QEMU

aarc64-virt: Null-ptr dereference through virtio_write_config

Bug #1913915 reported by Alexander Bulekov on 2021-01-31

This bug report is a duplicate of: Bug #1914353: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	New	Undecided	Unassigned

Bug Description

Reproducer:
cat << EOF | ./qemu-system-aarch64 \
-machine virt,accel=qtest -qtest stdio
writel 0x8000f00 0x81818191
write 0x4010008004 0x1 0x06
EOF

Stacktrace:
../hw/intc/arm_gic.c:1498:13: runtime error: index 401 out of bounds for type 'uint8_t [16][8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 in
OK
[S +0.048579] OK
[R +0.048593] write 0x4010008004 0x1 0x06
../softmmu/memory.c:834:35: runtime error: member access within null pointer of type 'MemoryRegionIoeventfd' (aka 'struct MemoryRegionIoeventfd')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../softmmu/memory.c:834:35 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==637204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b2560417c1 bp 0x7ffefc928270 sp 0x7ffefc928020 T0)
==637204==The signal is caused by a READ memory access.
==637204==Hint: address points to the zero page.
    #0 0x55b2560417c1 in addrrange_shift /home/alxndr/Development/qemu/build/../softmmu/memory.c:80:44
    #1 0x55b2560417c1 in address_space_update_ioeventfds /home/alxndr/Development/qemu/build/../softmmu/memory.c:834:19
    #2 0x55b2560408c7 in memory_region_transaction_commit /home/alxndr/Development/qemu/build/../softmmu/memory.c:1100:17
    #3 0x55b25481e065 in pci_update_mappings /home/alxndr/Development/qemu/build/../hw/pci/pci.c:1363:13
    #4 0x55b25481cec7 in pci_default_write_config /home/alxndr/Development/qemu/build/../hw/pci/pci.c:1423:9
    #5 0x55b254806227 in virtio_write_config /home/alxndr/Development/qemu/build/../hw/virtio/virtio-pci.c:608:5
    #6 0x55b2551f6e65 in pci_host_config_write_common /home/alxndr/Development/qemu/build/../hw/pci/pci_host.c:83:5
    #7 0x55b2560481fe in memory_region_write_accessor /home/alxndr/Development/qemu/build/../softmmu/memory.c:491:5
    #8 0x55b256047bfb in access_with_adjusted_size /home/alxndr/Development/qemu/build/../softmmu/memory.c:552:18
    #9 0x55b256047467 in memory_region_dispatch_write /home/alxndr/Development/qemu/build/../softmmu/memory.c
    #10 0x55b2563d7ffb in flatview_write_continue /home/alxndr/Development/qemu/build/../softmmu/physmem.c:2759:23
    #11 0x55b2563cd71b in flatview_write /home/alxndr/Development/qemu/build/../softmmu/physmem.c:2799:14
    #12 0x55b2563cd71b in address_space_write /home/alxndr/Development/qemu/build/../softmmu/physmem.c:2891:18
    #13 0x55b256039d35 in qtest_process_command /home/alxndr/Development/qemu/build/../softmmu/qtest.c:654:9
    #14 0x55b256032b97 in qtest_process_inbuf /home/alxndr/Development/qemu/build/../softmmu/qtest.c:797:9
    #15 0x55b256883286 in fd_chr_read /home/alxndr/Development/qemu/build/../chardev/char-fd.c:68:9
    #16 0x7f8d8faf5aae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
    #17 0x55b256ede363 in glib_pollfds_poll /home/alxndr/Development/qemu/build/../util/main-loop.c:232:9
    #18 0x55b256ede363 in os_host_main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:255:5
    #19 0x55b256ede363 in main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:531:11
    #20 0x55b255f99599 in qemu_main_loop /home/alxndr/Development/qemu/build/../softmmu/runstate.c:721:9
    #21 0x55b2542261fd in main /home/alxndr/Development/qemu/build/../softmmu/main.c:50:5
    #22 0x7f8d8f59acc9 in __libc_start_main csu/../csu/libc-start.c:308:16
    #23 0x55b254179bc9 in _start (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/build/../softmmu/memory.c:80:44 in addrrange_shift
==637204==ABORTING

Tags: