* [Bug 1892963] [NEW] Heap-use-after-free in put_dwords through ehci_flush_qh
@ 2020-08-26 2:04 Alexander Bulekov
2021-05-27 14:43 ` [Bug 1892963] " Thomas Huth
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Alexander Bulekov @ 2020-08-26 2:04 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,\
port=2,drive=usbcdrom \
-display none -nodefaults -qtest stdio -accel qtest
outl 0xcf8 0x8000ef02
outl 0xcfc 0xfbff0061
outl 0xcf8 0x8000ef11
outl 0xcfc 0x60606060
writeq 0x60606065 0xb70560ff84ffff7f
writeq 0x60606065 0xff0004fe050000ff
writeq 0x60606020 0xff015e5c057b0039
writeq 0x60606033 0x846c8a0200000611
write 0x2000004 0x4 0x4a606060
write 0x8 0x4 0x97a98095
write 0x0 0x4 0x4a606060
write 0x4 0x4 0x97a98095
write 0xc 0x4 0x4a606060
write 0x10 0x4 0x97a98095
write 0x14 0x4 0x4a606060
write 0x18 0x4 0x97a98095
write 0x1c 0x4 0x4a606060
clock_step
EOF
The trace:
797726@1598407357.169284:usb_port_claim bus 0, port 2
797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high
797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186943:usb_ehci_reset === RESET ===
797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0
797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
[R +0.073737] outl 0xcf8 0x8000ef02
OK
[S +0.073774] OK
[R +0.073801] outl 0xcfc 0xfbff0061
OK
[S +0.075074] OK
[R +0.075108] outl 0xcf8 0x8000ef11
OK
[S +0.075126] OK
[R +0.075135] outl 0xcfc 0x60606060
OK
[S +0.076290] OK
[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f
797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84
797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.194971:usb_ehci_port_suspend port #1
797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003)
OK
[S +0.076363] OK
[R +0.076377] writeq 0x60606065 0xff0004fe050000ff
797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05
797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183)
OK
[S +0.076439] OK
[R +0.076457] writeq 0x60606020 0xff015e5c057b0039
797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039
attempt to set frame list size -- value 8
797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000)
797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c
797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0
797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4)
OK
[S +0.076519] OK
[R +0.076534] writeq 0x60606033 0x846c8a0200000611
797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006
ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0)
OK
[S +0.076562] OK
[R +0.076574] write 0x2000004 0x4 0x4a606060
OK
[S +0.076855] OK
[R +0.076869] write 0x8 0x4 0x97a98095
OK
[S +0.077214] OK
[R +0.077225] write 0x0 0x4 0x4a606060
OK
[S +0.077233] OK
[R +0.077242] write 0x4 0x4 0x97a98095
OK
[S +0.077250] OK
[R +0.077258] write 0xc 0x4 0x4a606060
OK
[S +0.077266] OK
[R +0.077274] write 0x10 0x4 0x97a98095
OK
[S +0.077281] OK
[R +0.077289] write 0x14 0x4 0x4a606060
OK
[S +0.077295] OK
[R +0.077304] write 0x18 0x4 0x97a98095
OK
[S +0.077310] OK
[R +0.077325] write 0x1c 0x4 0x4a606060
OK
[S +0.077333] OK
[R +0.077340] clock_step
OK 27462700
[S +0.077415] OK 27462700
797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE
797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1
797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY
797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH
797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc
797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0
797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0
797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0
797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0
797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0
797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0
797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0
797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0
797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 0x0
797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000
797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005
797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000
797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000
797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0
797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0
797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset
797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE
797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD
797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997
797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1
797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0
797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc
797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE
797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0
797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0)
797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a
797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981
797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0)
797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997
797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0)
797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a
797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900
797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040
797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000)
797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997
797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.196437:usb_ehci_port_suspend port #1
797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005)
797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a
797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000)
797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup
797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe
797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0)
797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe
797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe
797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981)
797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe
797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997)
797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe
797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe
797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe
797726@1598407357.196573:usb_ehci_port_suspend port #0
797726@1598407357.196577:usb_ehci_port_resume port #0
797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040)
797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe
797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free
797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel
797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free
797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196655:usb_ehci_port_suspend port #1
797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185)
797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe
797726@1598407357.196674:usb_ehci_port_suspend port #2
797726@1598407357.196679:usb_ehci_port_resume port #2
797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040)
797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe
797726@1598407357.196699:usb_ehci_port_suspend port #3
797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000)
797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe
797726@1598407357.196716:usb_ehci_port_suspend port #4
797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000)
797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe
797726@1598407357.196729:usb_ehci_port_suspend port #5
797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000)
=================================================================
==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8
READ of size 4 at 0x6110000443e8 thread T0
#0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28
#1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#11 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
#12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478)
freed by thread T0 here:
#0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd)
#1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5
#2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9
#3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17
#4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9
#5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5
#6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5
#7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5
#8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13
#9 0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9
#16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5
#17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9
#18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#26 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
previously allocated by thread T0 here:
#0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
#1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
#2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13
#3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21
#4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap
Shadow bytes around the buggy address:
0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==797726==ABORTING
-Alex
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892963
Title:
Heap-use-after-free in put_dwords through ehci_flush_qh
Status in QEMU:
New
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,\
port=2,drive=usbcdrom \
-display none -nodefaults -qtest stdio -accel qtest
outl 0xcf8 0x8000ef02
outl 0xcfc 0xfbff0061
outl 0xcf8 0x8000ef11
outl 0xcfc 0x60606060
writeq 0x60606065 0xb70560ff84ffff7f
writeq 0x60606065 0xff0004fe050000ff
writeq 0x60606020 0xff015e5c057b0039
writeq 0x60606033 0x846c8a0200000611
write 0x2000004 0x4 0x4a606060
write 0x8 0x4 0x97a98095
write 0x0 0x4 0x4a606060
write 0x4 0x4 0x97a98095
write 0xc 0x4 0x4a606060
write 0x10 0x4 0x97a98095
write 0x14 0x4 0x4a606060
write 0x18 0x4 0x97a98095
write 0x1c 0x4 0x4a606060
clock_step
EOF
The trace:
797726@1598407357.169284:usb_port_claim bus 0, port 2
797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high
797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186943:usb_ehci_reset === RESET ===
797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0
797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
[R +0.073737] outl 0xcf8 0x8000ef02
OK
[S +0.073774] OK
[R +0.073801] outl 0xcfc 0xfbff0061
OK
[S +0.075074] OK
[R +0.075108] outl 0xcf8 0x8000ef11
OK
[S +0.075126] OK
[R +0.075135] outl 0xcfc 0x60606060
OK
[S +0.076290] OK
[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f
797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84
797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.194971:usb_ehci_port_suspend port #1
797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003)
OK
[S +0.076363] OK
[R +0.076377] writeq 0x60606065 0xff0004fe050000ff
797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05
797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183)
OK
[S +0.076439] OK
[R +0.076457] writeq 0x60606020 0xff015e5c057b0039
797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039
attempt to set frame list size -- value 8
797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000)
797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c
797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0
797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4)
OK
[S +0.076519] OK
[R +0.076534] writeq 0x60606033 0x846c8a0200000611
797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006
ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0)
OK
[S +0.076562] OK
[R +0.076574] write 0x2000004 0x4 0x4a606060
OK
[S +0.076855] OK
[R +0.076869] write 0x8 0x4 0x97a98095
OK
[S +0.077214] OK
[R +0.077225] write 0x0 0x4 0x4a606060
OK
[S +0.077233] OK
[R +0.077242] write 0x4 0x4 0x97a98095
OK
[S +0.077250] OK
[R +0.077258] write 0xc 0x4 0x4a606060
OK
[S +0.077266] OK
[R +0.077274] write 0x10 0x4 0x97a98095
OK
[S +0.077281] OK
[R +0.077289] write 0x14 0x4 0x4a606060
OK
[S +0.077295] OK
[R +0.077304] write 0x18 0x4 0x97a98095
OK
[S +0.077310] OK
[R +0.077325] write 0x1c 0x4 0x4a606060
OK
[S +0.077333] OK
[R +0.077340] clock_step
OK 27462700
[S +0.077415] OK 27462700
797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE
797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1
797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY
797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH
797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc
797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0
797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0
797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0
797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0
797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0
797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0
797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0
797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0
797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 0x0
797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000
797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005
797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000
797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000
797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0
797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0
797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset
797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE
797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD
797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997
797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1
797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0
797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc
797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE
797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0
797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0)
797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a
797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981
797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0)
797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997
797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0)
797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a
797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900
797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040
797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000)
797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997
797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.196437:usb_ehci_port_suspend port #1
797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005)
797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a
797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000)
797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup
797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe
797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0)
797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe
797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe
797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981)
797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe
797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997)
797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe
797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe
797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe
797726@1598407357.196573:usb_ehci_port_suspend port #0
797726@1598407357.196577:usb_ehci_port_resume port #0
797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040)
797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe
797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free
797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel
797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free
797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196655:usb_ehci_port_suspend port #1
797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185)
797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe
797726@1598407357.196674:usb_ehci_port_suspend port #2
797726@1598407357.196679:usb_ehci_port_resume port #2
797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040)
797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe
797726@1598407357.196699:usb_ehci_port_suspend port #3
797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000)
797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe
797726@1598407357.196716:usb_ehci_port_suspend port #4
797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000)
797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe
797726@1598407357.196729:usb_ehci_port_suspend port #5
797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000)
=================================================================
==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8
READ of size 4 at 0x6110000443e8 thread T0
#0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28
#1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#11 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
#12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478)
freed by thread T0 here:
#0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd)
#1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5
#2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9
#3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17
#4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9
#5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5
#6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5
#7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5
#8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13
#9 0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9
#16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5
#17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9
#18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#26 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
previously allocated by thread T0 here:
#0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
#1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
#2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13
#3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21
#4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap
Shadow bytes around the buggy address:
0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==797726==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892963/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1892963] Re: Heap-use-after-free in put_dwords through ehci_flush_qh
2020-08-26 2:04 [Bug 1892963] [NEW] Heap-use-after-free in put_dwords through ehci_flush_qh Alexander Bulekov
@ 2021-05-27 14:43 ` Thomas Huth
2021-08-21 4:11 ` Alexander Bulekov
2021-08-21 6:17 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-05-27 14:43 UTC (permalink / raw)
To: qemu-devel
I can still reproduce this issue when compiling the current version of
QEMU with Clang + asan. Marking as "Confirmed".
** Tags added: fuzzer usb
** Changed in: qemu
Status: New => Confirmed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892963
Title:
Heap-use-after-free in put_dwords through ehci_flush_qh
Status in QEMU:
Confirmed
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,\
port=2,drive=usbcdrom \
-display none -nodefaults -qtest stdio -accel qtest
outl 0xcf8 0x8000ef02
outl 0xcfc 0xfbff0061
outl 0xcf8 0x8000ef11
outl 0xcfc 0x60606060
writeq 0x60606065 0xb70560ff84ffff7f
writeq 0x60606065 0xff0004fe050000ff
writeq 0x60606020 0xff015e5c057b0039
writeq 0x60606033 0x846c8a0200000611
write 0x2000004 0x4 0x4a606060
write 0x8 0x4 0x97a98095
write 0x0 0x4 0x4a606060
write 0x4 0x4 0x97a98095
write 0xc 0x4 0x4a606060
write 0x10 0x4 0x97a98095
write 0x14 0x4 0x4a606060
write 0x18 0x4 0x97a98095
write 0x1c 0x4 0x4a606060
clock_step
EOF
The trace:
797726@1598407357.169284:usb_port_claim bus 0, port 2
797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high
797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186943:usb_ehci_reset === RESET ===
797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0
797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
[R +0.073737] outl 0xcf8 0x8000ef02
OK
[S +0.073774] OK
[R +0.073801] outl 0xcfc 0xfbff0061
OK
[S +0.075074] OK
[R +0.075108] outl 0xcf8 0x8000ef11
OK
[S +0.075126] OK
[R +0.075135] outl 0xcfc 0x60606060
OK
[S +0.076290] OK
[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f
797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84
797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.194971:usb_ehci_port_suspend port #1
797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003)
OK
[S +0.076363] OK
[R +0.076377] writeq 0x60606065 0xff0004fe050000ff
797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05
797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183)
OK
[S +0.076439] OK
[R +0.076457] writeq 0x60606020 0xff015e5c057b0039
797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039
attempt to set frame list size -- value 8
797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000)
797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c
797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0
797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4)
OK
[S +0.076519] OK
[R +0.076534] writeq 0x60606033 0x846c8a0200000611
797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006
ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0)
OK
[S +0.076562] OK
[R +0.076574] write 0x2000004 0x4 0x4a606060
OK
[S +0.076855] OK
[R +0.076869] write 0x8 0x4 0x97a98095
OK
[S +0.077214] OK
[R +0.077225] write 0x0 0x4 0x4a606060
OK
[S +0.077233] OK
[R +0.077242] write 0x4 0x4 0x97a98095
OK
[S +0.077250] OK
[R +0.077258] write 0xc 0x4 0x4a606060
OK
[S +0.077266] OK
[R +0.077274] write 0x10 0x4 0x97a98095
OK
[S +0.077281] OK
[R +0.077289] write 0x14 0x4 0x4a606060
OK
[S +0.077295] OK
[R +0.077304] write 0x18 0x4 0x97a98095
OK
[S +0.077310] OK
[R +0.077325] write 0x1c 0x4 0x4a606060
OK
[S +0.077333] OK
[R +0.077340] clock_step
OK 27462700
[S +0.077415] OK 27462700
797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE
797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1
797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY
797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH
797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc
797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0
797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0
797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0
797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0
797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0
797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0
797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0
797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0
797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 0x0
797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000
797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005
797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000
797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000
797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0
797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0
797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset
797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE
797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD
797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997
797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1
797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0
797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc
797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE
797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0
797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0)
797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a
797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981
797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0)
797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997
797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0)
797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a
797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900
797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040
797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000)
797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997
797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.196437:usb_ehci_port_suspend port #1
797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005)
797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a
797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000)
797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup
797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe
797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0)
797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe
797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe
797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981)
797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe
797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997)
797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe
797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe
797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe
797726@1598407357.196573:usb_ehci_port_suspend port #0
797726@1598407357.196577:usb_ehci_port_resume port #0
797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040)
797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe
797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free
797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel
797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free
797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196655:usb_ehci_port_suspend port #1
797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185)
797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe
797726@1598407357.196674:usb_ehci_port_suspend port #2
797726@1598407357.196679:usb_ehci_port_resume port #2
797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040)
797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe
797726@1598407357.196699:usb_ehci_port_suspend port #3
797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000)
797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe
797726@1598407357.196716:usb_ehci_port_suspend port #4
797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000)
797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe
797726@1598407357.196729:usb_ehci_port_suspend port #5
797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000)
=================================================================
==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8
READ of size 4 at 0x6110000443e8 thread T0
#0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28
#1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#11 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
#12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478)
freed by thread T0 here:
#0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd)
#1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5
#2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9
#3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17
#4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9
#5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5
#6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5
#7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5
#8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13
#9 0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9
#16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5
#17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9
#18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#26 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
previously allocated by thread T0 here:
#0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
#1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
#2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13
#3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21
#4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap
Shadow bytes around the buggy address:
0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==797726==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892963/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1892963] Re: Heap-use-after-free in put_dwords through ehci_flush_qh
2020-08-26 2:04 [Bug 1892963] [NEW] Heap-use-after-free in put_dwords through ehci_flush_qh Alexander Bulekov
2021-05-27 14:43 ` [Bug 1892963] " Thomas Huth
@ 2021-08-21 4:11 ` Alexander Bulekov
2021-08-21 6:17 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Alexander Bulekov @ 2021-08-21 4:11 UTC (permalink / raw)
To: qemu-devel
I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/541
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #541
https://gitlab.com/qemu-project/qemu/-/issues/541
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892963
Title:
Heap-use-after-free in put_dwords through ehci_flush_qh
Status in QEMU:
Confirmed
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,\
port=2,drive=usbcdrom \
-display none -nodefaults -qtest stdio -accel qtest
outl 0xcf8 0x8000ef02
outl 0xcfc 0xfbff0061
outl 0xcf8 0x8000ef11
outl 0xcfc 0x60606060
writeq 0x60606065 0xb70560ff84ffff7f
writeq 0x60606065 0xff0004fe050000ff
writeq 0x60606020 0xff015e5c057b0039
writeq 0x60606033 0x846c8a0200000611
write 0x2000004 0x4 0x4a606060
write 0x8 0x4 0x97a98095
write 0x0 0x4 0x4a606060
write 0x4 0x4 0x97a98095
write 0xc 0x4 0x4a606060
write 0x10 0x4 0x97a98095
write 0x14 0x4 0x4a606060
write 0x18 0x4 0x97a98095
write 0x1c 0x4 0x4a606060
clock_step
EOF
The trace:
797726@1598407357.169284:usb_port_claim bus 0, port 2
797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high
797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186943:usb_ehci_reset === RESET ===
797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0
797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
[R +0.073737] outl 0xcf8 0x8000ef02
OK
[S +0.073774] OK
[R +0.073801] outl 0xcfc 0xfbff0061
OK
[S +0.075074] OK
[R +0.075108] outl 0xcf8 0x8000ef11
OK
[S +0.075126] OK
[R +0.075135] outl 0xcfc 0x60606060
OK
[S +0.076290] OK
[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f
797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84
797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.194971:usb_ehci_port_suspend port #1
797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003)
OK
[S +0.076363] OK
[R +0.076377] writeq 0x60606065 0xff0004fe050000ff
797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05
797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183)
OK
[S +0.076439] OK
[R +0.076457] writeq 0x60606020 0xff015e5c057b0039
797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039
attempt to set frame list size -- value 8
797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000)
797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c
797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0
797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4)
OK
[S +0.076519] OK
[R +0.076534] writeq 0x60606033 0x846c8a0200000611
797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006
ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0)
OK
[S +0.076562] OK
[R +0.076574] write 0x2000004 0x4 0x4a606060
OK
[S +0.076855] OK
[R +0.076869] write 0x8 0x4 0x97a98095
OK
[S +0.077214] OK
[R +0.077225] write 0x0 0x4 0x4a606060
OK
[S +0.077233] OK
[R +0.077242] write 0x4 0x4 0x97a98095
OK
[S +0.077250] OK
[R +0.077258] write 0xc 0x4 0x4a606060
OK
[S +0.077266] OK
[R +0.077274] write 0x10 0x4 0x97a98095
OK
[S +0.077281] OK
[R +0.077289] write 0x14 0x4 0x4a606060
OK
[S +0.077295] OK
[R +0.077304] write 0x18 0x4 0x97a98095
OK
[S +0.077310] OK
[R +0.077325] write 0x1c 0x4 0x4a606060
OK
[S +0.077333] OK
[R +0.077340] clock_step
OK 27462700
[S +0.077415] OK 27462700
797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE
797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1
797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY
797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH
797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc
797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0
797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0
797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0
797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0
797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0
797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0
797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0
797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0
797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 0x0
797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000
797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005
797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000
797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000
797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0
797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0
797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset
797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE
797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD
797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997
797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1
797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0
797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc
797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE
797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0
797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0)
797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a
797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981
797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0)
797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997
797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0)
797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a
797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900
797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040
797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000)
797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997
797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.196437:usb_ehci_port_suspend port #1
797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005)
797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a
797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000)
797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup
797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe
797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0)
797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe
797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe
797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981)
797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe
797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997)
797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe
797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe
797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe
797726@1598407357.196573:usb_ehci_port_suspend port #0
797726@1598407357.196577:usb_ehci_port_resume port #0
797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040)
797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe
797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free
797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel
797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free
797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196655:usb_ehci_port_suspend port #1
797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185)
797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe
797726@1598407357.196674:usb_ehci_port_suspend port #2
797726@1598407357.196679:usb_ehci_port_resume port #2
797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040)
797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe
797726@1598407357.196699:usb_ehci_port_suspend port #3
797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000)
797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe
797726@1598407357.196716:usb_ehci_port_suspend port #4
797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000)
797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe
797726@1598407357.196729:usb_ehci_port_suspend port #5
797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000)
=================================================================
==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8
READ of size 4 at 0x6110000443e8 thread T0
#0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28
#1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#11 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
#12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478)
freed by thread T0 here:
#0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd)
#1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5
#2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9
#3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17
#4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9
#5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5
#6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5
#7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5
#8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13
#9 0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9
#16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5
#17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9
#18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#26 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
previously allocated by thread T0 here:
#0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
#1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
#2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13
#3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21
#4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap
Shadow bytes around the buggy address:
0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==797726==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892963/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1892963] Re: Heap-use-after-free in put_dwords through ehci_flush_qh
2020-08-26 2:04 [Bug 1892963] [NEW] Heap-use-after-free in put_dwords through ehci_flush_qh Alexander Bulekov
2021-05-27 14:43 ` [Bug 1892963] " Thomas Huth
2021-08-21 4:11 ` Alexander Bulekov
@ 2021-08-21 6:17 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-08-21 6:17 UTC (permalink / raw)
To: qemu-devel
Thanks for moving it over! ... let's close this one here on Launchpad
now.
** Changed in: qemu
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892963
Title:
Heap-use-after-free in put_dwords through ehci_flush_qh
Status in QEMU:
Invalid
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,\
port=2,drive=usbcdrom \
-display none -nodefaults -qtest stdio -accel qtest
outl 0xcf8 0x8000ef02
outl 0xcfc 0xfbff0061
outl 0xcf8 0x8000ef11
outl 0xcfc 0x60606060
writeq 0x60606065 0xb70560ff84ffff7f
writeq 0x60606065 0xff0004fe050000ff
writeq 0x60606020 0xff015e5c057b0039
writeq 0x60606033 0x846c8a0200000611
write 0x2000004 0x4 0x4a606060
write 0x8 0x4 0x97a98095
write 0x0 0x4 0x4a606060
write 0x4 0x4 0x97a98095
write 0xc 0x4 0x4a606060
write 0x10 0x4 0x97a98095
write 0x14 0x4 0x4a606060
write 0x18 0x4 0x97a98095
write 0x1c 0x4 0x4a606060
clock_step
EOF
The trace:
797726@1598407357.169284:usb_port_claim bus 0, port 2
797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high
797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186943:usb_ehci_reset === RESET ===
797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0
797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
[R +0.073737] outl 0xcf8 0x8000ef02
OK
[S +0.073774] OK
[R +0.073801] outl 0xcfc 0xfbff0061
OK
[S +0.075074] OK
[R +0.075108] outl 0xcf8 0x8000ef11
OK
[S +0.075126] OK
[R +0.075135] outl 0xcfc 0x60606060
OK
[S +0.076290] OK
[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f
797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84
797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.194971:usb_ehci_port_suspend port #1
797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003)
OK
[S +0.076363] OK
[R +0.076377] writeq 0x60606065 0xff0004fe050000ff
797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05
797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183)
OK
[S +0.076439] OK
[R +0.076457] writeq 0x60606020 0xff015e5c057b0039
797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039
attempt to set frame list size -- value 8
797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000)
797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c
797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0
797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4)
OK
[S +0.076519] OK
[R +0.076534] writeq 0x60606033 0x846c8a0200000611
797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006
ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0)
OK
[S +0.076562] OK
[R +0.076574] write 0x2000004 0x4 0x4a606060
OK
[S +0.076855] OK
[R +0.076869] write 0x8 0x4 0x97a98095
OK
[S +0.077214] OK
[R +0.077225] write 0x0 0x4 0x4a606060
OK
[S +0.077233] OK
[R +0.077242] write 0x4 0x4 0x97a98095
OK
[S +0.077250] OK
[R +0.077258] write 0xc 0x4 0x4a606060
OK
[S +0.077266] OK
[R +0.077274] write 0x10 0x4 0x97a98095
OK
[S +0.077281] OK
[R +0.077289] write 0x14 0x4 0x4a606060
OK
[S +0.077295] OK
[R +0.077304] write 0x18 0x4 0x97a98095
OK
[S +0.077310] OK
[R +0.077325] write 0x1c 0x4 0x4a606060
OK
[S +0.077333] OK
[R +0.077340] clock_step
OK 27462700
[S +0.077415] OK 27462700
797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE
797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1
797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY
797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH
797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc
797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0
797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0
797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0
797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0
797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0
797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0
797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0
797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0
797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 0x0
797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000
797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005
797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000
797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000
797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0
797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0
797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset
797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE
797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD
797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997
797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1
797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0
797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc
797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE
797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0
797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0)
797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a
797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981
797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0)
797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997
797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0)
797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a
797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900
797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040
797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000)
797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997
797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.196437:usb_ehci_port_suspend port #1
797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005)
797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a
797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000)
797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup
797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe
797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0)
797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe
797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe
797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981)
797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe
797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997)
797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe
797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe
797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe
797726@1598407357.196573:usb_ehci_port_suspend port #0
797726@1598407357.196577:usb_ehci_port_resume port #0
797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040)
797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe
797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free
797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel
797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free
797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196655:usb_ehci_port_suspend port #1
797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185)
797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe
797726@1598407357.196674:usb_ehci_port_suspend port #2
797726@1598407357.196679:usb_ehci_port_resume port #2
797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040)
797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe
797726@1598407357.196699:usb_ehci_port_suspend port #3
797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000)
797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe
797726@1598407357.196716:usb_ehci_port_suspend port #4
797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000)
797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe
797726@1598407357.196729:usb_ehci_port_suspend port #5
797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000)
=================================================================
==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8
READ of size 4 at 0x6110000443e8 thread T0
#0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28
#1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#11 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
#12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478)
freed by thread T0 here:
#0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd)
#1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5
#2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9
#3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17
#4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9
#5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5
#6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5
#7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5
#8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13
#9 0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9
#16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5
#17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9
#18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#26 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
previously allocated by thread T0 here:
#0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
#1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
#2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13
#3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21
#4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap
Shadow bytes around the buggy address:
0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==797726==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892963/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-08-21 6:28 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-26 2:04 [Bug 1892963] [NEW] Heap-use-after-free in put_dwords through ehci_flush_qh Alexander Bulekov
2021-05-27 14:43 ` [Bug 1892963] " Thomas Huth
2021-08-21 4:11 ` Alexander Bulekov
2021-08-21 6:17 ` Thomas Huth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.