QEMU

Heap-overflow (read) in sd_erase

Bug #1895310 reported by Alexander Bulekov on 2020-09-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

Hello,
One more bug in sd ...

cat << EOF | ./qemu-system-i386 -nodefaults \
-device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -qtest stdio -m 64m -trace 'sd*'
outl 0xcf8 0x80001003
outl 0xcfc 0xd735d735
outl 0xcf8 0x80001011
outl 0xcfc 0x3405064c
write 0x5064c2c 0x1 0xd7
write 0x5064c0f 0x1 0xf7
write 0x5064c05 0x1 0xd7
write 0x5064c0a 0x1 0x84
write 0x5064c0b 0x1 0x4c
write 0x5064c0c 0x1 0x11
write 0x5064c0f 0x1 0xa9
write 0x5064c0f 0x1 0x02
write 0x5064c0f 0x1 0x03
write 0x5064c0e 0x1 0x2c
write 0x5064c0f 0x1 0x06
write 0x5064c0f 0x1 0xe1
write 0x5064c0f 0x1 0x60
write 0x5064c0f 0x1 0x26
EOF

The crash:
==133840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000059e78 at pc 0x55abd1d761e6 bp 0x7ffc12800630 sp 0x7ffc12800628
READ of size 8 at 0x607000059e78 thread T0
    #0 0x55abd1d761e5 in test_bit /home/alxndr/Development/qemu/general-fuzz/include/qemu/bitops.h:135:19
    #1 0x55abd1d6cb1e in sd_erase /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:771:13
    #2 0x55abd1d4c893 in sd_normal_command /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:1412:13
    #3 0x55abd1d33c5d in sd_do_command /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:1724:17
    #4 0x55abd20117a4 in sdbus_do_command /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/core.c:99:16
    #5 0x55abd27ecc90 in sdhci_send_command /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:326:12
    #6 0x55abd27e16ed in sdhci_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sdhci.c:1136:9
    #7 0x55abd43aacc0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
    #8 0x55abd43aa19d in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
    #9 0x55abd43a7e50 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
    #10 0x55abd3de5dc6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
    #11 0x55abd3dced98 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
    #12 0x55abd3dce8c8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
    #13 0x55abd3ffabbc in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:567:9
    #14 0x55abd3feb8be in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
    #15 0x55abd3fea663 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
    #16 0x55abd51cb9a2 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
    #17 0x55abd51cbaea in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
    #18 0x55abd51e6264 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
    #19 0x55abd515bef6 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
    #20 0x7fd5d58bd4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
    #21 0x55abd54db327 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
    #22 0x55abd54d8c27 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
    #23 0x55abd54d8607 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
    #24 0x55abd3d55afd in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
    #25 0x55abd16df67c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
    #26 0x7fd5d4ec0cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
    #27 0x55abd1634e59 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d3ee59)

0x607000059e78 is located 0 bytes to the right of 72-byte region [0x607000059e30,0x607000059e78)
allocated by thread T0 here:
    #0 0x55abd16ad712 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2db7712)
    #1 0x55abd1d75464 in bitmap_try_new /home/alxndr/Development/qemu/general-fuzz/include/qemu/bitmap.h:96:12
    #2 0x55abd1d74bd4 in bitmap_new /home/alxndr/Development/qemu/general-fuzz/include/qemu/bitmap.h:101:26
    #3 0x55abd1d67b68 in sd_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/sd/sd.c:576:21
    #4 0x55abd47f34b2 in device_transitional_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:1114:9
    #5 0x55abd47f8ca9 in resettable_phase_hold /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:182:13
    #6 0x55abd47afdbd in bus_reset_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/bus.c:94:9
    #7 0x55abd47fdac3 in resettable_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
    #8 0x55abd47f8685 in resettable_phase_hold /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
    #9 0x55abd47ec5f8 in device_reset_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:358:9
    #10 0x55abd47fdac3 in resettable_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
    #11 0x55abd47f8685 in resettable_phase_hold /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
    #12 0x55abd47afdbd in bus_reset_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/bus.c:94:9
    #13 0x55abd47fdac3 in resettable_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
    #14 0x55abd47f8685 in resettable_phase_hold /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
    #15 0x55abd47ec5f8 in device_reset_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/qdev.c:358:9
    #16 0x55abd47fdac3 in resettable_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
    #17 0x55abd47f8685 in resettable_phase_hold /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
    #18 0x55abd47afdbd in bus_reset_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/bus.c:94:9
    #19 0x55abd47fdac3 in resettable_child_foreach /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:96:9
    #20 0x55abd47f8685 in resettable_phase_hold /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:173:5
    #21 0x55abd47f6b28 in resettable_assert_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:60:5
    #22 0x55abd47f68cf in resettable_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:45:5
    #23 0x55abd47fb779 in resettable_cold_reset_fn /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/resettable.c:269:5
    #24 0x55abd47f67e5 in qemu_devices_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/core/reset.c:69:9
    #25 0x55abd35a5c1e in pc_machine_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/i386/pc.c:1901:5
    #26 0x55abd3d52d9e in qemu_system_reset /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1403:9
    #27 0x55abd3d67d2e in qemu_init /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:4458:5
    #28 0x55abd16df677 in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:49:5
    #29 0x7fd5d4ec0cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/alxndr/Development/qemu/general-fuzz/include/qemu/bitops.h:135:19 in test_bit

-Alex

See original description

Alexander Bulekov (a1xndr) on 2020-09-11

description:

updated

Revision history for this message

Philippe Mathieu-Daudé (philmd) wrote on 2020-09-18:

Tentative fix:
https://lists.gnu.org/archive/html/qemu-devel/2020-09/msg06828.html

Revision history for this message

Philippe Mathieu-Daudé (philmd) wrote on 2020-10-22:

Fixed in commit 1bd6fd8ed5933bfba53e5f5eadebd845094c3707.

Changed in qemu:
status:	New → Fix Committed

Revision history for this message

Thomas Huth (th-huth) wrote on 2020-12-10:

Released with QEMU v5.2.0.

Changed in qemu:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.