aarch64-virt: heap-buffer-overflow in address_space_lookup_region

Bug #1913916 reported by Alexander Bulekov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Undecided
Unassigned

Bug Description

Reproducer:
cat << EOF | ./qemu-system-aarch64 \
-machine virt,accel=qtest -qtest stdio
writel 0x8000f00 0xff4affb0
writel 0x8000f00 0xf2f8017f
writeq 0x801000e 0x5a5a5a6c8ff7004b
writeq 0x8010010 0x5a5a5a5a73ba2f00
writel 0x8000000 0x3bf5a03
writel 0x8000000 0x3bf5a03
writeq 0x8010000 0x10ffff03fbffffff
writel 0x8000f1f 0x5a55fc00
readl 0x8011f00
readl 0x80000d3
readl 0x80000d3
clock_step
writeq 0x4010008004 0x4604fffdffc54c01
writeq 0x4010008002 0xf7478b3f5aff5a55
writel 0x8000f00 0x2d6954
writel 0x800005a 0x2706fcf
readq 0x800002c
readw 0x9000004
readq 0x800002c
writeq 0x801000e 0x5555017f00017f00
writew 0x8010000 0x55
writew 0x8010000 0x465a
writew 0x8010000 0x55
writew 0x8010000 0xaf00
writeq 0x8010015 0x3b5a5a5555460000
writeq 0x8010015 0xd546002b2b000000
writeq 0x8010015 0xc44ea5aaaab9ffff
readq 0x8000a5a
EOF

Stacktrace:
==638893==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000022b84 at pc 0x55915c484d92 bp 0x7ffcde114a00 sp 0x7ffcde1149f8
READ of size 2 at 0x629000022b84 thread T0
    #0 0x55915c484d91 in address_space_lookup_region /home/alxndr/Development/qemu/build/../softmmu/physmem.c:345:36
    #1 0x55915c484d91 in address_space_translate_internal /home/alxndr/Development/qemu/build/../softmmu/physmem.c:359:15
    #2 0x55915c481d90 in flatview_do_translate /home/alxndr/Development/qemu/build/../softmmu/physmem.c:497:15
    #3 0x55915c48214e in flatview_translate /home/alxndr/Development/qemu/build/../softmmu/physmem.c:563:15
    #4 0x55915c107ff9 in address_space_read /home/alxndr/Development/qemu/include/exec/memory.h:2477:18
    #5 0x55915c107ff9 in qtest_process_command /home/alxndr/Development/qemu/build/../softmmu/qtest.c:572:13
    #6 0x55915c102b97 in qtest_process_inbuf /home/alxndr/Development/qemu/build/../softmmu/qtest.c:797:9
    #7 0x55915c953286 in fd_chr_read /home/alxndr/Development/qemu/build/../chardev/char-fd.c:68:9
    #8 0x7f02be25daae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
    #9 0x55915cfae363 in glib_pollfds_poll /home/alxndr/Development/qemu/build/../util/main-loop.c:232:9
    #10 0x55915cfae363 in os_host_main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:255:5
    #11 0x55915cfae363 in main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:531:11
    #12 0x55915c069599 in qemu_main_loop /home/alxndr/Development/qemu/build/../softmmu/runstate.c:721:9
    #13 0x55915a2f61fd in main /home/alxndr/Development/qemu/build/../softmmu/main.c:50:5
    #14 0x7f02bdd02cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
    #15 0x55915a249bc9 in _start (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)

0x629000022b84 is located 660 bytes to the right of 18160-byte region [0x62900001e200,0x6290000228f0)
allocated by thread T0 here:
    #0 0x55915a2c3c3d in malloc (/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x33cac3d)
    #1 0x7f02be263a88 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57a88)
    #2 0x55915c932cbd in qdev_new /home/alxndr/Development/qemu/build/../hw/core/qdev.c:153:19
    #3 0x55915b559360 in create_gic /home/alxndr/Development/qemu/build/../hw/arm/virt.c:631:16
    #4 0x55915b5449d2 in machvirt_init /home/alxndr/Development/qemu/build/../hw/arm/virt.c:1966:5
    #5 0x55915a62bac0 in machine_run_board_init /home/alxndr/Development/qemu/build/../hw/core/machine.c:1169:5
    #6 0x55915c02b8d8 in qemu_init_board /home/alxndr/Development/qemu/build/../softmmu/vl.c:2455:5
    #7 0x55915c02b8d8 in qmp_x_exit_preconfig /home/alxndr/Development/qemu/build/../softmmu/vl.c:2526:5
    #8 0x55915c035d91 in qemu_init /home/alxndr/Development/qemu/build/../softmmu/vl.c:3533:9
    #9 0x55915a2f61f8 in main /home/alxndr/Development/qemu/build/../softmmu/main.c:49:5
    #10 0x7f02bdd02cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

Changed in qemu:
status: New → Confirmed
Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote :
Revision history for this message
Peter Maydell (pmaydell) wrote :

This is a duplicate of the rather simpler bug 1913917. The overrun occurs on the first
writel 0x8000f00 0xff4affb0, which corrupts memory and eventually results in the crash described in the backtrace. I'm not sure why the fuzzer isn't just reporting the original overrun.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers