* [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
@ 2020-08-12 16:06 Alexander Bulekov
2020-08-12 16:24 ` Li Qiang
` (4 more replies)
0 siblings, 5 replies; 9+ messages in thread
From: Alexander Bulekov @ 2020-08-12 16:06 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1891354
Title:
Heap-use-after-free in usb_packet_unmap
Status in QEMU:
New
Bug description:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
2020-08-12 16:06 [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap Alexander Bulekov
@ 2020-08-12 16:24 ` Li Qiang
2020-08-12 16:55 ` Alexander Bulekov
2021-03-03 15:20 ` [Bug 1891354] " Alexander Bulekov
` (3 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Li Qiang @ 2020-08-12 16:24 UTC (permalink / raw)
To: Bug 1891354; +Cc: Qemu Developers
Alexander Bulekov <1891354@bugs.launchpad.net> 于2020年8月13日周四 上午12:21写道:
>
> Public bug reported:
>
> Hello,
> Reproducer:
>
> cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> -nodefaults -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xc0202
> outl 0xcf8 0x80001004
> outl 0xcfc 0x1c77695e
> writel 0xc0040 0xffffd855
> writeq 0xc2000 0xff05140100000000
> write 0x1d 0x1 0x27
> write 0x2d 0x1 0x2e
> write 0x17232 0x1 0x03
> write 0x17254 0x1 0x05
> write 0x17276 0x1 0x72
> write 0x17278 0x1 0x02
> write 0x3d 0x1 0x27
> write 0x40 0x1 0x2e
> write 0x41 0x1 0x72
> write 0x42 0x1 0x01
> write 0x4d 0x1 0x2e
> write 0x4f 0x1 0x01
> write 0x2007c 0x1 0xc7
> writeq 0xc2000 0x5c05140100000000
> write 0x20070 0x1 0x80
> write 0x20078 0x1 0x08
> write 0x2007c 0x1 0xfe
> write 0x2007d 0x1 0x08
> write 0x20081 0x1 0xff
> write 0x20082 0x1 0x0b
> write 0x20089 0x1 0x8c
> write 0x2008d 0x1 0x04
> write 0x2009d 0x1 0x10
> writeq 0xc2000 0x2505ef019e092f00
> EOF
>
> 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> READ of size 4 at 0x611000045030 thread T0
> #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> #15 0x7fc5d7f1a897 in g_main_context_dispatch
> #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> #20 0x55db7a8860fd in main softmmu/main.c:49:5
>
> 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> freed by thread T0 here:
> #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> #29 0x7fc5d7f1a897 in g_main_context_dispatch
>
This issue as far as I can see, is the DMA to MMIO issue.
Thanks,
Li Qiang
> previously allocated by thread T0 here:
> #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> #12 0x7fc5d7f1a897 in g_main_context_dispatch
>
> -Alex
>
> ** Affects: qemu
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are a member of qemu-
> devel-ml, which is subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1891354
>
> Title:
> Heap-use-after-free in usb_packet_unmap
>
> Status in QEMU:
> New
>
> Bug description:
> Hello,
> Reproducer:
>
> cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> -nodefaults -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xc0202
> outl 0xcf8 0x80001004
> outl 0xcfc 0x1c77695e
> writel 0xc0040 0xffffd855
> writeq 0xc2000 0xff05140100000000
> write 0x1d 0x1 0x27
> write 0x2d 0x1 0x2e
> write 0x17232 0x1 0x03
> write 0x17254 0x1 0x05
> write 0x17276 0x1 0x72
> write 0x17278 0x1 0x02
> write 0x3d 0x1 0x27
> write 0x40 0x1 0x2e
> write 0x41 0x1 0x72
> write 0x42 0x1 0x01
> write 0x4d 0x1 0x2e
> write 0x4f 0x1 0x01
> write 0x2007c 0x1 0xc7
> writeq 0xc2000 0x5c05140100000000
> write 0x20070 0x1 0x80
> write 0x20078 0x1 0x08
> write 0x2007c 0x1 0xfe
> write 0x2007d 0x1 0x08
> write 0x20081 0x1 0xff
> write 0x20082 0x1 0x0b
> write 0x20089 0x1 0x8c
> write 0x2008d 0x1 0x04
> write 0x2009d 0x1 0x10
> writeq 0xc2000 0x2505ef019e092f00
> EOF
>
> 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> READ of size 4 at 0x611000045030 thread T0
> #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> #15 0x7fc5d7f1a897 in g_main_context_dispatch
> #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> #20 0x55db7a8860fd in main softmmu/main.c:49:5
>
> 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> freed by thread T0 here:
> #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> #29 0x7fc5d7f1a897 in g_main_context_dispatch
>
> previously allocated by thread T0 here:
> #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> #12 0x7fc5d7f1a897 in g_main_context_dispatch
>
> -Alex
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
@ 2020-08-12 16:55 ` Alexander Bulekov
0 siblings, 0 replies; 9+ messages in thread
From: Alexander Bulekov @ 2020-08-12 16:55 UTC (permalink / raw)
To: Li Qiang; +Cc: Paolo Bonzini, Bug 1891354, Qemu Developers, Gerd Hoffmann
On 200813 0024, Li Qiang wrote:
> Alexander Bulekov <1891354@bugs.launchpad.net> 于2020年8月13日周四 上午12:21写道:
> >
> > Public bug reported:
> >
> > Hello,
> > Reproducer:
> >
> > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > -nodefaults -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xc0202
> > outl 0xcf8 0x80001004
> > outl 0xcfc 0x1c77695e
> > writel 0xc0040 0xffffd855
> > writeq 0xc2000 0xff05140100000000
> > write 0x1d 0x1 0x27
> > write 0x2d 0x1 0x2e
> > write 0x17232 0x1 0x03
> > write 0x17254 0x1 0x05
> > write 0x17276 0x1 0x72
> > write 0x17278 0x1 0x02
> > write 0x3d 0x1 0x27
> > write 0x40 0x1 0x2e
> > write 0x41 0x1 0x72
> > write 0x42 0x1 0x01
> > write 0x4d 0x1 0x2e
> > write 0x4f 0x1 0x01
> > write 0x2007c 0x1 0xc7
> > writeq 0xc2000 0x5c05140100000000
> > write 0x20070 0x1 0x80
> > write 0x20078 0x1 0x08
> > write 0x2007c 0x1 0xfe
> > write 0x2007d 0x1 0x08
> > write 0x20081 0x1 0xff
> > write 0x20082 0x1 0x0b
> > write 0x20089 0x1 0x8c
> > write 0x2008d 0x1 0x04
> > write 0x2009d 0x1 0x10
> > writeq 0xc2000 0x2505ef019e092f00
> > EOF
> >
> > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > READ of size 4 at 0x611000045030 thread T0
> > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > #20 0x55db7a8860fd in main softmmu/main.c:49:5
> >
> > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> > freed by thread T0 here:
> > #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #29 0x7fc5d7f1a897 in g_main_context_dispatch
> >
>
> This issue as far as I can see, is the DMA to MMIO issue.
Another one - Interesting...
So it joins these:
https://bugs.launchpad.net/qemu/+bug/1888606
https://bugs.launchpad.net/qemu/+bug/1886362
Could this one be dealt with by moving xhci_reset into a BH?
-Alex
> Thanks,
> Li Qiang
>
>
> > previously allocated by thread T0 here:
> > #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> > #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #12 0x7fc5d7f1a897 in g_main_context_dispatch
> >
> > -Alex
> >
> > ** Affects: qemu
> > Importance: Undecided
> > Status: New
> >
> > --
> > You received this bug notification because you are a member of qemu-
> > devel-ml, which is subscribed to QEMU.
> > https://bugs.launchpad.net/bugs/1891354
> >
> > Title:
> > Heap-use-after-free in usb_packet_unmap
> >
> > Status in QEMU:
> > New
> >
> > Bug description:
> > Hello,
> > Reproducer:
> >
> > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > -nodefaults -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xc0202
> > outl 0xcf8 0x80001004
> > outl 0xcfc 0x1c77695e
> > writel 0xc0040 0xffffd855
> > writeq 0xc2000 0xff05140100000000
> > write 0x1d 0x1 0x27
> > write 0x2d 0x1 0x2e
> > write 0x17232 0x1 0x03
> > write 0x17254 0x1 0x05
> > write 0x17276 0x1 0x72
> > write 0x17278 0x1 0x02
> > write 0x3d 0x1 0x27
> > write 0x40 0x1 0x2e
> > write 0x41 0x1 0x72
> > write 0x42 0x1 0x01
> > write 0x4d 0x1 0x2e
> > write 0x4f 0x1 0x01
> > write 0x2007c 0x1 0xc7
> > writeq 0xc2000 0x5c05140100000000
> > write 0x20070 0x1 0x80
> > write 0x20078 0x1 0x08
> > write 0x2007c 0x1 0xfe
> > write 0x2007d 0x1 0x08
> > write 0x20081 0x1 0xff
> > write 0x20082 0x1 0x0b
> > write 0x20089 0x1 0x8c
> > write 0x2008d 0x1 0x04
> > write 0x2009d 0x1 0x10
> > writeq 0xc2000 0x2505ef019e092f00
> > EOF
> >
> > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > READ of size 4 at 0x611000045030 thread T0
> > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > #20 0x55db7a8860fd in main softmmu/main.c:49:5
> >
> > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> > freed by thread T0 here:
> > #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #29 0x7fc5d7f1a897 in g_main_context_dispatch
> >
> > previously allocated by thread T0 here:
> > #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> > #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #12 0x7fc5d7f1a897 in g_main_context_dispatch
> >
> > -Alex
> >
> > To manage notifications about this bug go to:
> > https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
> >
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
@ 2020-08-12 16:55 ` Alexander Bulekov
0 siblings, 0 replies; 9+ messages in thread
From: Alexander Bulekov @ 2020-08-12 16:55 UTC (permalink / raw)
To: qemu-devel
On 200813 0024, Li Qiang wrote:
> Alexander Bulekov <1891354@bugs.launchpad.net> 于2020年8月13日周四 上午12:21写道:
> >
> > Public bug reported:
> >
> > Hello,
> > Reproducer:
> >
> > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > -nodefaults -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xc0202
> > outl 0xcf8 0x80001004
> > outl 0xcfc 0x1c77695e
> > writel 0xc0040 0xffffd855
> > writeq 0xc2000 0xff05140100000000
> > write 0x1d 0x1 0x27
> > write 0x2d 0x1 0x2e
> > write 0x17232 0x1 0x03
> > write 0x17254 0x1 0x05
> > write 0x17276 0x1 0x72
> > write 0x17278 0x1 0x02
> > write 0x3d 0x1 0x27
> > write 0x40 0x1 0x2e
> > write 0x41 0x1 0x72
> > write 0x42 0x1 0x01
> > write 0x4d 0x1 0x2e
> > write 0x4f 0x1 0x01
> > write 0x2007c 0x1 0xc7
> > writeq 0xc2000 0x5c05140100000000
> > write 0x20070 0x1 0x80
> > write 0x20078 0x1 0x08
> > write 0x2007c 0x1 0xfe
> > write 0x2007d 0x1 0x08
> > write 0x20081 0x1 0xff
> > write 0x20082 0x1 0x0b
> > write 0x20089 0x1 0x8c
> > write 0x2008d 0x1 0x04
> > write 0x2009d 0x1 0x10
> > writeq 0xc2000 0x2505ef019e092f00
> > EOF
> >
> > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > READ of size 4 at 0x611000045030 thread T0
> > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > #20 0x55db7a8860fd in main softmmu/main.c:49:5
> >
> > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> > freed by thread T0 here:
> > #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #29 0x7fc5d7f1a897 in g_main_context_dispatch
> >
>
> This issue as far as I can see, is the DMA to MMIO issue.
Another one - Interesting...
So it joins these:
https://bugs.launchpad.net/qemu/+bug/1888606
https://bugs.launchpad.net/qemu/+bug/1886362
Could this one be dealt with by moving xhci_reset into a BH?
-Alex
> Thanks,
> Li Qiang
>
>
> > previously allocated by thread T0 here:
> > #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> > #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #12 0x7fc5d7f1a897 in g_main_context_dispatch
> >
> > -Alex
> >
> > ** Affects: qemu
> > Importance: Undecided
> > Status: New
> >
> > --
> > You received this bug notification because you are a member of qemu-
> > devel-ml, which is subscribed to QEMU.
> > https://bugs.launchpad.net/bugs/1891354
> >
> > Title:
> > Heap-use-after-free in usb_packet_unmap
> >
> > Status in QEMU:
> > New
> >
> > Bug description:
> > Hello,
> > Reproducer:
> >
> > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > -nodefaults -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xc0202
> > outl 0xcf8 0x80001004
> > outl 0xcfc 0x1c77695e
> > writel 0xc0040 0xffffd855
> > writeq 0xc2000 0xff05140100000000
> > write 0x1d 0x1 0x27
> > write 0x2d 0x1 0x2e
> > write 0x17232 0x1 0x03
> > write 0x17254 0x1 0x05
> > write 0x17276 0x1 0x72
> > write 0x17278 0x1 0x02
> > write 0x3d 0x1 0x27
> > write 0x40 0x1 0x2e
> > write 0x41 0x1 0x72
> > write 0x42 0x1 0x01
> > write 0x4d 0x1 0x2e
> > write 0x4f 0x1 0x01
> > write 0x2007c 0x1 0xc7
> > writeq 0xc2000 0x5c05140100000000
> > write 0x20070 0x1 0x80
> > write 0x20078 0x1 0x08
> > write 0x2007c 0x1 0xfe
> > write 0x2007d 0x1 0x08
> > write 0x20081 0x1 0xff
> > write 0x20082 0x1 0x0b
> > write 0x20089 0x1 0x8c
> > write 0x2008d 0x1 0x04
> > write 0x2009d 0x1 0x10
> > writeq 0xc2000 0x2505ef019e092f00
> > EOF
> >
> > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > READ of size 4 at 0x611000045030 thread T0
> > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > #20 0x55db7a8860fd in main softmmu/main.c:49:5
> >
> > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> > freed by thread T0 here:
> > #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #29 0x7fc5d7f1a897 in g_main_context_dispatch
> >
> > previously allocated by thread T0 here:
> > #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> > #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > #12 0x7fc5d7f1a897 in g_main_context_dispatch
> >
> > -Alex
> >
> > To manage notifications about this bug go to:
> > https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
> >
>
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1891354
Title:
Heap-use-after-free in usb_packet_unmap
Status in QEMU:
New
Bug description:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
2020-08-12 16:55 ` Alexander Bulekov
(?)
@ 2020-08-13 1:26 ` Li Qiang
-1 siblings, 0 replies; 9+ messages in thread
From: Li Qiang @ 2020-08-13 1:26 UTC (permalink / raw)
To: Alexander Bulekov
Cc: Paolo Bonzini, Bug 1891354, Qemu Developers, Gerd Hoffmann
Alexander Bulekov <alxndr@bu.edu> 于2020年8月13日周四 上午12:56写道:
>
> On 200813 0024, Li Qiang wrote:
> > Alexander Bulekov <1891354@bugs.launchpad.net> 于2020年8月13日周四 上午12:21写道:
> > >
> > > Public bug reported:
> > >
> > > Hello,
> > > Reproducer:
> > >
> > > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > > -nodefaults -nographic -qtest stdio
> > > outl 0xcf8 0x80001010
> > > outl 0xcfc 0xc0202
> > > outl 0xcf8 0x80001004
> > > outl 0xcfc 0x1c77695e
> > > writel 0xc0040 0xffffd855
> > > writeq 0xc2000 0xff05140100000000
> > > write 0x1d 0x1 0x27
> > > write 0x2d 0x1 0x2e
> > > write 0x17232 0x1 0x03
> > > write 0x17254 0x1 0x05
> > > write 0x17276 0x1 0x72
> > > write 0x17278 0x1 0x02
> > > write 0x3d 0x1 0x27
> > > write 0x40 0x1 0x2e
> > > write 0x41 0x1 0x72
> > > write 0x42 0x1 0x01
> > > write 0x4d 0x1 0x2e
> > > write 0x4f 0x1 0x01
> > > write 0x2007c 0x1 0xc7
> > > writeq 0xc2000 0x5c05140100000000
> > > write 0x20070 0x1 0x80
> > > write 0x20078 0x1 0x08
> > > write 0x2007c 0x1 0xfe
> > > write 0x2007d 0x1 0x08
> > > write 0x20081 0x1 0xff
> > > write 0x20082 0x1 0x0b
> > > write 0x20089 0x1 0x8c
> > > write 0x2008d 0x1 0x04
> > > write 0x2009d 0x1 0x10
> > > writeq 0xc2000 0x2505ef019e092f00
> > > EOF
> > >
> > > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > > READ of size 4 at 0x611000045030 thread T0
> > > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > > #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > > #20 0x55db7a8860fd in main softmmu/main.c:49:5
> > >
> > > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> > > freed by thread T0 here:
> > > #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > > #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > > #29 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> >
> > This issue as far as I can see, is the DMA to MMIO issue.
>
> Another one - Interesting...
> So it joins these:
> https://bugs.launchpad.net/qemu/+bug/1888606
> https://bugs.launchpad.net/qemu/+bug/1886362
>
> Could this one be dealt with by moving xhci_reset into a BH?
If we would want to use BH to solve this issue using BH. I think we
should use it in the first MMIO write.
xhci_doorbell_write->xhci_kick_epctx. But we may think out a more
general method to solve these issues,
maybe in the core code other than per-device solution.
Thanks,
Li Qiang
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
-->Here use a BH.
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
> -Alex
>
> > Thanks,
> > Li Qiang
> >
> >
> > > previously allocated by thread T0 here:
> > > #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> > > #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > > #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > > #12 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> > > -Alex
> > >
> > > ** Affects: qemu
> > > Importance: Undecided
> > > Status: New
> > >
> > > --
> > > You received this bug notification because you are a member of qemu-
> > > devel-ml, which is subscribed to QEMU.
> > > https://bugs.launchpad.net/bugs/1891354
> > >
> > > Title:
> > > Heap-use-after-free in usb_packet_unmap
> > >
> > > Status in QEMU:
> > > New
> > >
> > > Bug description:
> > > Hello,
> > > Reproducer:
> > >
> > > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > > -nodefaults -nographic -qtest stdio
> > > outl 0xcf8 0x80001010
> > > outl 0xcfc 0xc0202
> > > outl 0xcf8 0x80001004
> > > outl 0xcfc 0x1c77695e
> > > writel 0xc0040 0xffffd855
> > > writeq 0xc2000 0xff05140100000000
> > > write 0x1d 0x1 0x27
> > > write 0x2d 0x1 0x2e
> > > write 0x17232 0x1 0x03
> > > write 0x17254 0x1 0x05
> > > write 0x17276 0x1 0x72
> > > write 0x17278 0x1 0x02
> > > write 0x3d 0x1 0x27
> > > write 0x40 0x1 0x2e
> > > write 0x41 0x1 0x72
> > > write 0x42 0x1 0x01
> > > write 0x4d 0x1 0x2e
> > > write 0x4f 0x1 0x01
> > > write 0x2007c 0x1 0xc7
> > > writeq 0xc2000 0x5c05140100000000
> > > write 0x20070 0x1 0x80
> > > write 0x20078 0x1 0x08
> > > write 0x2007c 0x1 0xfe
> > > write 0x2007d 0x1 0x08
> > > write 0x20081 0x1 0xff
> > > write 0x20082 0x1 0x0b
> > > write 0x20089 0x1 0x8c
> > > write 0x2008d 0x1 0x04
> > > write 0x2009d 0x1 0x10
> > > writeq 0xc2000 0x2505ef019e092f00
> > > EOF
> > >
> > > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > > READ of size 4 at 0x611000045030 thread T0
> > > #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > > #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > > #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > > #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > > #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > > #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > > #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > > #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > > #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > > #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > > #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > > #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > > #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > > #20 0x55db7a8860fd in main softmmu/main.c:49:5
> > >
> > > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
> > > freed by thread T0 here:
> > > #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > > #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > > #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > > #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > > #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > > #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > > #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > > #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > > #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > > #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > > #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > > #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > > #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > > #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > > #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > > #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > > #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > > #29 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> > > previously allocated by thread T0 here:
> > > #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
> > > #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > > #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > > #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
> > > #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > > #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > > #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > > #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > > #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > > #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > > #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > > #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > > #12 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> > > -Alex
> > >
> > > To manage notifications about this bug go to:
> > > https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
> > >
> >
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 1891354] Re: Heap-use-after-free in usb_packet_unmap
2020-08-12 16:06 [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap Alexander Bulekov
2020-08-12 16:24 ` Li Qiang
@ 2021-03-03 15:20 ` Alexander Bulekov
2021-05-26 15:15 ` Thomas Huth
` (2 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Alexander Bulekov @ 2021-03-03 15:20 UTC (permalink / raw)
To: qemu-devel
** Tags added: dma-reentrancy
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1891354
Title:
Heap-use-after-free in usb_packet_unmap
Status in QEMU:
New
Bug description:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 1891354] Re: Heap-use-after-free in usb_packet_unmap
2020-08-12 16:06 [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap Alexander Bulekov
2020-08-12 16:24 ` Li Qiang
2021-03-03 15:20 ` [Bug 1891354] " Alexander Bulekov
@ 2021-05-26 15:15 ` Thomas Huth
2021-08-21 4:10 ` Alexander Bulekov
2021-08-21 6:16 ` Thomas Huth
4 siblings, 0 replies; 9+ messages in thread
From: Thomas Huth @ 2021-05-26 15:15 UTC (permalink / raw)
To: qemu-devel
Still reproduces with current version of QEMU (if it has been built with
Clang + asan enabled). Marking as "Confirmed"
** Changed in: qemu
Status: New => Confirmed
** Tags added: fuzzer usb
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1891354
Title:
Heap-use-after-free in usb_packet_unmap
Status in QEMU:
Confirmed
Bug description:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 1891354] Re: Heap-use-after-free in usb_packet_unmap
2020-08-12 16:06 [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap Alexander Bulekov
` (2 preceding siblings ...)
2021-05-26 15:15 ` Thomas Huth
@ 2021-08-21 4:10 ` Alexander Bulekov
2021-08-21 6:16 ` Thomas Huth
4 siblings, 0 replies; 9+ messages in thread
From: Alexander Bulekov @ 2021-08-21 4:10 UTC (permalink / raw)
To: qemu-devel
I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/540
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #540
https://gitlab.com/qemu-project/qemu/-/issues/540
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1891354
Title:
Heap-use-after-free in usb_packet_unmap
Status in QEMU:
Confirmed
Bug description:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 1891354] Re: Heap-use-after-free in usb_packet_unmap
2020-08-12 16:06 [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap Alexander Bulekov
` (3 preceding siblings ...)
2021-08-21 4:10 ` Alexander Bulekov
@ 2021-08-21 6:16 ` Thomas Huth
4 siblings, 0 replies; 9+ messages in thread
From: Thomas Huth @ 2021-08-21 6:16 UTC (permalink / raw)
To: qemu-devel
Thanks for moving it over! ... let's close this one here on Launchpad
now.
** Changed in: qemu
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1891354
Title:
Heap-use-after-free in usb_packet_unmap
Status in QEMU:
Invalid
Bug description:
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc0202
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xc0040 0xffffd855
writeq 0xc2000 0xff05140100000000
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
write 0x2007c 0x1 0xc7
writeq 0xc2000 0x5c05140100000000
write 0x20070 0x1 0x80
write 0x20078 0x1 0x08
write 0x2007c 0x1 0xfe
write 0x2007d 0x1 0x08
write 0x20081 0x1 0xff
write 0x20082 0x1 0x0b
write 0x20089 0x1 0x8c
write 0x2008d 0x1 0x04
write 0x2009d 0x1 0x10
writeq 0xc2000 0x2505ef019e092f00
EOF
20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
READ of size 4 at 0x611000045030 thread T0
#0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
#1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#15 0x7fc5d7f1a897 in g_main_context_dispatch
#16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
#17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
#18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
#19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
#20 0x55db7a8860fd in main softmmu/main.c:49:5
0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
freed by thread T0 here:
#0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
#1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
#2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
#3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
#4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
#5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
#6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#10 0x55db78cfee6b in flatview_write exec.c:3216:14
#11 0x55db78cfee6b in address_space_write exec.c:3308:18
#12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
#13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
#14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
#15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
#16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
#17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
#18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#24 0x55db78cfee6b in flatview_write exec.c:3216:14
#25 0x55db78cfee6b in address_space_write exec.c:3308:18
#26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#29 0x7fc5d7f1a897 in g_main_context_dispatch
previously allocated by thread T0 here:
#0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
#1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
#2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
#4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
#5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
#6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
#7 0x55db78cfee6b in flatview_write exec.c:3216:14
#8 0x55db78cfee6b in address_space_write exec.c:3308:18
#9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
#10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
#11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
#12 0x7fc5d7f1a897 in g_main_context_dispatch
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-08-21 6:29 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-12 16:06 [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap Alexander Bulekov
2020-08-12 16:24 ` Li Qiang
2020-08-12 16:55 ` Alexander Bulekov
2020-08-12 16:55 ` Alexander Bulekov
2020-08-13 1:26 ` Li Qiang
2021-03-03 15:20 ` [Bug 1891354] " Alexander Bulekov
2021-05-26 15:15 ` Thomas Huth
2021-08-21 4:10 ` Alexander Bulekov
2021-08-21 6:16 ` Thomas Huth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.