From: Mauro Matteo Cascella <1910723@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1910723] Re: NULL pointer dereference issues in am53c974 SCSI host bus adapter
Date: Wed, 14 Apr 2021 13:31:10 -0000
Message-ID: <161840707025.30877.9354363774293865708.malone@gac.canonical.com>
In-Reply-To: 161010205447.5394.7992680653208743690.malonedeb@gac.canonical.com
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Status in QEMU:
Fix Released
Bug description:
Two NULL pointer dereference issues were found in the am53c974 SCSI
host bus adapter emulation of QEMU. They could occur while handling
the 'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
QEMU process on the host resulting in a denial of service.
Both issues were reported by Cheolwoo Myung (Seoul National
University). To reproduce them, configure and run QEMU as follows.
Please find attached the required disk images.
$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
$ make
$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Additional info:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
ASAN logs:
==672133==
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==The signal is caused by a READ memory access.
==672133==Hint: address points to the zero page.
#0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
#1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
#2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
#3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
#10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
#11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
#12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
---
==672020==
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==The signal is caused by a READ memory access.
==672020==Hint: address points to the zero page.
#0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
#1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
#2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
#3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
#4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
#5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
#6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
#7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
#8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
#9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
#10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
#11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
#12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
#13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
#14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
#15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
#16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
#17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910723/+subscriptions
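The two sanitizer reports above point at the same code path, which is the kind of thing a small triage script can surface automatically when many fuzzer crashes arrive at once. The following Python is an added example, not part of the bug report or of QEMU: it parses a constructed excerpt of the two ASAN/UBSan reports, classifies a fault address inside the zero page as a NULL-plus-member-offset read, and finds the stack frame both crashes share.

```python
import re

# Constructed excerpt of the two ASAN/UBSan reports quoted in the bug above.
SAMPLE_LOG = """\
hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
==672133==Hint: address points to the zero page.
    #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
    #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
    #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
---
hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
==672020==Hint: address points to the zero page.
    #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
    #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
    #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
"""

PAGE_SIZE = 0x1000  # a fault address below this is NULL plus a struct member offset
SEGV_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-f]+)")
UBSAN_RE = re.compile(r"runtime error: member access within null pointer of type '([^']+)'")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\w+) (\S+)", re.M)

def triage(log):
    """Split an ASAN log on '---' separators and summarise each SEGV report as a dict."""
    reports = []
    for chunk in log.split("---"):
        m = SEGV_RE.search(chunk)
        if not m:
            continue  # not a SEGV report (or no report at all in this chunk)
        addr = int(m.group(2), 16)
        frames = FRAME_RE.findall(chunk)  # (frame number, function, file:line)
        ub = UBSAN_RE.search(chunk)       # UBSan names the struct being dereferenced
        reports.append({
            "pid": int(m.group(1)),
            "fault_addr": addr,
            "null_deref": addr < PAGE_SIZE,              # zero-page read => NULL deref
            "top_frame": frames[0][1] if frames else None,
            "frames": [f[1] for f in frames],
            "ubsan_type": ub.group(1) if ub else None,
        })
    return reports

def shared_frame(reports):
    """Return the outermost-first frame common to every report's stack, or None."""
    common = set.intersection(*(set(r["frames"]) for r in reports))
    return next((n for n in reports[0]["frames"] if n in common), None)
```

On this excerpt the common frame is handle_ti, the function named in the bug description, and both fault addresses are small member offsets from NULL.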