* [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter
@ 2021-01-08 10:34 Mauro Matteo Cascella
2021-03-15 2:52 ` [Bug 1910723] " Alexander Bulekov
` (8 more replies)
0 siblings, 9 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-01-08 10:34 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Two NULL pointer dereference issues were found in the am53c974 SCSI host
bus adapter emulation of QEMU. They could occur while handling the
'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National University).
To reproduce them, configure and run QEMU as follows. Please find
attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
** Affects: qemu
Importance: Undecided
Status: New
** Tags: cve qemu security
** Attachment added: "null-derefs-am53c974.tar.gz"
https://bugs.launchpad.net/bugs/1910723/+attachment/5450693/+files/null-derefs-am53c974.tar.gz
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
New
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
@ 2021-03-15 2:52 ` Alexander Bulekov
2021-03-15 2:53 ` Alexander Bulekov
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Alexander Bulekov @ 2021-03-15 2:52 UTC (permalink / raw)
To: qemu-devel
QTest Reproducer for the first:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
* outl 0xcf8 0x80001010
* outl 0xcfc 0xc000
* outl 0xcf8 0x80001004
* outw 0xcfc 0x05
* outb 0xc046 0x02
* outl 0xc00b 0xc100
* outl 0xc040 0x03
* outl 0xc040 0x03
* write 0x0 0x1 0x41
* outl 0xc00b 0xc100
* outw 0xc040 0x02
* outw 0xc040 0x81
* outl 0xc00b 0x9000
* EOF
*/
static void test_fuzz(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -device am53c974,id=scsi -device "
"scsi-hd,drive=disk0 -drive "
"id=disk0,if=none,file=null-co://,format=raw -nodefaults");
qtest_outl(s, 0xcf8, 0x80001010);
qtest_outl(s, 0xcfc, 0xc000);
qtest_outl(s, 0xcf8, 0x80001004);
qtest_outw(s, 0xcfc, 0x05);
qtest_outb(s, 0xc046, 0x02);
qtest_outl(s, 0xc00b, 0xc100);
qtest_outl(s, 0xc040, 0x03);
qtest_outl(s, 0xc040, 0x03);
qtest_bufwrite(s, 0x0, "\x41", 0x1);
qtest_outl(s, 0xc00b, 0xc100);
qtest_outw(s, 0xc040, 0x02);
qtest_outw(s, 0xc040, 0x81);
qtest_outl(s, 0xc00b, 0x9000);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/test_fuzz", test_fuzz);
}
return g_test_run();
}
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
New
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
2021-03-15 2:52 ` [Bug 1910723] " Alexander Bulekov
@ 2021-03-15 2:53 ` Alexander Bulekov
2021-03-15 14:07 ` Mauro Matteo Cascella
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Alexander Bulekov @ 2021-03-15 2:53 UTC (permalink / raw)
To: qemu-devel
QTest Reproducer for the second:
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or
* later. See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
* -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
* id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
* outl 0xcf8 0x80001001
* outl 0xcfc 0x01000000
* outl 0xcf8 0x8000100e
* outl 0xcfc 0xef800000
* outl 0xef8b 0x4100
* outw 0xef80 0x01
* outl 0xefc0 0x03
* outl 0xef8b 0xc100
* outl 0xef8b 0x9000
* EOF
*/
static void test_fuzz(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -device am53c974,id=scsi -device "
"scsi-hd,drive=disk0 -drive "
"id=disk0,if=none,file=null-co://,format=raw -nodefaults");
qtest_outl(s, 0xcf8, 0x80001001);
qtest_outl(s, 0xcfc, 0x01000000);
qtest_outl(s, 0xcf8, 0x8000100e);
qtest_outl(s, 0xcfc, 0xef800000);
qtest_outl(s, 0xef8b, 0x4100);
qtest_outw(s, 0xef80, 0x01);
qtest_outl(s, 0xefc0, 0x03);
qtest_outl(s, 0xef8b, 0xc100);
qtest_outl(s, 0xef8b, 0x9000);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/test_fuzz", test_fuzz);
}
return g_test_run();
}
** Tags added: fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
New
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
2021-03-15 2:52 ` [Bug 1910723] " Alexander Bulekov
2021-03-15 2:53 ` Alexander Bulekov
@ 2021-03-15 14:07 ` Mauro Matteo Cascella
2021-03-17 7:42 ` Mark Cave-Ayland
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-03-15 14:07 UTC (permalink / raw)
To: qemu-devel
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35504
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35505
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
New
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
` (2 preceding siblings ...)
2021-03-15 14:07 ` Mauro Matteo Cascella
@ 2021-03-17 7:42 ` Mark Cave-Ayland
2021-03-24 10:08 ` Mauro Matteo Cascella
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Mark Cave-Ayland @ 2021-03-17 7:42 UTC (permalink / raw)
To: qemu-devel
Thank you both for the reproducers. Please see the proposed patchset
here:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
New
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
` (3 preceding siblings ...)
2021-03-17 7:42 ` Mark Cave-Ayland
@ 2021-03-24 10:08 ` Mauro Matteo Cascella
2021-04-14 13:31 ` Mauro Matteo Cascella
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-03-24 10:08 UTC (permalink / raw)
To: qemu-devel
I can confirm this is fixed now, thank you Mark.
Patchset v2:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
New
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
` (4 preceding siblings ...)
2021-03-24 10:08 ` Mauro Matteo Cascella
@ 2021-04-14 13:31 ` Mauro Matteo Cascella
2021-04-14 14:10 ` Mauro Matteo Cascella
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-04-14 13:31 UTC (permalink / raw)
To: qemu-devel
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
Fix Released
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
` (5 preceding siblings ...)
2021-04-14 13:31 ` Mauro Matteo Cascella
@ 2021-04-14 14:10 ` Mauro Matteo Cascella
2021-04-29 9:57 ` Thomas Huth
2021-04-30 9:00 ` Thomas Huth
8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-04-14 14:10 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Fix Released => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
Fix Committed
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
` (6 preceding siblings ...)
2021-04-14 14:10 ` Mauro Matteo Cascella
@ 2021-04-29 9:57 ` Thomas Huth
2021-04-30 9:00 ` Thomas Huth
8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2021-04-29 9:57 UTC (permalink / raw)
To: qemu-devel
** Tags removed: qemu
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
Fix Committed
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
` (7 preceding siblings ...)
2021-04-29 9:57 ` Thomas Huth
@ 2021-04-30 9:00 ` Thomas Huth
8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2021-04-30 9:00 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
Fix Released
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2021-04-30 9:19 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
2021-03-15 2:52 ` [Bug 1910723] " Alexander Bulekov
2021-03-15 2:53 ` Alexander Bulekov
2021-03-15 14:07 ` Mauro Matteo Cascella
2021-03-17 7:42 ` Mark Cave-Ayland
2021-03-24 10:08 ` Mauro Matteo Cascella
2021-04-14 13:31 ` Mauro Matteo Cascella
2021-04-14 14:10 ` Mauro Matteo Cascella
2021-04-29 9:57 ` Thomas Huth
2021-04-30 9:00 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).