* [Bug 1883739] [NEW] ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
From: Bugs SysSec @ 2020-06-16 15:56 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
To reproduce, run QEMU with the following command line:
```
qemu-system-x86_64 -cdrom hypertrash.iso -nographic -m 100 -enable-kvm -net none -drive id=disk,file=hda.img,if=none -device ahci,id=ahci -device ide-hd,drive=disk,bus=ahci.0
```
QEMU Version:
```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```
To create the disk image, run:
```
dd if=/dev/zero of=hda.img bs=1024 count=1024
```
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "ide_bug_2.zip"
https://bugs.launchpad.net/bugs/1883739/+attachment/5384438/+files/ide_bug_2.zip
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883739
Title:
ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Status in QEMU:
New
Bug description:
To reproduce, run QEMU with the following command line:
```
qemu-system-x86_64 -cdrom hypertrash.iso -nographic -m 100 -enable-kvm -net none -drive id=disk,file=hda.img,if=none -device ahci,id=ahci -device ide-hd,drive=disk,bus=ahci.0
```
QEMU Version:
```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```
To create the disk image, run:
```
dd if=/dev/zero of=hda.img bs=1024 count=1024
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883739/+subscriptions
* [Bug 1883739] Re: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
From: John Snow @ 2020-06-23 17:45 UTC (permalink / raw)
To: qemu-devel
ACK. I do not have time to fix this bug at the moment under the belief
that it's likely low-priority and only "misbehaving guests" can trigger
it. Some advice:
1. Do not use IDE in production deployments after initial installation,
if you can help it. Use a performant virtio solution.
2. If anyone would like to fix this problem, I will be more than happy
to point you to the exact lines of code that cause the problem. I think
the fix will be easy, but testing will be time-consuming as it involves
understanding error behavior of real hardware that I don't personally
have the setup to quickly test or verify.
From memory: the problem is that ide_dma_cb expects that it was able to
prepare at least one sector's worth of scatter-gather list to begin DMA,
but it's possible to give malformed SG lists where IDE is unable to
process the remainder of a sector in a list.
It was not clear to me at the time when I first investigated this what a
real controller would do if it got an incomplete sector and how it
should signal that.
It was also not clear to me if the sg_prepare function for the pci bmdma
controller would ever encounter a situation where further entries in the
list might be received "later" and we should "wait" for them.
If this bug is more dangerous than a self-inflicted DOS, please let me
know and I'll re-prioritize. Patches, email and IRC chats welcome.
--js
** Changed in: qemu
Status: New => Confirmed
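The failure mode described in the message above, as an added example that is not QEMU's code and not the fix the thread anticipates: a small C model of the scatter-gather prepare step that walks a guest-supplied descriptor table and then classifies the prepared byte count, so a DMA callback can fail the request with an error status instead of tripping an assertion. The SgEntry layout, the status names, and the rule that a list ending mid-sector is an error are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>

#define SECTOR_SIZE 512

/* Constructed model of one descriptor-table entry: a byte count and an
 * end-of-table flag. The layout is an assumption, not QEMU's PRD struct. */
typedef struct {
    uint32_t byte_count;
    int end_of_table;
} SgEntry;

typedef enum {
    DMA_PREP_OK,             /* whole sectors prepared, within the limit */
    DMA_PREP_SHORT,          /* less than one sector's worth of buffer */
    DMA_PREP_PARTIAL_SECTOR, /* list ends mid-sector: the remainder is missing */
    DMA_PREP_INVALID         /* prepare failed or broke its size contract */
} DmaPrepStatus;

/* Model of the prepare step: accumulate bytes from the guest's table up to
 * `limit` (n_sectors * 512), stopping at end-of-table or when the table is
 * exhausted. Returns the bytes prepared, or -1 for an empty table. */
int64_t sg_prepare(const SgEntry *tbl, size_t n_entries, int64_t limit) {
    if (n_entries == 0) {
        return -1;  /* nothing to walk: report failure rather than 0 */
    }
    int64_t prepared = 0;
    for (size_t i = 0; i < n_entries && prepared < limit; i++) {
        int64_t take = tbl[i].byte_count;
        if (take > limit - prepared) {
            take = limit - prepared;  /* never exceed what the caller asked for */
        }
        prepared += take;
        if (tbl[i].end_of_table) {
            break;
        }
    }
    return prepared;
}

/* Hardened replacement for the bare assertion: every outcome maps to a
 * status the caller can turn into an error response instead of an abort. */
DmaPrepStatus classify_prep(int64_t prep_size, int64_t n_sectors) {
    if (prep_size < 0 || prep_size > n_sectors * SECTOR_SIZE) {
        return DMA_PREP_INVALID;
    }
    if (prep_size < SECTOR_SIZE) {
        return DMA_PREP_SHORT;
    }
    if (prep_size % SECTOR_SIZE != 0) {
        return DMA_PREP_PARTIAL_SECTOR;
    }
    return DMA_PREP_OK;
}
```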
* [Bug 1883739] Re: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
From: John Snow @ 2020-07-27 22:22 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Assignee: (unassigned) => John Snow (jnsnow)
* [Bug 1883739] Re: ide_dma_cb: Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
From: John Snow @ 2020-07-28 1:27 UTC (permalink / raw)
To: qemu-devel
*** This bug is a duplicate of bug 1777315 ***
https://bugs.launchpad.net/bugs/1777315
** This bug has been marked a duplicate of bug 1777315
Denial of service