From: Hanna Reitz <hreitz@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>, qemu-devel@nongnu.org
Cc: Laurent Vivier <lvivier@redhat.com>,
	Kevin Wolf <kwolf@redhat.com>, Thomas Huth <thuth@redhat.com>,
	qemu-block@nongnu.org, Darren Kenny <darren.kenny@oracle.com>,
	Alexander Bulekov <alxndr@bu.edu>,
	Paolo Bonzini <pbonzini@redhat.com>, John Snow <jsnow@redhat.com>
Subject: Re: [PATCH v4 3/3] tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
Date: Thu, 25 Nov 2021 12:57:30 +0100
Message-ID: <ba0a545d-4877-20f9-e5fb-39d730bf8c90@redhat.com>
In-Reply-To: <20211124161536.631563-4-philmd@redhat.com>

On 24.11.21 17:15, Philippe Mathieu-Daudé wrote:
> Without the previous commit, when running 'make check-qtest-i386'
> with QEMU configured with '--enable-sanitizers' we get:
>
>    AddressSanitizer:DEADLYSIGNAL
>    =================================================================
>    ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
>    ==287878==The signal is caused by a WRITE memory access.
>    ==287878==Hint: address points to the zero page.
>        #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
>        #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
>        #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
>        #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
>        #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
>        #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9
>
> Add the reproducer for CVE-2021-20196.
>
> Suggested-by: Alexander Bulekov <alxndr@bu.edu>
> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>   tests/qtest/fdc-test.c | 38 ++++++++++++++++++++++++++++++++++++++
>   1 file changed, 38 insertions(+)
>
> diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
> index 26b69f7c5cd..8f6eee84a47 100644
> --- a/tests/qtest/fdc-test.c
> +++ b/tests/qtest/fdc-test.c
> @@ -32,6 +32,9 @@
>   /* TODO actually test the results and get rid of this */
>   #define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__))
>   
> +#define DRIVE_FLOPPY_BLANK \
> +    "-drive if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k"
> +
>   #define TEST_IMAGE_SIZE 1440 * 1024
>   
>   #define FLOPPY_BASE 0x3f0
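Review bot: DRIVE_FLOPPY_BLANK would benefit from a one-line comment stating why the regression test wants exactly one floppy drive with a blank `null-co://` backend (`file.read-zeroes=on`, so the guest reads zeroes from an image that is never touched on disk) rather than reusing the image the other tests attach; a reader of the macro alone cannot tell that attaching only drive A is the point of the test. The `size=1440k` in the macro also duplicates `TEST_IMAGE_SIZE` (1440 * 1024) two lines below; either derive one from the other or note that they must stay in sync.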
> @@ -546,6 +549,40 @@ static void fuzz_registers(void)
>       }
>   }
>   
> +static bool qtest_check_clang_sanitizer(void)
> +{
> +#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
> +    return true;
> +#else
> +    g_test_skip("QEMU not configured using --enable-sanitizers");
> +    return false;
> +#endif
> +}
> +static void test_cve_2021_20196(void)
> +{
> +    QTestState *s;
> +
> +    if (!qtest_check_clang_sanitizer()) {
> +        return;
> +    }
> +
> +    s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK);
> +
> +    qtest_outw(s, 0x3f4, 0x0500);
> +    qtest_outb(s, 0x3f5, 0x00);
> +    qtest_outb(s, 0x3f5, 0x00);
> +    qtest_outw(s, 0x3f4, 0x0000);
> +    qtest_outb(s, 0x3f5, 0x00);
> +    qtest_outw(s, 0x3f1, 0x0400);
> +    qtest_outw(s, 0x3f4, 0x0000);
> +    qtest_outw(s, 0x3f4, 0x0000);
> +    qtest_outb(s, 0x3f5, 0x00);
> +    qtest_outb(s, 0x3f5, 0x01);
> +    qtest_outw(s, 0x3f1, 0x0500);
> +    qtest_outb(s, 0x3f5, 0x00);
> +    qtest_quit(s);
> +}
> +
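Review bot: the `#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)` in qtest_check_clang_sanitizer() only preprocesses on compilers that provide `__has_feature`; on GCC the undefined identifier followed by `(` is a preprocessor error, so this relies on a `#define __has_feature(x) 0` fallback being pulled in (QEMU's compiler.h has one) or needs nesting under `#ifdef __has_feature`. The name is also slightly misleading, since `__SANITIZE_ADDRESS__` is the GCC spelling, so the helper is not clang-specific. Two smaller points: a blank line is missing between the closing brace of qtest_check_clang_sanitizer() and `static void test_cve_2021_20196(void)`, and the body of the test is a bare list of port writes; a comment per group of writes naming the register being hit (0x3f5 is FLOPPY_BASE + 5, the FIFO; the 16-bit writes to 0x3f1 put their high byte into FLOPPY_BASE + 2, the digital output register, whose low bits select the drive) would let a future fdc regression be related back to the test without re-deriving the sequence. Finally, the sanitizer gate means the test is skipped in default builds, yet the reported crash is a write to the zero page that would also kill a non-sanitized QEMU; if the intent is only a cleaner report, consider dropping the gate so the regression is caught in ordinary CI builds as well.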

Now this works as a reproducer for me, but... this is a completely 
different I/O sequence now, right?

Can’t complain, though, I didn’t understand the previous one, I can’t 
claim I need to understand this one or why they’re different.

All the rest looks good to me, so all in all:

Reviewed-by: Hanna Reitz <hreitz@redhat.com>



2021-11-24 16:15 [PATCH v4 0/3] hw/block/fdc: Fix CVE-2021-20196 Philippe Mathieu-Daudé
2021-11-24 16:15 ` [PATCH v4 1/3] hw/block/fdc: Extract blk_create_empty_drive() Philippe Mathieu-Daudé
2021-11-25 11:43   ` Hanna Reitz
2021-11-24 16:15 ` [PATCH v4 2/3] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 Philippe Mathieu-Daudé
2021-11-24 16:15 ` [PATCH v4 3/3] tests/qtest/fdc-test: Add a regression test for CVE-2021-20196 Philippe Mathieu-Daudé
2021-11-25 11:57   ` Hanna Reitz [this message]
2021-11-25 12:20     ` Philippe Mathieu-Daudé
2021-11-24 23:12 ` [PATCH v4 0/3] hw/block/fdc: Fix CVE-2021-20196 John Snow
2021-12-10 13:42 ` Kevin Wolf
2021-12-16  9:54   ` Philippe Mathieu-Daudé