* [Bug 1892761] [NEW] Heap-use-after-free through double-fetch in ehci
From: Alexander Bulekov @ 2020-08-24 16:04 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Hello,
I don't have a qtest reproducer for this crash because it involves a DMA double-fetch, and I don't think we can reproduce those with qtest.

Instead, I attached the pseudo-qtest trace produced by the fuzzer, along with some trace events.
The lines annotated with [DMA] are write commands that were triggered by a callback from a DMA read by the device. The lines annotated with [DOUBLE-FETCH] are DMA accesses that hit the same address more than once (possible double-fetches).

I am still thinking of nicer ways of presenting this trace and providing a reproducer.
-Alex

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "ehci"
   https://bugs.launchpad.net/bugs/1892761/+attachment/5404187/+files/ehci

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892761

Title:
  Heap-use-after-free through double-fetch in ehci

Status in QEMU:
  New

Bug description:
  Hello,
  I don't have a qtest reproducer for this crash because it involves a DMA double-fetch, and I don't think we can reproduce those with qtest.

  Instead, I attached the pseudo-qtest trace produced by the fuzzer, along with some trace events.
  The lines annotated with [DMA] are write commands that were triggered by a callback from a DMA read by the device. The lines annotated with [DOUBLE-FETCH] are DMA accesses that hit the same address more than once (possible double-fetches).

  I am still thinking of nicer ways of presenting this trace and providing a reproducer.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892761/+subscriptions


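The [DOUBLE-FETCH] annotation described in the report, as an added example that is not the reporter's fuzzer, the attached "ehci" trace, or QEMU code: a small Python triage script over a constructed trace format (`dma_read <addr> <len>` lines plus `reset` markers for the start of a new device operation). It generalizes the report's exact-address check to overlapping byte ranges, so a partial re-read of a descriptor is flagged as well.

```python
import re
from dataclasses import dataclass

# Constructed trace format (not the attached "ehci" trace): one line per DMA
# read the emulated device makes from guest memory, "dma_read <addr> <len>",
# and "reset" lines marking the start of a new device operation.
LINE_RE = re.compile(r"^dma_read\s+(0x[0-9a-fA-F]+)\s+(\d+)$")

@dataclass(frozen=True)
class Fetch:
    addr: int
    size: int
    def overlaps(self, other):
        return self.addr < other.addr + other.size and other.addr < self.addr + self.size

def annotate(lines):
    """Return (line, tag) pairs; tag is "[DOUBLE-FETCH]" when the read overlaps a
    range already fetched in the same operation: the guest can rewrite that memory
    between the two reads, so the device may act on two views of one structure."""
    seen, out = [], []
    for raw in lines:
        line = raw.strip()
        if line == "reset":          # new operation: earlier fetches no longer count
            seen.clear()
            out.append((line, ""))
            continue
        m = LINE_RE.match(line)
        if not m:                    # other trace events are passed through untagged
            out.append((line, ""))
            continue
        fetch = Fetch(int(m.group(1), 16), int(m.group(2)))
        tag = "[DOUBLE-FETCH]" if any(fetch.overlaps(s) for s in seen) else ""
        seen.append(fetch)
        out.append((line, tag))
    return out

def double_fetches(lines):
    """Only the lines flagged as candidate double-fetches."""
    return [line for line, tag in annotate(lines) if tag]

SAMPLE_TRACE = [  # constructed sample input
    "reset",
    "dma_read 0x1000 32",  # first read of a descriptor
    "dma_read 0x1020 32",  # adjacent, not overlapping
    "dma_read 0x1000 32",  # same descriptor re-read: candidate double-fetch
    "dma_read 0x1010 8",   # partial re-read still overlaps
    "reset",
    "dma_read 0x1000 32",  # new operation, so a fresh first read
]
```

A flagged line is only a candidate: whether it is exploitable depends on whether the device acts on both copies (for example validating one and using the other), which needs a look at the emulation code, not just the trace.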

* [Bug 1892761] Re: Heap-use-after-free through double-fetch in ehci
From: Thomas Huth @ 2021-05-27 15:11 UTC (permalink / raw)
  To: qemu-devel

Hi Alexander! Have you ever been able to create a reproducer for this
problem?

** Changed in: qemu
       Status: New => Incomplete




* [Bug 1892761] Re: Heap-use-after-free through double-fetch in ehci
From: Alexander Bulekov @ 2021-06-14 23:51 UTC (permalink / raw)
  To: qemu-devel

No. If we figure out some way to consistently reproduce double-fetches
in a non-fuzzer build, I'll report the issue again, but this can
probably be closed.




* [Bug 1892761] Re: Heap-use-after-free through double-fetch in ehci
From: Thomas Huth @ 2021-07-16 17:22 UTC (permalink / raw)
  To: qemu-devel

Ok, let's close this one since it was not reproducible. If you find a
reproducer, please open a new ticket in the gitlab tracker instead.

** Changed in: qemu
       Status: Incomplete => Won't Fix

