* [Bug 1892966] [NEW] Null-pointer dereference in blk_bs through ide_cancel_dma_sync
@ 2020-08-26 2:40 Alexander Bulekov
2021-05-27 14:34 ` [Bug 1892966] " Thomas Huth
0 siblings, 1 reply; 3+ messages in thread
From: Alexander Bulekov @ 2020-08-26 2:40 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -M pc \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-hd,drive=disk0,bus=ide.1,unit=1 \
-display none -nodefaults -display none -qtest stdio -accel qtest
outw 0x176 0x35b3
outb 0x376 0x5f
outb 0x376 0x40
outl 0xcf8 0x80000904
outl 0xcfc 0x5c0525b7
outb 0x176 0x0
outl 0xcf8 0x8000091e
outl 0xcfc 0xd7580584
write 0x187 0x1 0x34
write 0x277 0x1 0x34
write 0x44f 0x1 0x5c
write 0x53f 0x1 0x5c
write 0x717 0x1 0x34
write 0x807 0x1 0x34
write 0x9df 0x1 0x5c
write 0xbb7 0x1 0x34
write 0xca7 0x1 0x34
write 0xe7f 0x1 0x5c
write 0xf6f 0x1 0x5c
outb 0xd758 0x5f
outb 0xd758 0x40
EOF
Trace:
[S +0.083320] OK
[R +0.083328] outb 0xd758 0x5f
OK
[S +0.084167] OK
[R +0.084183] outb 0xd758 0x40
../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
==843136==The signal is caused by a READ memory access.
==843136==Hint: address points to the zero page.
#0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
#1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
#2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
#3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
#4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
#5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
#12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
#13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
#14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
#15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
#16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
#17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
#18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
#19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
#20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
==843136==ABORTING
-Alex
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892966
Title:
Null-pointer dereference in blk_bs through ide_cancel_dma_sync
Status in QEMU:
New
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -M pc \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-hd,drive=disk0,bus=ide.1,unit=1 \
-display none -nodefaults -display none -qtest stdio -accel qtest
outw 0x176 0x35b3
outb 0x376 0x5f
outb 0x376 0x40
outl 0xcf8 0x80000904
outl 0xcfc 0x5c0525b7
outb 0x176 0x0
outl 0xcf8 0x8000091e
outl 0xcfc 0xd7580584
write 0x187 0x1 0x34
write 0x277 0x1 0x34
write 0x44f 0x1 0x5c
write 0x53f 0x1 0x5c
write 0x717 0x1 0x34
write 0x807 0x1 0x34
write 0x9df 0x1 0x5c
write 0xbb7 0x1 0x34
write 0xca7 0x1 0x34
write 0xe7f 0x1 0x5c
write 0xf6f 0x1 0x5c
outb 0xd758 0x5f
outb 0xd758 0x40
EOF
Trace:
[S +0.083320] OK
[R +0.083328] outb 0xd758 0x5f
OK
[S +0.084167] OK
[R +0.084183] outb 0xd758 0x40
../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
==843136==The signal is caused by a READ memory access.
==843136==Hint: address points to the zero page.
#0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
#1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
#2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
#3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
#4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
#5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
#12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
#13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
#14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
#15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
#16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
#17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
#18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
#19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
#20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
==843136==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug 1892966] Re: Null-pointer dereference in blk_bs through ide_cancel_dma_sync
2020-08-26 2:40 [Bug 1892966] [NEW] Null-pointer dereference in blk_bs through ide_cancel_dma_sync Alexander Bulekov
@ 2021-05-27 14:34 ` Thomas Huth
2021-05-27 15:18 ` Alexander Bulekov
0 siblings, 1 reply; 3+ messages in thread
From: Thomas Huth @ 2021-05-27 14:34 UTC (permalink / raw)
To: qemu-devel
This problem does not trigger anymore for me with the current version of
QEMU. Could you please check whether you can still reproduce it somehow
with the latest version?
** Changed in: qemu
Status: New => Incomplete
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892966
Title:
Null-pointer dereference in blk_bs through ide_cancel_dma_sync
Status in QEMU:
Incomplete
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -M pc \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-hd,drive=disk0,bus=ide.1,unit=1 \
-display none -nodefaults -display none -qtest stdio -accel qtest
outw 0x176 0x35b3
outb 0x376 0x5f
outb 0x376 0x40
outl 0xcf8 0x80000904
outl 0xcfc 0x5c0525b7
outb 0x176 0x0
outl 0xcf8 0x8000091e
outl 0xcfc 0xd7580584
write 0x187 0x1 0x34
write 0x277 0x1 0x34
write 0x44f 0x1 0x5c
write 0x53f 0x1 0x5c
write 0x717 0x1 0x34
write 0x807 0x1 0x34
write 0x9df 0x1 0x5c
write 0xbb7 0x1 0x34
write 0xca7 0x1 0x34
write 0xe7f 0x1 0x5c
write 0xf6f 0x1 0x5c
outb 0xd758 0x5f
outb 0xd758 0x40
EOF
Trace:
[S +0.083320] OK
[R +0.083328] outb 0xd758 0x5f
OK
[S +0.084167] OK
[R +0.084183] outb 0xd758 0x40
../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
==843136==The signal is caused by a READ memory access.
==843136==Hint: address points to the zero page.
#0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
#1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
#2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
#3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
#4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
#5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
#12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
#13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
#14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
#15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
#16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
#17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
#18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
#19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
#20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
==843136==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug 1892966] Re: Null-pointer dereference in blk_bs through ide_cancel_dma_sync
2021-05-27 14:34 ` [Bug 1892966] " Thomas Huth
@ 2021-05-27 15:18 ` Alexander Bulekov
0 siblings, 0 replies; 3+ messages in thread
From: Alexander Bulekov @ 2021-05-27 15:18 UTC (permalink / raw)
To: qemu-devel
Probably fixed.. Appears there was some attempt, but I'm not sure if it
ever got merged:
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html
OSS-Fuzz never saw it, so it was probably fixed sometime before November.
-Alex
On 210527 1434, Thomas Huth wrote:
> This problem does not trigger anymore for me with the current version of
> QEMU. Could you please check whether you can still reproduce it somehow
> with the latest version?
>
> ** Changed in: qemu
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1892966
>
> Title:
> Null-pointer dereference in blk_bs through ide_cancel_dma_sync
>
> Status in QEMU:
> Incomplete
>
> Bug description:
> Hello,
> Reproducer:
> cat << EOF | ./qemu-system-i386 -M pc \
> -drive file=null-co://,if=none,format=raw,id=disk0 \
> -device ide-hd,drive=disk0,bus=ide.1,unit=1 \
> -display none -nodefaults -display none -qtest stdio -accel qtest
> outw 0x176 0x35b3
> outb 0x376 0x5f
> outb 0x376 0x40
> outl 0xcf8 0x80000904
> outl 0xcfc 0x5c0525b7
> outb 0x176 0x0
> outl 0xcf8 0x8000091e
> outl 0xcfc 0xd7580584
> write 0x187 0x1 0x34
> write 0x277 0x1 0x34
> write 0x44f 0x1 0x5c
> write 0x53f 0x1 0x5c
> write 0x717 0x1 0x34
> write 0x807 0x1 0x34
> write 0x9df 0x1 0x5c
> write 0xbb7 0x1 0x34
> write 0xca7 0x1 0x34
> write 0xe7f 0x1 0x5c
> write 0xf6f 0x1 0x5c
> outb 0xd758 0x5f
> outb 0xd758 0x40
> EOF
>
>
> Trace:
> [S +0.083320] OK
> [R +0.083328] outb 0xd758 0x5f
> OK
> [S +0.084167] OK
> [R +0.084183] outb 0xd758 0x40
> ../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
> ==843136==The signal is caused by a READ memory access.
> ==843136==Hint: address points to the zero page.
> #0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
> #1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
> #2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
> #3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
> #4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
> #5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
> #6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
> #7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
> #8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
> #9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
> #10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
> #11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
> #12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
> #13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
> #14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
> #15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
> #16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
> #17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
> #18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
> #19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
> #20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
> #21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
> #22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
> #23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
> #24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
> #25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
> #26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
> ==843136==ABORTING
>
> -Alex
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions
** Changed in: qemu
Status: Incomplete => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892966
Title:
Null-pointer dereference in blk_bs through ide_cancel_dma_sync
Status in QEMU:
Fix Released
Bug description:
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -M pc \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-hd,drive=disk0,bus=ide.1,unit=1 \
-display none -nodefaults -display none -qtest stdio -accel qtest
outw 0x176 0x35b3
outb 0x376 0x5f
outb 0x376 0x40
outl 0xcf8 0x80000904
outl 0xcfc 0x5c0525b7
outb 0x176 0x0
outl 0xcf8 0x8000091e
outl 0xcfc 0xd7580584
write 0x187 0x1 0x34
write 0x277 0x1 0x34
write 0x44f 0x1 0x5c
write 0x53f 0x1 0x5c
write 0x717 0x1 0x34
write 0x807 0x1 0x34
write 0x9df 0x1 0x5c
write 0xbb7 0x1 0x34
write 0xca7 0x1 0x34
write 0xe7f 0x1 0x5c
write 0xf6f 0x1 0x5c
outb 0xd758 0x5f
outb 0xd758 0x40
EOF
Trace:
[S +0.083320] OK
[R +0.083328] outb 0xd758 0x5f
OK
[S +0.084167] OK
[R +0.084183] outb 0xd758 0x40
../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
==843136==The signal is caused by a READ memory access.
==843136==Hint: address points to the zero page.
#0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
#1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
#2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
#3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
#4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
#5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
#12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
#13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
#14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
#15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
#16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
#17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
#18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
#19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
#20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
==843136==ABORTING
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-27 15:26 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-26 2:40 [Bug 1892966] [NEW] Null-pointer dereference in blk_bs through ide_cancel_dma_sync Alexander Bulekov
2021-05-27 14:34 ` [Bug 1892966] " Thomas Huth
2021-05-27 15:18 ` Alexander Bulekov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.