qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
* [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter
@ 2021-01-08 10:34 Mauro Matteo Cascella
  2021-03-15  2:52 ` [Bug 1910723] " Alexander Bulekov
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-01-08 10:34 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Two NULL pointer dereference issues were found in the am53c974 SCSI host
bus adapter emulation of QEMU. They could occur while handling the
'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.

Both issues were reported by Cheolwoo Myung (Seoul National University).
To reproduce them, configure and run QEMU as follows. Please find
attached the required disk images.

$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img

Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

ASAN logs:
==672133==         
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL                                                                            
=================================================================             
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.         
==672133==Hint: address points to the zero page.                                                         
    #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
    #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
    #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
    #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
    #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
    #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
    #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
    #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
    #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
    #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
    #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
    #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
    #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
    #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
    #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
    #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
    #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
    #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

---

==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL                                                                            
=================================================================             
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.         
==672020==Hint: address points to the zero page.                                                         
    #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
    #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
    #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
    #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
    #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
    #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
    #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
    #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
    #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
    #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
    #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
    #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
    #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
    #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
    #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
    #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
    #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
    #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: cve qemu security

** Attachment added: "null-derefs-am53c974.tar.gz"
   https://bugs.launchpad.net/bugs/1910723/+attachment/5450693/+files/null-derefs-am53c974.tar.gz

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  New

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
@ 2021-03-15  2:52 ` Alexander Bulekov
  2021-03-15  2:53 ` Alexander Bulekov
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Alexander Bulekov @ 2021-03-15  2:52 UTC (permalink / raw)
  To: qemu-devel

QTest Reproducer for the first:
/*
 * Autogenerated Fuzzer Test Case
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

/*
 * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
 * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
 * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
 * outl 0xcf8 0x80001010
 * outl 0xcfc 0xc000
 * outl 0xcf8 0x80001004
 * outw 0xcfc 0x05
 * outb 0xc046 0x02
 * outl 0xc00b 0xc100
 * outl 0xc040 0x03
 * outl 0xc040 0x03
 * write 0x0 0x1 0x41
 * outl 0xc00b 0xc100
 * outw 0xc040 0x02
 * outw 0xc040 0x81
 * outl 0xc00b 0x9000
 * EOF
 */
static void test_fuzz(void)
{
    QTestState *s = qtest_init(
        "-display none , -m 512M -device am53c974,id=scsi -device "
        "scsi-hd,drive=disk0 -drive "
        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
    qtest_outl(s, 0xcf8, 0x80001010);
    qtest_outl(s, 0xcfc, 0xc000);
    qtest_outl(s, 0xcf8, 0x80001004);
    qtest_outw(s, 0xcfc, 0x05);
    qtest_outb(s, 0xc046, 0x02);
    qtest_outl(s, 0xc00b, 0xc100);
    qtest_outl(s, 0xc040, 0x03);
    qtest_outl(s, 0xc040, 0x03);
    qtest_bufwrite(s, 0x0, "\x41", 0x1);
    qtest_outl(s, 0xc00b, 0xc100);
    qtest_outw(s, 0xc040, 0x02);
    qtest_outw(s, 0xc040, 0x81);
    qtest_outl(s, 0xc00b, 0x9000);
    qtest_quit(s);
}
int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  New

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
  2021-03-15  2:52 ` [Bug 1910723] " Alexander Bulekov
@ 2021-03-15  2:53 ` Alexander Bulekov
  2021-03-15 14:07 ` Mauro Matteo Cascella
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Alexander Bulekov @ 2021-03-15  2:53 UTC (permalink / raw)
  To: qemu-devel

QTest Reproducer for the second:
/*
 * Autogenerated Fuzzer Test Case
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or
 * later. See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

/*
 * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
 * -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
 * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
 * outl 0xcf8 0x80001001
 * outl 0xcfc 0x01000000
 * outl 0xcf8 0x8000100e
 * outl 0xcfc 0xef800000
 * outl 0xef8b 0x4100
 * outw 0xef80 0x01
 * outl 0xefc0 0x03
 * outl 0xef8b 0xc100
 * outl 0xef8b 0x9000
 * EOF
 */
static void test_fuzz(void)
{
    QTestState *s = qtest_init(
        "-display none , -m 512M -device am53c974,id=scsi -device "
        "scsi-hd,drive=disk0 -drive "
        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
    qtest_outl(s, 0xcf8, 0x80001001);
    qtest_outl(s, 0xcfc, 0x01000000);
    qtest_outl(s, 0xcf8, 0x8000100e);
    qtest_outl(s, 0xcfc, 0xef800000);
    qtest_outl(s, 0xef8b, 0x4100);
    qtest_outw(s, 0xef80, 0x01);
    qtest_outl(s, 0xefc0, 0x03);
    qtest_outl(s, 0xef8b, 0xc100);
    qtest_outl(s, 0xef8b, 0x9000);
    qtest_quit(s);
}
int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}

** Tags added: fuzzer

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  New

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
  2021-03-15  2:52 ` [Bug 1910723] " Alexander Bulekov
  2021-03-15  2:53 ` Alexander Bulekov
@ 2021-03-15 14:07 ` Mauro Matteo Cascella
  2021-03-17  7:42 ` Mark Cave-Ayland
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-03-15 14:07 UTC (permalink / raw)
  To: qemu-devel

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35504

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35505

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  New

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
                   ` (2 preceding siblings ...)
  2021-03-15 14:07 ` Mauro Matteo Cascella
@ 2021-03-17  7:42 ` Mark Cave-Ayland
  2021-03-24 10:08 ` Mauro Matteo Cascella
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Mark Cave-Ayland @ 2021-03-17  7:42 UTC (permalink / raw)
  To: qemu-devel

Thank you both for the reproducers. Please see the proposed patchset
here:

https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  New

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
                   ` (3 preceding siblings ...)
  2021-03-17  7:42 ` Mark Cave-Ayland
@ 2021-03-24 10:08 ` Mauro Matteo Cascella
  2021-04-14 13:31 ` Mauro Matteo Cascella
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-03-24 10:08 UTC (permalink / raw)
  To: qemu-devel

I can confirm this is fixed now, thank you Mark.

Patchset v2:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  New

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
                   ` (4 preceding siblings ...)
  2021-03-24 10:08 ` Mauro Matteo Cascella
@ 2021-04-14 13:31 ` Mauro Matteo Cascella
  2021-04-14 14:10 ` Mauro Matteo Cascella
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-04-14 13:31 UTC (permalink / raw)
  To: qemu-devel

Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html

Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76

** Changed in: qemu
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  Fix Released

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
                   ` (5 preceding siblings ...)
  2021-04-14 13:31 ` Mauro Matteo Cascella
@ 2021-04-14 14:10 ` Mauro Matteo Cascella
  2021-04-29  9:57 ` Thomas Huth
  2021-04-30  9:00 ` Thomas Huth
  8 siblings, 0 replies; 10+ messages in thread
From: Mauro Matteo Cascella @ 2021-04-14 14:10 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Released => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  Fix Committed

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
                   ` (6 preceding siblings ...)
  2021-04-14 14:10 ` Mauro Matteo Cascella
@ 2021-04-29  9:57 ` Thomas Huth
  2021-04-30  9:00 ` Thomas Huth
  8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2021-04-29  9:57 UTC (permalink / raw)
  To: qemu-devel

** Tags removed: qemu

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  Fix Committed

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
  2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
                   ` (7 preceding siblings ...)
  2021-04-29  9:57 ` Thomas Huth
@ 2021-04-30  9:00 ` Thomas Huth
  8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2021-04-30  9:00 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723

Title:
  NULL pointer dereference issues in am53c974 SCSI host bus adapter

Status in QEMU:
  Fix Released

Bug description:
  Two NULL pointer dereference issues were found in the am53c974 SCSI
  host bus adapter emulation of QEMU. They could occur while handling
  the 'Information Transfer' command (CMD_TI) in function handle_ti() in
  hw/scsi/esp.c, and could be abused by a malicious guest to crash the
  QEMU process on the host resulting in a denial of service.

  Both issues were reported by Cheolwoo Myung (Seoul National
  University). To reproduce them, configure and run QEMU as follows.
  Please find attached the required disk images.

  $ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
  $ make
  $ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
  -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
  -drive id=SysDisk,if=none,file=./disk.img

  Additional info:
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769

  ASAN logs:
  ==672133==         
  hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
  ==672133==The signal is caused by a READ memory access.         
  ==672133==Hint: address points to the zero page.                                                         
      #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
      #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453       
      #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549          
      #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
      #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891   
      #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)

  ---

  ==672020==
  hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
  AddressSanitizer:DEADLYSIGNAL                                                                            
  =================================================================             
  ==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
  ==672020==The signal is caused by a READ memory access.         
  ==672020==Hint: address points to the zero page.                                                         
      #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196        
      #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220           
      #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555          
      #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691                 
      #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206    
      #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
      #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
      #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
      #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
      #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
      #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891   
      #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
      #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
      #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
      #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
      #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
      #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
      #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions


^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2021-04-30  9:19 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-08 10:34 [Bug 1910723] [NEW] NULL pointer dereference issues in am53c974 SCSI host bus adapter Mauro Matteo Cascella
2021-03-15  2:52 ` [Bug 1910723] " Alexander Bulekov
2021-03-15  2:53 ` Alexander Bulekov
2021-03-15 14:07 ` Mauro Matteo Cascella
2021-03-17  7:42 ` Mark Cave-Ayland
2021-03-24 10:08 ` Mauro Matteo Cascella
2021-04-14 13:31 ` Mauro Matteo Cascella
2021-04-14 14:10 ` Mauro Matteo Cascella
2021-04-29  9:57 ` Thomas Huth
2021-04-30  9:00 ` Thomas Huth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).