QEMU-Devel Archive on lore.kernel.org
From: Alexander Bulekov <alxndr@bu.edu>
To: John Snow <jsnow@redhat.com>
Cc: Li Qiang <liq3ea@gmail.com>, Michael Tokarev <mjt@tls.msk.ru>,
	QEMU Developers <qemu-devel@nongnu.org>,
	qemu-block@nongnu.org, Alexander Bulekov <alxndr@bu.edu>
Subject: [PATCH 1/2] floppy: add a regression test for CVE-2020-25741
Date: Fri, 19 Mar 2021 01:09:05 -0400
Message-ID: <20210319050906.14875-1-alxndr@bu.edu> (raw)
In-Reply-To: <20200827113806.1850687-1-ppandit@redhat.com>

dd if=/dev/zero of=/tmp/fda.img bs=1024 count=1440
cat << EOF | ./qemu-system-i386 -nographic -m 512M -nodefaults \
-accel qtest -fda /tmp/fda.img -qtest stdio
outw 0x3f4 0x0500
outb 0x3f5 0x00
outb 0x3f5 0x00
outw 0x3f4 0x00
outb 0x3f5 0x00
outw 0x3f1 0x0400
outw 0x3f4 0x0
outw 0x3f4 0x00
outb 0x3f5 0x0
outb 0x3f5 0x01
outw 0x3f1 0x0500
outb 0x3f5 0x00
EOF

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---

Might be useful for reproducing/regression testing

 tests/qtest/fuzz-test.c | 54 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
index 00149abec7..62ececc66f 100644
--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
@@ -24,6 +24,58 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
     qtest_quit(s);
 }
 
+/*
+ * ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
+ * The signal is caused by a WRITE memory access.
+ * #0 0x555559d7f519 in blk_inc_in_flight /block/block-backend.c:1356:5
+ * #1 0x555559d7f519 in blk_prw /block/block-backend.c:1328:5
+ * #2 0x555559d81673 in blk_pwrite /block/block-backend.c:1501:15
+ * #3 0x555558fc763f in fdctrl_write_data /hw/block/fdc.c:2414:17
+ * #4 0x555558fc763f in fdctrl_write /hw/block/fdc.c:967:9
+ * #5 0x5555594a622c in memory_region_write_accessor /softmmu/memory.c:491:5
+ * #6 0x5555594a5c93 in access_with_adjusted_size /softmmu/memory.c:552:18
+ * #7 0x5555594a54f0 in memory_region_dispatch_write /softmmu/memory.c
+ * #8 0x55555964a686 in flatview_write_continue /softmmu/physmem.c:2776:23
+ * #9 0x55555963fde8 in flatview_write /softmmu/physmem.c:2816:14
+ * #10 0x55555963fde8 in address_space_write /softmmu/physmem.c:2908:18
+ * #11 0x55555968f8a1 in cpu_outb /softmmu/ioport.c:60:5
+ * #12 0x5555597d5619 in qtest_process_command /softmmu/qtest.c:479:13
+ * #13 0x5555597d34bf in qtest_process_inbuf /softmmu/qtest.c:797:9
+ * #14 0x555559b4539d in fd_chr_read /chardev/char-fd.c:68:9
+ * #15 0x7ffff7b7dc3e in g_main_context_dispatch
+ * #16 0x55555a4facdc in glib_pollfds_poll /util/main-loop.c:231:9
+ * #17 0x55555a4facdc in os_host_main_loop_wait /util/main-loop.c:254:5
+ * #18 0x55555a4facdc in main_loop_wait /util/main-loop.c:530:11
+ * #19 0x555559a6dec9 in qemu_main_loop /softmmu/runstate.c:725:9
+ * #20 0x5555581a3085 in main /softmmu/main.c:50:5
+ */
+static void test_fdc_cve_2020_25741(void)
+{
+    QTestState *s;
+    int fd;
+    char tmpdisk[] = "/tmp/fda.XXXXXX";
+    fd = mkstemp(tmpdisk);
+    assert(fd >= 0);
+    ftruncate(fd, 1440 * 1024);
+    close(fd);
+
+    s = qtest_initf("-nographic -m 512M -nodefaults "
+                    "-drive file=%s,format=raw,if=floppy", tmpdisk);
+    qtest_outw(s, 0x3f4, 0x0500);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outw(s, 0x3f4, 0x00);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outw(s, 0x3f1, 0x0400);
+    qtest_outw(s, 0x3f4, 0x0);
+    qtest_outw(s, 0x3f4, 0x00);
+    qtest_outb(s, 0x3f5, 0x0);
+    qtest_outb(s, 0x3f5, 0x01);
+    qtest_outw(s, 0x3f1, 0x0500);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_quit(s);
+}
+
 int main(int argc, char **argv)
 {
     const char *arch = qtest_get_arch();
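Review bot: the temporary image created by `mkstemp(tmpdisk)` is never removed, and the result of `ftruncate(fd, 1440 * 1024)` is not checked, so a failed truncation would silently run the test against an empty file and every run leaves a `/tmp/fda.XXXXXX` behind. Suggest `g_assert(ftruncate(fd, 1440 * 1024) == 0);` to match the existing `assert(fd >= 0);`, and an `unlink(tmpdisk);` after `qtest_quit(s);`. It would also help a future reader if one line above the AddressSanitizer trace said what it demonstrates (the null block pointer reached from `fdctrl_write_data` via `blk_pwrite`, per the parent patch's subject) rather than leaving only the raw frames; the mixed `0x0`/`0x00` spellings in the port writes could be normalised while at it.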
@@ -33,6 +85,8 @@ int main(int argc, char **argv)
     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
                        test_lp1878642_pci_bus_get_irq_level_assert);
+        qtest_add_func("fuzz/test_fdc_cve_2020_25741",
+                       test_fdc_cve_2020_25741);
     }
 
     return g_test_run();
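Review bot: registering the test inside the existing `i386`/`x86_64` guard is correct and should stay that way: the sequence drives the floppy controller through the PC I/O ports (`0x3f1`, `0x3f4`, `0x3f5`), which only exist on the default machines of those targets, so hoisting it out of the guard would break the other qtest targets. The `fuzz/test_fdc_cve_2020_25741` name follows the convention of the neighbouring lp1878642 test; nothing else to change here.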
-- 
2.27.0

Thread overview: 12+ messages
2020-08-27 11:38 [PATCH] fdc: check null block pointer before blk_pwrite P J P
2020-09-15 12:47 ` P J P
2020-09-18 10:52 ` Li Qiang
2021-03-19  5:09 ` Alexander Bulekov [this message]
2021-03-19  5:09   ` [PATCH 2/2] floppy: add a regression test for CVE-2021-20196 Alexander Bulekov
2021-03-19  5:53   ` [PATCH 1/2] floppy: add a regression test for CVE-2020-25741 Markus Armbruster
2021-03-19  9:26     ` Paolo Bonzini
2021-03-19  9:54       ` Markus Armbruster
2021-03-19 10:17         ` Paolo Bonzini
2021-03-19 14:51         ` Alexander Bulekov
2021-03-19 14:52       ` Alexander Bulekov
2021-05-18 17:30 ` [PATCH] fdc: check null block pointer before blk_pwrite John Snow
