* [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd
@ 2021-03-09 19:53 Alexander Bulekov
2021-03-10 6:24 ` Alexander Bulekov
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Alexander Bulekov @ 2021-03-09 19:53 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
== QTest Reproducer ==
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x19c0 0x00
* EOF
*/
static void null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x19c0, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
== Stack Trace ==
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
==314546==The signal is caused by a WRITE memory access.
==314546==Hint: address points to the zero page.
#0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
#1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
#2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
#3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
#4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
#5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
#6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
#7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
#8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
#9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
#10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
#14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
#16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
** Affects: qemu
Importance: Undecided
Status: New
** Tags: fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1918321
Title:
[OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
megasas_finish_dcmd
Status in QEMU:
New
Bug description:
Hello,
== QTest Reproducer ==
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x19c0 0x00
* EOF
*/
static void null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x19c0, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
== Stack Trace ==
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
==314546==The signal is caused by a WRITE memory access.
==314546==Hint: address points to the zero page.
#0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
#1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
#2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
#3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
#4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
#5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
#6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
#7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
#8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
#9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
#10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
#14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
#16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd
2021-03-09 19:53 [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd Alexander Bulekov
@ 2021-03-10 6:24 ` Alexander Bulekov
2021-03-10 6:24 ` Alexander Bulekov
2021-06-10 15:19 ` [Bug 1918321] " Thomas Huth
` (2 subsequent siblings)
3 siblings, 1 reply; 6+ messages in thread
From: Alexander Bulekov @ 2021-03-10 6:24 UTC (permalink / raw)
To: Bug 1918321; +Cc: qemu-devel
I posted a reproducer for a different bug. Here are the correct
reproducer and stacktrace:
/*
* Autogenerated Fuzzer Test Case
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
* -m 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x1940 0x1e1ed300
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* outb 0x1940 0x0
* write 0x0 0x1 0x01
* write 0x7 0x1 0x01
* write 0x16 0x1 0x01
* write 0x28 0x1 0x01
* write 0x2f 0x1 0x01
* outb 0x1940 0x0
* write 0x0 0x1 0x05
* write 0x7 0x1 0x01
* write 0x19 0x1 0x02
* write 0x1a 0x1 0x01
* write 0x1b 0x1 0x08
* write 0x2f 0x1 0x01
* outb 0x1940 0x0
* EOF
*/
static void
null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device "
"megasas -device scsi-cd,drive=null0 -blockdev "
"driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_outb(s, 0x1940, 0x0);
qtest_bufwrite(s, 0x0, "\x01", 0x1);
qtest_bufwrite(s, 0x7, "\x01", 0x1);
qtest_bufwrite(s, 0x16, "\x01", 0x1);
qtest_bufwrite(s, 0x28, "\x01", 0x1);
qtest_bufwrite(s, 0x2f, "\x01", 0x1);
qtest_outb(s, 0x1940, 0x0);
qtest_bufwrite(s, 0x0, "\x05", 0x1);
qtest_bufwrite(s, 0x7, "\x01", 0x1);
qtest_bufwrite(s, 0x19, "\x02", 0x1);
qtest_bufwrite(s, 0x1a, "\x01", 0x1);
qtest_bufwrite(s, 0x1b, "\x08", 0x1);
qtest_bufwrite(s, 0x2f, "\x01", 0x1);
qtest_outb(s, 0x1940, 0x0);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
=== Stack Trace ===
../hw/scsi/megasas.c:726:25: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:726:25 in
../hw/scsi/megasas.c:726:25: runtime error: member access within null pointer of type 'struct mfi_dcmd_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:726:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==966650==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x55abf56c7955 bp 0x7fff888f64d0 sp 0x7fff888f6400 T0)
==966650==The signal is caused by a WRITE memory access.
==966650==Hint: address points to the zero page.
#0 0x55abf56c7955 in megasas_finish_dcmd build/../hw/scsi/megasas.c
#1 0x55abf56b97c1 in megasas_handle_dcmd build/../hw/scsi/megasas.c:1601:9
#2 0x55abf56b97c1 in megasas_handle_frame build/../hw/scsi/megasas.c:1965:24
#3 0x55abf56b0e54 in megasas_mmio_write build/../hw/scsi/megasas.c:2129:9
#4 0x55abf6a867f6 in memory_region_write_accessor build/../softmmu/memory.c:491:5
#5 0x55abf6a86263 in access_with_adjusted_size build/../softmmu/memory.c:552:18
#6 0x55abf6a85ac0 in memory_region_dispatch_write build/../softmmu/memory.c
#7 0x55abf6696d86 in flatview_write_continue build/../softmmu/physmem.c:2776:23
#8 0x55abf668c74b in flatview_write build/../softmmu/physmem.c:2816:14
#9 0x55abf668c74b in address_space_write build/../softmmu/physmem.c:2908:18
#10 0x55abf67e6571 in cpu_outb build/../softmmu/ioport.c:60:5
#11 0x55abf6b68ec9 in qtest_process_command build/../softmmu/qtest.c:479:13
#12 0x55abf6b66d6f in qtest_process_inbuf build/../softmmu/qtest.c:797:9
#13 0x55abf6d4c65e in fd_chr_read build/../chardev/char-fd.c:68:9
#14 0x7f976e846aae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
#15 0x55abf76eba3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#16 0x55abf76eba3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#17 0x55abf76eba3c in main_loop_wait build/../util/main-loop.c:531:11
#18 0x55abf69398a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#19 0x55abf54071e5 in main build/../softmmu/main.c:50:5
#20 0x7f976d674d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#21 0x55abf535abb9 in _start (system-i386+0x2b5fbb9)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd
2021-03-10 6:24 ` Alexander Bulekov
@ 2021-03-10 6:24 ` Alexander Bulekov
0 siblings, 0 replies; 6+ messages in thread
From: Alexander Bulekov @ 2021-03-10 6:24 UTC (permalink / raw)
To: qemu-devel
I posted a reproducer for a different bug. Here are the correct
reproducer and stacktrace:
/*
* Autogenerated Fuzzer Test Case
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
* -m 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x1940 0x1e1ed300
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* clock_step
* outb 0x1940 0x0
* write 0x0 0x1 0x01
* write 0x7 0x1 0x01
* write 0x16 0x1 0x01
* write 0x28 0x1 0x01
* write 0x2f 0x1 0x01
* outb 0x1940 0x0
* write 0x0 0x1 0x05
* write 0x7 0x1 0x01
* write 0x19 0x1 0x02
* write 0x1a 0x1 0x01
* write 0x1b 0x1 0x08
* write 0x2f 0x1 0x01
* outb 0x1940 0x0
* EOF
*/
static void
null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device "
"megasas -device scsi-cd,drive=null0 -blockdev "
"driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_outb(s, 0x1940, 0x0);
qtest_bufwrite(s, 0x0, "\x01", 0x1);
qtest_bufwrite(s, 0x7, "\x01", 0x1);
qtest_bufwrite(s, 0x16, "\x01", 0x1);
qtest_bufwrite(s, 0x28, "\x01", 0x1);
qtest_bufwrite(s, 0x2f, "\x01", 0x1);
qtest_outb(s, 0x1940, 0x0);
qtest_bufwrite(s, 0x0, "\x05", 0x1);
qtest_bufwrite(s, 0x7, "\x01", 0x1);
qtest_bufwrite(s, 0x19, "\x02", 0x1);
qtest_bufwrite(s, 0x1a, "\x01", 0x1);
qtest_bufwrite(s, 0x1b, "\x08", 0x1);
qtest_bufwrite(s, 0x2f, "\x01", 0x1);
qtest_outb(s, 0x1940, 0x0);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
=== Stack Trace ===
../hw/scsi/megasas.c:726:25: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:726:25 in
../hw/scsi/megasas.c:726:25: runtime error: member access within null pointer of type 'struct mfi_dcmd_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:726:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==966650==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x55abf56c7955 bp 0x7fff888f64d0 sp 0x7fff888f6400 T0)
==966650==The signal is caused by a WRITE memory access.
==966650==Hint: address points to the zero page.
#0 0x55abf56c7955 in megasas_finish_dcmd build/../hw/scsi/megasas.c
#1 0x55abf56b97c1 in megasas_handle_dcmd build/../hw/scsi/megasas.c:1601:9
#2 0x55abf56b97c1 in megasas_handle_frame build/../hw/scsi/megasas.c:1965:24
#3 0x55abf56b0e54 in megasas_mmio_write build/../hw/scsi/megasas.c:2129:9
#4 0x55abf6a867f6 in memory_region_write_accessor build/../softmmu/memory.c:491:5
#5 0x55abf6a86263 in access_with_adjusted_size build/../softmmu/memory.c:552:18
#6 0x55abf6a85ac0 in memory_region_dispatch_write build/../softmmu/memory.c
#7 0x55abf6696d86 in flatview_write_continue build/../softmmu/physmem.c:2776:23
#8 0x55abf668c74b in flatview_write build/../softmmu/physmem.c:2816:14
#9 0x55abf668c74b in address_space_write build/../softmmu/physmem.c:2908:18
#10 0x55abf67e6571 in cpu_outb build/../softmmu/ioport.c:60:5
#11 0x55abf6b68ec9 in qtest_process_command build/../softmmu/qtest.c:479:13
#12 0x55abf6b66d6f in qtest_process_inbuf build/../softmmu/qtest.c:797:9
#13 0x55abf6d4c65e in fd_chr_read build/../chardev/char-fd.c:68:9
#14 0x7f976e846aae in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
#15 0x55abf76eba3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#16 0x55abf76eba3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#17 0x55abf76eba3c in main_loop_wait build/../util/main-loop.c:531:11
#18 0x55abf69398a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#19 0x55abf54071e5 in main build/../softmmu/main.c:50:5
#20 0x7f976d674d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#21 0x55abf535abb9 in _start (system-i386+0x2b5fbb9)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1918321
Title:
[OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
megasas_finish_dcmd
Status in QEMU:
New
Bug description:
Hello,
== QTest Reproducer ==
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x19c0 0x00
* EOF
*/
static void null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x19c0, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
== Stack Trace ==
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
==314546==The signal is caused by a WRITE memory access.
==314546==Hint: address points to the zero page.
#0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
#1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
#2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
#3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
#4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
#5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
#6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
#7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
#8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
#9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
#10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
#14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
#16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1918321] Re: [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd
2021-03-09 19:53 [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd Alexander Bulekov
2021-03-10 6:24 ` Alexander Bulekov
@ 2021-06-10 15:19 ` Thomas Huth
2021-08-21 4:14 ` Alexander Bulekov
2021-08-21 6:30 ` Thomas Huth
3 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2021-06-10 15:19 UTC (permalink / raw)
To: qemu-devel
This is still reproducible with the current qemu git version (commit
7fe7fae8b48e3f9c647f)
** Tags added: block
** Changed in: qemu
Status: New => Confirmed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1918321
Title:
[OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
megasas_finish_dcmd
Status in QEMU:
Confirmed
Bug description:
Hello,
== QTest Reproducer ==
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x19c0 0x00
* EOF
*/
static void null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x19c0, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
== Stack Trace ==
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
==314546==The signal is caused by a WRITE memory access.
==314546==Hint: address points to the zero page.
#0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
#1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
#2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
#3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
#4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
#5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
#6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
#7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
#8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
#9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
#10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
#14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
#16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1918321] Re: [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd
2021-03-09 19:53 [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd Alexander Bulekov
2021-03-10 6:24 ` Alexander Bulekov
2021-06-10 15:19 ` [Bug 1918321] " Thomas Huth
@ 2021-08-21 4:14 ` Alexander Bulekov
2021-08-21 6:30 ` Thomas Huth
3 siblings, 0 replies; 6+ messages in thread
From: Alexander Bulekov @ 2021-08-21 4:14 UTC (permalink / raw)
To: qemu-devel
I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/548
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #548
https://gitlab.com/qemu-project/qemu/-/issues/548
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1918321
Title:
[OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
megasas_finish_dcmd
Status in QEMU:
Confirmed
Bug description:
Hello,
== QTest Reproducer ==
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x19c0 0x00
* EOF
*/
static void null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x19c0, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
== Stack Trace ==
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
==314546==The signal is caused by a WRITE memory access.
==314546==Hint: address points to the zero page.
#0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
#1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
#2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
#3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
#4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
#5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
#6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
#7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
#8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
#9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
#10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
#14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
#16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug 1918321] Re: [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd
2021-03-09 19:53 [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd Alexander Bulekov
` (2 preceding siblings ...)
2021-08-21 4:14 ` Alexander Bulekov
@ 2021-08-21 6:30 ` Thomas Huth
3 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2021-08-21 6:30 UTC (permalink / raw)
To: qemu-devel
Thanks for moving it over! ... let's close this one here on Launchpad
now.
** Changed in: qemu
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1918321
Title:
[OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
megasas_finish_dcmd
Status in QEMU:
Invalid
Bug description:
Hello,
== QTest Reproducer ==
/*
* cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
* 512M -machine q35 -nodefaults -device megasas -device \
* scsi-cd,drive=null0 -blockdev \
* driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
* outl 0xcf8 0x80000801
* outl 0xcfc 0x05000000
* outl 0xcf8 0x80000816
* outl 0xcfc 0x19000000
* write 0x1e1ed300 0x1 0x01
* write 0x1e1ed307 0x1 0x01
* write 0x1e1ed316 0x1 0x01
* write 0x1e1ed328 0x1 0x01
* write 0x1e1ed32f 0x1 0x01
* outl 0x1940 0x1e1ed300
* outl 0x19c0 0x00
* EOF
*/
static void null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x80000801);
qtest_outl(s, 0xcfc, 0x05000000);
qtest_outl(s, 0xcf8, 0x80000816);
qtest_outl(s, 0xcfc, 0x19000000);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x19c0, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0) {
qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
null_deref_megasas_finish_dcmd);
}
return g_test_run();
}
== Stack Trace ==
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
==314546==The signal is caused by a WRITE memory access.
==314546==Hint: address points to the zero page.
#0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
#1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
#2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
#3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
#4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
#5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
#6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
#7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
#8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
#9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
#10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
#12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
#13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
#14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
#15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
#16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-08-21 6:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-09 19:53 [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd Alexander Bulekov
2021-03-10 6:24 ` Alexander Bulekov
2021-03-10 6:24 ` Alexander Bulekov
2021-06-10 15:19 ` [Bug 1918321] " Thomas Huth
2021-08-21 4:14 ` Alexander Bulekov
2021-08-21 6:30 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).