab.com/qemu-project/qemu/-/issues/542

Revision history for this message
Thomas Huth (th-huth) wrote :

Thanks for moving it over! ... let's close this one here on Launchpad now.

Changed in qemu:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.