* [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
@ 2020-12-24 17:02 Mauro Matteo Cascella
2020-12-24 17:09 ` [Bug 1909247] " Mauro Matteo Cascella
` (15 more replies)
0 siblings, 16 replies; 22+ messages in thread
From: Mauro Matteo Cascella @ 2020-12-24 17:02 UTC (permalink / raw)
To: qemu-devel
*** This bug is a security vulnerability ***
Public security bug reported:
A use-after-free vulnerability was found in the am53c974 SCSI host bus
adapter emulation of QEMU. It could occur in the esp_do_dma() function
in hw/scsi/esp.c while handling the 'Information Transfer' command
(CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU
process on the host, resulting in a denial of service or potential code
execution with the privileges of the QEMU process.
This issue was reported by Cheolwoo Myung (Seoul National University).
Original report:
Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
am53c974 emulator of QEMU enabled ASan.
It occurs while transferring information, as it does not check the
buffer to be transferred.
A malicious guest user/process could use this flaw to crash the QEMU
process resulting in DoS scenario.
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make
# To reproduce this issue, please run the QEMU process with the following command line
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Please find attached the disk images to reproduce this issue.
** Affects: qemu
Importance: Undecided
Status: New
** Tags: cve qemu security
** Attachment added: "uaf-am53c974.tar.xz"
https://bugs.launchpad.net/bugs/1909247/+attachment/5446614/+files/uaf-am53c974.tar.xz
** Information type changed from Private Security to Public Security
** Bug watch added: Red Hat Bugzilla #1909996
https://bugzilla.redhat.com/show_bug.cgi?id=1909996
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
Status in QEMU:
New
Bug description:
A use-after-free vulnerability was found in the am53c974 SCSI host bus
adapter emulation of QEMU. It could occur in the esp_do_dma() function
in hw/scsi/esp.c while handling the 'Information Transfer' command
(CMD_TI). A privileged guest user may abuse this flaw to crash the
QEMU process on the host, resulting in a denial of service or
potential code execution with the privileges of the QEMU process.
This issue was reported by Cheolwoo Myung (Seoul National University).
Original report:
Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in
am53c974 emulator of QEMU enabled ASan.
It occurs while transferring information, as it does not check the
buffer to be transferred.
A malicious guest user/process could use this flaw to crash the QEMU
process resulting in DoS scenario.
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make
# To reproduce this issue, please run the QEMU process with the following command line
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
-drive id=SysDisk,if=none,file=./disk.img
Please find attached the disk images to reproduce this issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions
^ permalink raw reply [flat|nested] 22+ messages in thread* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella @ 2020-12-24 17:09 ` Mauro Matteo Cascella 2021-01-15 16:16 ` Peter Maydell ` (14 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mauro Matteo Cascella @ 2020-12-24 17:09 UTC (permalink / raw) To: qemu-devel RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909996 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella 2020-12-24 17:09 ` [Bug 1909247] " Mauro Matteo Cascella @ 2021-01-15 16:16 ` Peter Maydell 2021-03-15 3:01 ` Alexander Bulekov ` (13 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Peter Maydell @ 2021-01-15 16:16 UTC (permalink / raw) To: qemu-devel ** Tags added: fuzzer -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella 2020-12-24 17:09 ` [Bug 1909247] " Mauro Matteo Cascella 2021-01-15 16:16 ` Peter Maydell @ 2021-03-15 3:01 ` Alexander Bulekov 2021-03-15 12:11 ` Mauro Matteo Cascella ` (12 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Alexander Bulekov @ 2021-03-15 3:01 UTC (permalink / raw) To: qemu-devel Looks the same, or very similar to this one: /* * Autogenerated Fuzzer Test Case * * This work is licensed under the terms of the GNU GPL, version 2 or * later. See the COPYING file in the top-level directory. */ #include "qemu/osdep.h" #include "libqos/libqtest.h" /* * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \ * -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio * outl 0xcf8 0x80001010 * outl 0xcfc 0xc000 * outl 0xcf8 0x80001004 * outw 0xcfc 0x01 * outl 0xc046 0x02 * outl 0xc03f 0x0300 * outw 0xc00b 0x4300 * outl 0xc00b 0x9000 * EOF */ static void test_fuzz(void) { QTestState *s = qtest_init( "-display none , -m 4G -device am53c974,id=scsi -device " "scsi-hd,drive=disk0 -drive " "id=disk0,if=none,file=null-co://,format=raw -nodefaults"); qtest_outl(s, 0xcf8, 0x80001010); qtest_outl(s, 0xcfc, 0xc000); qtest_outl(s, 0xcf8, 0x80001004); qtest_outw(s, 0xcfc, 0x01); qtest_outl(s, 0xc046, 0x02); qtest_outl(s, 0xc03f, 0x0300); qtest_outw(s, 0xc00b, 0x4300); qtest_outl(s, 0xc00b, 0x9000); qtest_quit(s); } int main(int argc, char **argv) { const char *arch = qtest_get_arch(); g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/test_fuzz", test_fuzz); } return g_test_run(); } -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (2 preceding siblings ...) 2021-03-15 3:01 ` Alexander Bulekov @ 2021-03-15 12:11 ` Mauro Matteo Cascella 2021-03-15 13:50 ` Mauro Matteo Cascella ` (11 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mauro Matteo Cascella @ 2021-03-15 12:11 UTC (permalink / raw) To: qemu-devel Technically, the first one is a heap use-after-free, while the second a stack buffer overflow. They could be two different manifestations of the same issue; they both originate from handle_ti() and the root cause may be the same. Heap uaf: ================================================================= ==129653==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000b5000 at pc 0x7f0c3d947dd3 bp 0x7f0c13bfdac0 sp 0x7f0c13bfd270 READ of size 27 at 0x6290000b5000 thread T7 #0 0x7f0c3d947dd2 in __interceptor_memcpy (/lib64/libasan.so.6+0x39dd2) #1 0x562c1c7292b2 in flatview_write_continue softmmu/physmem.c:2781 #2 0x562c1c729589 in flatview_write softmmu/physmem.c:2816 #3 0x562c1c729ef7 in address_space_write softmmu/physmem.c:2908 #4 0x562c1c729faf in address_space_rw softmmu/physmem.c:2918 #5 0x562c1c217754 in dma_memory_rw_relaxed include/sysemu/dma.h:8 #6 0x562c1c2177a1 in dma_memory_rw include/sysemu/dma.h:127 #7 0x562c1c21791b in pci_dma_rw include/hw/pci/pci.h:803 #8 0x562c1c21b6e3 in esp_pci_dma_memory_rw hw/scsi/esp-pci.c:283 #9 0x562c1c21ba6e in esp_pci_dma_memory_write hw/scsi/esp-pci.c:302 #10 0x562c1c428685 in esp_do_dma hw/scsi/esp.c:526 #11 0x562c1c429cb5 in handle_ti hw/scsi/esp.c:629 ... Stack bof: ================================================================= ==138588==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8a90c300 at pc 0x559b1de0780e bp 0x7ffc8a90bd10 sp 0x7ffc8a90bd08 WRITE of size 4 at 0x7ffc8a90c300 thread T0 #0 0x559b1de0780d in stl_he_p include/qemu/bswap.h:353 #1 0x559b1de07dec in stn_he_p include/qemu/bswap.h:486 #2 0x559b1de23e47 in flatview_read_continue softmmu/physmem.c:2841 #3 0x559b1de24215 in flatview_read softmmu/physmem.c:2879 #4 0x559b1de243b5 in address_space_read_full softmmu/physmem.c:2892 #5 0x559b1de2462c in address_space_rw softmmu/physmem.c:2920 #6 0x559b1d1ec514 in dma_memory_rw_relaxed include/sysemu/dma.h:88 #7 0x559b1d1ec561 in dma_memory_rw include/sysemu/dma.h:127 #8 0x559b1d1ec6db in pci_dma_rw include/hw/pci/pci.h:803 #9 0x559b1d1f04a3 in esp_pci_dma_memory_rw hw/scsi/esp-pci.c:283 #10 0x559b1d1f07f8 in esp_pci_dma_memory_read hw/scsi/esp-pci.c:296 #11 0x559b1d66fab1 in esp_do_dma hw/scsi/esp.c:576 #12 0x559b1d6746e1 in handle_ti hw/scsi/esp.c:845 ... -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (3 preceding siblings ...) 2021-03-15 12:11 ` Mauro Matteo Cascella @ 2021-03-15 13:50 ` Mauro Matteo Cascella 2021-03-15 14:02 ` Mauro Matteo Cascella ` (10 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mauro Matteo Cascella @ 2021-03-15 13:50 UTC (permalink / raw) To: qemu-devel Note that the use-after-free was found in v5.2.0 and, as far as I can tell, is not reproducible anymore on master. The ESP/NCR53C9x emulator (hw/scsi/esp.c) underwent several changes since v5.2.0. By git- bisecting, it looks like the original reproducer is neutralized after commit [1]. However, the qtest reproducer (comment #3) seems to be working fine on master as of today. [1] https://git.qemu.org/?p=qemu.git;a=commit;h=bb0bc7bbc9764a5e9e81756819838c5db88652b8 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (4 preceding siblings ...) 2021-03-15 13:50 ` Mauro Matteo Cascella @ 2021-03-15 14:02 ` Mauro Matteo Cascella 2021-03-15 14:19 ` Alexander Bulekov ` (9 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mauro Matteo Cascella @ 2021-03-15 14:02 UTC (permalink / raw) To: qemu-devel ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35506 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (5 preceding siblings ...) 2021-03-15 14:02 ` Mauro Matteo Cascella @ 2021-03-15 14:19 ` Alexander Bulekov 2021-03-17 7:43 ` Mark Cave-Ayland ` (8 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Alexander Bulekov @ 2021-03-15 14:19 UTC (permalink / raw) To: qemu-devel Hi Mauro, Oops... I missed that it was a stack-overflow. I went through my list of crashes, and the closest one I can find is a heap UAF, but it is a write, rather than a read: /* * Autogenerated Fuzzer Test Case * * Copyright (c) 2021 <name of author> * * This work is licensed under the terms of the GNU GPL, version 2 or * later. See the COPYING file in the top-level directory. */ #include "qemu/osdep.h" #include "libqos/libqtest.h" /* * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \ * -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio * outl 0xcf8 0x80001010 * outl 0xcfc 0xc000 * outl 0xcf8 0x80001004 * outw 0xcfc 0x05 * outb 0xc046 0x02 * outl 0xc00b 0xc100 * outl 0xc040 0x03 * outl 0xc040 0x03 * write 0x0 0x1 0x41 * outl 0xc00b 0xc100 * outw 0xc040 0x02 * outl 0xc00b 0x9000 * EOF */ static void test_fuzz(void) { QTestState *s = qtest_init( "-display none , -m 4G -device am53c974,id=scsi -device " "scsi-hd,drive=disk0 -drive " "id=disk0,if=none,file=null-co://,format=raw -nodefaults"); qtest_outl(s, 0xcf8, 0x80001010); qtest_outl(s, 0xcfc, 0xc000); qtest_outl(s, 0xcf8, 0x80001004); qtest_outw(s, 0xcfc, 0x05); qtest_outb(s, 0xc046, 0x02); qtest_outl(s, 0xc00b, 0xc100); qtest_outl(s, 0xc040, 0x03); qtest_outl(s, 0xc040, 0x03); qtest_bufwrite(s, 0x0, "\x41", 0x1); qtest_outl(s, 0xc00b, 0xc100); qtest_outw(s, 0xc040, 0x02); qtest_outl(s, 0xc00b, 0x9000); qtest_quit(s); } int main(int argc, char **argv) { const char *arch = qtest_get_arch(); g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/test_fuzz", test_fuzz); } return g_test_run(); } -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (6 preceding siblings ...) 2021-03-15 14:19 ` Alexander Bulekov @ 2021-03-17 7:43 ` Mark Cave-Ayland 2021-03-24 7:31 ` P J P ` (7 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mark Cave-Ayland @ 2021-03-17 7:43 UTC (permalink / raw) To: qemu-devel Thank you both for the reproducers. Please see the proposed patchset here: https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (7 preceding siblings ...) 2021-03-17 7:43 ` Mark Cave-Ayland @ 2021-03-24 7:31 ` P J P 2021-03-24 8:09 ` Mark Cave-Ayland ` (6 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: P J P @ 2021-03-24 7:31 UTC (permalink / raw) To: qemu-devel On Wednesday, 17 March, 2021, 10:26:36 pm IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote: > Hello PJP, Mauro > > Of course. you can post the details with our reproducers. > I'm glad it helped you. > > Thank you. > - Cheolwoo Myung > 2021년 3월 17일 (수) 오후 10:30, P J P <pjp@fedoraproject.org>님이 작성: > >On Monday, 15 March, 2021, 07:54:30 pm IST, Mauro Matteo Cascella <mcascell@redhat.com> wrote: >>JFYI, CVE-2020-35506 was assigned to a very similar (if not the same) >>issue, see https://bugs.launchpad.net/qemu/+bug/1909247. > > * From the QEMU command lines below they do look similar. > > * CVE bug above does not link to an upstream fix/patch. Maybe it's not fixed yet? > > >On Mon, Mar 15, 2021 at 6:58 AM P J P <pjp@fedoraproject.org> wrote: > >On Monday, 15 March, 2021, 11:11:14 am IST, Cheolwoo Myung <cwmyung@snu.ac.kr> wrote: > >Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. > > > ># To reproduce this issue, please run the QEMU process with the following command line. > >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ > > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img > > > > > > Using hypervisor fuzzer, hyfuzz, I found a stack buffer overflow issue in am53c974 emulator of QEMU enabled ASan. > > > ># To reproduce this issue, please run the QEMU process with the following command line. > >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ > > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img > > * I was able to reproduce these issues against the latest upstream git source and following patch helps to fix above two issues. === $ git diff hw/scsi/ diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c index c3d3dab05e..4a6f208069 100644 --- a/hw/scsi/esp-pci.c +++ b/hw/scsi/esp-pci.c @@ -98,6 +98,7 @@ static void esp_pci_handle_abort(PCIESPState *pci, uint32_t val) trace_esp_pci_dma_abort(val); if (s->current_req) { scsi_req_cancel(s->current_req); + s->async_len = 0; } } diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index 507ab363bc..99bee7bc66 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -564,7 +564,7 @@ static void esp_do_dma(ESPState *s) int to_device = ((s->rregs[ESP_RSTAT] & 7) == STAT_DO); uint8_t buf[ESP_CMDFIFO_SZ]; - len = esp_get_tc(s); + len = MIN(esp_get_tc(s), sizeof(buf)); if (s->do_cmd) { /* === > >Using hypervisor fuzzer, hyfuzz, I found a heap buffer overflow issue in am53c974 emulator of QEMU enabled ASan. > > > ># To reproduce this issue, please run the QEMU process with the following command line. > >$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ > > -device am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive >id=SysDisk,if=none,file=./disk.img * This heap OOB access issue seems to occur because static void do_busid_cmd(...) ... buf = (uint8_t *)fifo8_pop_buf(&s->cmdfifo, cmdlen, &n); <== 'buf' points towards an end of the 32 byte buffer allocated via static void esp_init(Object *obj) ... fifo8_create(&s->cmdfifo, ESP_CMDFIFO_SZ(=32)); <== and the OOB access could occur at numerous places, one of which is scsi_req_new -> scsi_req_parse_cdb -> memcpy(cmd->buf, buf, cmd->len); <== buf=27, cmd->len=6 <= 27+6 exceeds limit 32. * This one is quite tricky to fix. Because 'buf[]' is accessed at various places with hard coded index values. It's not easy to check access against 's->cmdfifo' object. @Cheolwoo: is it okay with you if we post above details and your reproducers on the upstream bug -> https://bugs.launchpad.net/qemu/+bug/1909247 It'll help to discuss/prepare a proper fix patch. Thank you. --- -P J P http://feedmug.com ** Attachment added: "hw-esp-oob-issues.zip" https://bugs.launchpad.net/qemu/+bug/1909247/+attachment/5480385/+files/hw-esp-oob-issues.zip -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (8 preceding siblings ...) 2021-03-24 7:31 ` P J P @ 2021-03-24 8:09 ` Mark Cave-Ayland 2021-03-24 9:51 ` Mauro Matteo Cascella ` (5 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mark Cave-Ayland @ 2021-03-24 8:09 UTC (permalink / raw) To: qemu-devel Can you confirm that this is fixed in the v2 of the above patchset? https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html ATB, Mark. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (9 preceding siblings ...) 2021-03-24 8:09 ` Mark Cave-Ayland @ 2021-03-24 9:51 ` Mauro Matteo Cascella 2021-03-24 15:53 ` Alexander Bulekov 2021-03-25 13:22 ` Mark Cave-Ayland ` (4 subsequent siblings) 15 siblings, 1 reply; 22+ messages in thread From: Mauro Matteo Cascella @ 2021-03-24 9:51 UTC (permalink / raw) To: qemu-devel Hello, Thank you all for your comments. Both patches (PJP/comment#8 - Mark/comment#9) seem to properly fix the UAF reported by Alexander in comment #6. However, I'm still able to reproduce the heap-bof from the above hw-esp-oob-issues.zip: ./x86_64-softmmu/qemu-system-x86_64 -m 512 \ -drive file=./atch2/hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./atch2/disk.img -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2021-03-24 9:51 ` Mauro Matteo Cascella @ 2021-03-24 15:53 ` Alexander Bulekov 2021-03-24 17:28 ` Philippe Mathieu-Daudé 0 siblings, 1 reply; 22+ messages in thread From: Alexander Bulekov @ 2021-03-24 15:53 UTC (permalink / raw) To: qemu-devel Hi, I can still trigger stack-overflows, heap-UAFs and heap-overflows in the code, but Mark's patches fixed some of the issues. I didn't want to flood the issue-tracker with further problems in this code, since it isn't clear what the security expectations are for this device. Of course it is only a matter of time until someone sends more reports to qemu-security. Mark, do you want me to provide more reproducers for this device? -Alex -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2021-03-24 15:53 ` Alexander Bulekov @ 2021-03-24 17:28 ` Philippe Mathieu-Daudé 2021-03-24 17:28 ` Philippe Mathieu-Daudé 0 siblings, 1 reply; 22+ messages in thread From: Philippe Mathieu-Daudé @ 2021-03-24 17:28 UTC (permalink / raw) To: Bug 1909247, qemu-devel; +Cc: Mark Cave-Ayland On 3/24/21 4:53 PM, Alexander Bulekov wrote: > Hi, > I can still trigger stack-overflows, heap-UAFs and heap-overflows in the > code, but Mark's patches fixed some of the issues. I didn't want to > flood the issue-tracker with further problems in this code, since it > isn't clear what the security expectations are for this device. Of > course it is only a matter of time until someone sends more reports to > qemu-security. I'd expect qemu-security to have a template "Thank you for your bug but this device is not within the 'security' boundary, we will forward your report to the community". > > Mark, do you want me to provide more reproducers for this device? Surely Mark prefers you provide bugfixes instead :D Phil. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2021-03-24 17:28 ` Philippe Mathieu-Daudé @ 2021-03-24 17:28 ` Philippe Mathieu-Daudé 0 siblings, 0 replies; 22+ messages in thread From: Philippe Mathieu-Daudé @ 2021-03-24 17:28 UTC (permalink / raw) To: qemu-devel On 3/24/21 4:53 PM, Alexander Bulekov wrote: > Hi, > I can still trigger stack-overflows, heap-UAFs and heap-overflows in the > code, but Mark's patches fixed some of the issues. I didn't want to > flood the issue-tracker with further problems in this code, since it > isn't clear what the security expectations are for this device. Of > course it is only a matter of time until someone sends more reports to > qemu-security. I'd expect qemu-security to have a template "Thank you for your bug but this device is not within the 'security' boundary, we will forward your report to the community". > > Mark, do you want me to provide more reproducers for this device? Surely Mark prefers you provide bugfixes instead :D Phil. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (10 preceding siblings ...) 2021-03-24 9:51 ` Mauro Matteo Cascella @ 2021-03-25 13:22 ` Mark Cave-Ayland 2021-03-29 3:21 ` [Bug 1909247] [PATCH] tests/qtest: add more tests for am53c974 device Alexander Bulekov 2021-04-01 8:15 ` [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mark Cave-Ayland ` (3 subsequent siblings) 15 siblings, 1 reply; 22+ messages in thread From: Mark Cave-Ayland @ 2021-03-25 13:22 UTC (permalink / raw) To: qemu-devel If Alex is interested in having a fuzz-proof device as a starting point for fuzzing QEMU's SCSI layer then I don't mind doing the basic work as I've spent a few months deep in the internals of the ESP controller, and it makes sense to look at this whilst it is all still fresh. I'd say there's at least one more set of ESP changes already waiting for after the 6.0 release. PJP: Your change to esp-pci.c looks like a genuine issue, although there is an inconsistency within ESP as to what determines whether a request is in progress or not. My v2 patchset above uses the request member being non-NULL to indicate a valid request, but this should be made consistent throughout the driver. Can you provide a qtest reproducer so that it can be incorporated into the test included in the v2 patchset and also allow me to check that this issue has been fixed? Alex: If you can try PJP's patch to esp-pci.c and if you still see some issues then please update this bug with a test case or two, and I will look at them when I get a moment. Mauro: Thanks for the test case - again I shall look at this when I have some available time. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] [PATCH] tests/qtest: add more tests for am53c974 device 2021-03-25 13:22 ` Mark Cave-Ayland @ 2021-03-29 3:21 ` Alexander Bulekov 2021-03-29 3:21 ` Alexander Bulekov 0 siblings, 1 reply; 22+ messages in thread From: Alexander Bulekov @ 2021-03-29 3:21 UTC (permalink / raw) To: qemu-devel Add some more regression tests for the esp device. (Prasad's Patch) Based-on: <161657108250.32717.5311086901810004029.malone@soybean.canonical.com> (Mark's v2 Patchset) Based-on: <20210317230223.24854-1-mark.cave-ayland@ilande.co.uk> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> --- Hi Mark, Hopefully these are useful. I realized that my previous message was innacurate (I forgot to apply Prasad's patch, or your v2 patchset). The only corruptions that I am continuing to see are heap-overflows. I am guessing that most of these are due to some mututal root cause, so the number of tests far-exceeds the actual number of errors, but I am providing all of the crashes with unique-looking stack-traces, just in case. Please let me know if I can provide anything else that would help. -Alex tests/qtest/am53c974-test.c | 1137 +++++++++++++++++++++++++++++++++++ 1 file changed, 1137 insertions(+) diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c index c90bd4c187..cb2a5646a6 100644 --- a/tests/qtest/am53c974-test.c +++ b/tests/qtest/am53c974-test.c @@ -9,6 +9,1125 @@ #include "libqos/libqtest.h" +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outb 0xc008 0xa0 + * outl 0xc03f 0x0300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_0900379669(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outb(s, 0xc008, 0xa0); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc008 0x20 + * outw 0xc000 0x1 + * outb 0xc040 0x03 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outw 0xc00b 0x4200 + * outl 0xc00a 0x410000 + * EOF + */ +static void crash_094661a91b(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc008, 0x20); + qtest_outw(s, 0xc000, 0x1); + qtest_outb(s, 0xc040, 0x03); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outw(s, 0xc00b, 0x4200); + qtest_outl(s, 0xc00a, 0x410000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outl 0xc007 0x8000 + * outl 0xc03f 0x0300 + * outl 0xc00b 0x4300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_0fff2155cb(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outl(s, 0xc007, 0x8000); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0x4300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc00c 0x41 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outl 0xc006 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x0800 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc006 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x0800 + * outw 0xc00b 0x00 + * outw 0xc00b 0x4100 + * outw 0xc00a 0x00 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * EOF + */ +static void crash_1548bd10e7(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc00a 0x420000 + * outl 0xc00a 0x430000 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x00 + * outb 0xc008 0x00 + * outw 0xc00b 0x00 + * outb 0xc008 0xa0 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00a 0x00 + * outw 0xc00b 0x00 + * outl 0xc00a 0x00 + * outl 0xc00a 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x1000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_1afe349482(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00a, 0x420000); + qtest_outl(s, 0xc00a, 0x430000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outb(s, 0xc008, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outb(s, 0xc008, 0xa0); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x1000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc007 0x2000 + * outw 0xc00b 0x0100 + * outw 0xc00c 0x43 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * EOF + */ +static void crash_1b42581317(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc007, 0x2000); + qtest_outw(s, 0xc00b, 0x0100); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc007 0x1500 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x4100 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x00 + * outw 0xc00b 0x1000 + * outw 0xc009 0x00 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0x0 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc007 0x00 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x1000 + * outl 0xc007 0x00 + * outw 0xc00b 0x4100 + * EOF + */ +static void crash_30e28cfa86(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc007, 0x1500); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outw(s, 0xc009, 0x00); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0x0); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc007, 0x00); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc007, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc008 0x42 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x00 + * outw 0xc00b 0x1000 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_34093bfc7c(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc008, 0x42); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc000 0x1 + * outb 0xc040 0x03 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outw 0xc007 0xa000 + * outl 0xc00a 0x410000 + * EOF + */ +static void crash_3a05434a1f(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc000, 0x1); + qtest_outb(s, 0xc040, 0x03); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outw(s, 0xc007, 0xa000); + qtest_outl(s, 0xc00a, 0x410000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc000 0x01 + * outb 0xc040 0x03 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0x4200 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0xc200 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * EOF + */ +static void crash_3ab5744bc3(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc000, 0x01); + qtest_outb(s, 0xc040, 0x03); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0x4200); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc00b 0x4100 + * outw 0xc00b 0xc200 + * outl 0xc03f 0x0300 + * EOF + */ +static void crash_530ff2e211(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc03f, 0x0300); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc03f 0x0300 + * outw 0xc00b 0x4300 + * outw 0xc000 0x01 + * outw 0xc009 0x00 + * outw 0xc00b 0x1000 + * outl 0xc00d 0x02000000 + * outw 0xc00c 0xc2 + * outw 0xc00b 0x4100 + * outl 0xc00b 0x1000 + * EOF + */ +static void crash_76ab101171(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outw(s, 0xc00b, 0x4300); + qtest_outw(s, 0xc000, 0x01); + qtest_outw(s, 0xc009, 0x00); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00d, 0x02000000); + qtest_outw(s, 0xc00c, 0xc2); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outl(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outw 0xc007 0x4000 + * outl 0xc03f 0x0300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0x00 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_7f743a0082(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outw(s, 0xc007, 0x4000); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outl 0xc03f 0x0300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0x00 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0x00 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_87744a2e67(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc00c 0x41 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * EOF + */ +static void crash_9f92a77bd6(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc008 0xa + * outw 0xc00b 0x4100 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x1000 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x4200 + * EOF + */ +static void crash_d94dc29565(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc008, 0xa); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x4200); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc00b 0x4100 + * outl 0xc00b 0x0300 + * inl 0xc00b + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x00 + * outl 0xc00a 0x410000 + * EOF + */ +static void crash_df5a21ccf3(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outl(s, 0xc00b, 0x0300); + qtest_inl(s, 0xc00b); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00a, 0x410000); + qtest_quit(s); +} static void test_cmdfifo_underflow_ok(void) { @@ -106,6 +1225,24 @@ int main(int argc, char **argv) g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0) { + qtest_add_func("fuzz/crash_0900379669", crash_0900379669); + qtest_add_func("fuzz/crash_094661a91b", crash_094661a91b); + qtest_add_func("fuzz/crash_0fff2155cb", crash_0fff2155cb); + qtest_add_func("fuzz/crash_1548bd10e7", crash_1548bd10e7); + qtest_add_func("fuzz/crash_1afe349482", crash_1afe349482); + qtest_add_func("fuzz/crash_1b42581317", crash_1b42581317); + qtest_add_func("fuzz/crash_30e28cfa86", crash_30e28cfa86); + qtest_add_func("fuzz/crash_34093bfc7c", crash_34093bfc7c); + qtest_add_func("fuzz/crash_3a05434a1f", crash_3a05434a1f); + qtest_add_func("fuzz/crash_3ab5744bc3", crash_3ab5744bc3); + qtest_add_func("fuzz/crash_530ff2e211", crash_530ff2e211); + qtest_add_func("fuzz/crash_76ab101171", crash_76ab101171); + qtest_add_func("fuzz/crash_7f743a0082", crash_7f743a0082); + qtest_add_func("fuzz/crash_87744a2e67", crash_87744a2e67); + qtest_add_func("fuzz/crash_9f92a77bd6", crash_9f92a77bd6); + qtest_add_func("fuzz/crash_d94dc29565", crash_d94dc29565); + qtest_add_func("fuzz/crash_dd24c44f80", crash_dd24c44f80); + qtest_add_func("fuzz/crash_df5a21ccf3", crash_df5a21ccf3); qtest_add_func("am53c974/test_cmdfifo_underflow_ok", test_cmdfifo_underflow_ok); qtest_add_func("am53c974/test_cmdfifo_overflow_ok", -- 2.28.0 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH] tests/qtest: add more tests for am53c974 device 2021-03-29 3:21 ` [Bug 1909247] [PATCH] tests/qtest: add more tests for am53c974 device Alexander Bulekov @ 2021-03-29 3:21 ` Alexander Bulekov 0 siblings, 0 replies; 22+ messages in thread From: Alexander Bulekov @ 2021-03-29 3:21 UTC (permalink / raw) To: qemu-devel; +Cc: Alexander Bulekov, Mark Cave-Ayland Add some more regression tests for the esp device. (Prasad's Patch) Based-on: <161657108250.32717.5311086901810004029.malone@soybean.canonical.com> (Mark's v2 Patchset) Based-on: <20210317230223.24854-1-mark.cave-ayland@ilande.co.uk> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> --- Hi Mark, Hopefully these are useful. I realized that my previous message was innacurate (I forgot to apply Prasad's patch, or your v2 patchset). The only corruptions that I am continuing to see are heap-overflows. I am guessing that most of these are due to some mututal root cause, so the number of tests far-exceeds the actual number of errors, but I am providing all of the crashes with unique-looking stack-traces, just in case. Please let me know if I can provide anything else that would help. -Alex tests/qtest/am53c974-test.c | 1137 +++++++++++++++++++++++++++++++++++ 1 file changed, 1137 insertions(+) diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c index c90bd4c187..cb2a5646a6 100644 --- a/tests/qtest/am53c974-test.c +++ b/tests/qtest/am53c974-test.c @@ -9,6 +9,1125 @@ #include "libqos/libqtest.h" +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outb 0xc008 0xa0 + * outl 0xc03f 0x0300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_0900379669(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outb(s, 0xc008, 0xa0); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc008 0x20 + * outw 0xc000 0x1 + * outb 0xc040 0x03 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outw 0xc00b 0x4200 + * outl 0xc00a 0x410000 + * EOF + */ +static void crash_094661a91b(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc008, 0x20); + qtest_outw(s, 0xc000, 0x1); + qtest_outb(s, 0xc040, 0x03); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outw(s, 0xc00b, 0x4200); + qtest_outl(s, 0xc00a, 0x410000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outl 0xc007 0x8000 + * outl 0xc03f 0x0300 + * outl 0xc00b 0x4300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_0fff2155cb(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outl(s, 0xc007, 0x8000); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0x4300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc00c 0x41 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outl 0xc006 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x0800 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc006 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x0800 + * outw 0xc00b 0x00 + * outw 0xc00b 0x4100 + * outw 0xc00a 0x00 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * EOF + */ +static void crash_1548bd10e7(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc006, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x0800); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc00a 0x420000 + * outl 0xc00a 0x430000 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x00 + * outb 0xc008 0x00 + * outw 0xc00b 0x00 + * outb 0xc008 0xa0 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00a 0x00 + * outw 0xc00b 0x00 + * outl 0xc00a 0x00 + * outl 0xc00a 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * outl 0xc00b 0x1000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_1afe349482(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00a, 0x420000); + qtest_outl(s, 0xc00a, 0x430000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outb(s, 0xc008, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outb(s, 0xc008, 0xa0); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x1000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc007 0x2000 + * outw 0xc00b 0x0100 + * outw 0xc00c 0x43 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * EOF + */ +static void crash_1b42581317(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc007, 0x2000); + qtest_outw(s, 0xc00b, 0x0100); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc007 0x1500 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x4100 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x00 + * outw 0xc00b 0x1000 + * outw 0xc009 0x00 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0x0 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc00b 0xc000 + * outl 0xc007 0x00 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x1000 + * outl 0xc007 0x00 + * outw 0xc00b 0x4100 + * EOF + */ +static void crash_30e28cfa86(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc007, 0x1500); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outw(s, 0xc009, 0x00); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0x0); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc00b, 0xc000); + qtest_outl(s, 0xc007, 0x00); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc007, 0x00); + qtest_outw(s, 0xc00b, 0x4100); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc008 0x42 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x00 + * outw 0xc00b 0x1000 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outl 0xc00b 0x0300 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_34093bfc7c(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc008, 0x42); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outl(s, 0xc00b, 0x0300); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc000 0x1 + * outb 0xc040 0x03 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outw 0xc007 0xa000 + * outl 0xc00a 0x410000 + * EOF + */ +static void crash_3a05434a1f(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc000, 0x1); + qtest_outb(s, 0xc040, 0x03); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outw(s, 0xc007, 0xa000); + qtest_outl(s, 0xc00a, 0x410000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc000 0x01 + * outb 0xc040 0x03 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0xc200 + * outl 0xc00b 0x4200 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0x4000 + * outl 0xc00b 0xc200 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outl 0xc00b 0x00 + * outw 0xc00b 0x00 + * EOF + */ +static void crash_3ab5744bc3(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc000, 0x01); + qtest_outb(s, 0xc040, 0x03); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0x4200); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0x4000); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc00b 0x4100 + * outw 0xc00b 0xc200 + * outl 0xc03f 0x0300 + * EOF + */ +static void crash_530ff2e211(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc03f, 0x0300); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outl 0xc03f 0x0300 + * outw 0xc00b 0x4300 + * outw 0xc000 0x01 + * outw 0xc009 0x00 + * outw 0xc00b 0x1000 + * outl 0xc00d 0x02000000 + * outw 0xc00c 0xc2 + * outw 0xc00b 0x4100 + * outl 0xc00b 0x1000 + * EOF + */ +static void crash_76ab101171(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outw(s, 0xc00b, 0x4300); + qtest_outw(s, 0xc000, 0x01); + qtest_outw(s, 0xc009, 0x00); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00d, 0x02000000); + qtest_outw(s, 0xc00c, 0xc2); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outl(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outw 0xc007 0x4000 + * outl 0xc03f 0x0300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0x00 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_7f743a0082(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outw(s, 0xc007, 0x4000); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc000 0x4 + * outl 0xc03f 0x0300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0x00 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outl 0xc00b 0x00 + * outl 0xc00b 0xc300 + * outl 0xc00b 0xc300 + * outw 0xc00b 0x9000 + * outw 0xc00b 0x1000 + * EOF + */ +static void crash_87744a2e67(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc000, 0x4); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outl(s, 0xc00b, 0xc300); + qtest_outw(s, 0xc00b, 0x9000); + qtest_outw(s, 0xc00b, 0x1000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc00c 0x41 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outl 0xc00a 0x00 + * outw 0xc00c 0x00 + * outw 0xc00b 0x00 + * outw 0xc00b 0x00 + * outw 0xc00c 0x00 + * outw 0xc00a 0x00 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x00 + * outw 0xc00c 0x43 + * outl 0xc00a 0x100000 + * outl 0xc00a 0x100000 + * EOF + */ +static void crash_9f92a77bd6(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00c, 0x41); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00c, 0x00); + qtest_outw(s, 0xc00a, 0x00); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x00); + qtest_outw(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00a, 0x100000); + qtest_outl(s, 0xc00a, 0x100000); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outb 0xc008 0xa + * outw 0xc00b 0x4100 + * outw 0xc00b 0x4100 + * outw 0xc00b 0x1000 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x0400 + * outl 0xc00b 0x4200 + * EOF + */ +static void crash_d94dc29565(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc008, 0xa); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outw(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x0400); + qtest_outl(s, 0xc00b, 0x4200); + qtest_quit(s); +} +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x01 + * outw 0xc00b 0x4100 + * outl 0xc00b 0x0300 + * inl 0xc00b + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x0800 + * outl 0xc00b 0x00 + * outl 0xc00a 0x410000 + * EOF + */ +static void crash_df5a21ccf3(void) +{ + QTestState *s = qtest_init( + "-display none -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 " + "-drive id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outw(s, 0xc00b, 0x4100); + qtest_outl(s, 0xc00b, 0x0300); + qtest_inl(s, 0xc00b); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x0800); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00a, 0x410000); + qtest_quit(s); +} static void test_cmdfifo_underflow_ok(void) { @@ -106,6 +1225,24 @@ int main(int argc, char **argv) g_test_init(&argc, &argv, NULL); if (strcmp(arch, "i386") == 0) { + qtest_add_func("fuzz/crash_0900379669", crash_0900379669); + qtest_add_func("fuzz/crash_094661a91b", crash_094661a91b); + qtest_add_func("fuzz/crash_0fff2155cb", crash_0fff2155cb); + qtest_add_func("fuzz/crash_1548bd10e7", crash_1548bd10e7); + qtest_add_func("fuzz/crash_1afe349482", crash_1afe349482); + qtest_add_func("fuzz/crash_1b42581317", crash_1b42581317); + qtest_add_func("fuzz/crash_30e28cfa86", crash_30e28cfa86); + qtest_add_func("fuzz/crash_34093bfc7c", crash_34093bfc7c); + qtest_add_func("fuzz/crash_3a05434a1f", crash_3a05434a1f); + qtest_add_func("fuzz/crash_3ab5744bc3", crash_3ab5744bc3); + qtest_add_func("fuzz/crash_530ff2e211", crash_530ff2e211); + qtest_add_func("fuzz/crash_76ab101171", crash_76ab101171); + qtest_add_func("fuzz/crash_7f743a0082", crash_7f743a0082); + qtest_add_func("fuzz/crash_87744a2e67", crash_87744a2e67); + qtest_add_func("fuzz/crash_9f92a77bd6", crash_9f92a77bd6); + qtest_add_func("fuzz/crash_d94dc29565", crash_d94dc29565); + qtest_add_func("fuzz/crash_dd24c44f80", crash_dd24c44f80); + qtest_add_func("fuzz/crash_df5a21ccf3", crash_df5a21ccf3); qtest_add_func("am53c974/test_cmdfifo_underflow_ok", test_cmdfifo_underflow_ok); qtest_add_func("am53c974/test_cmdfifo_overflow_ok", -- 2.28.0 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (11 preceding siblings ...) 2021-03-25 13:22 ` Mark Cave-Ayland @ 2021-04-01 8:15 ` Mark Cave-Ayland 2021-04-14 13:36 ` Mauro Matteo Cascella ` (2 subsequent siblings) 15 siblings, 0 replies; 22+ messages in thread From: Mark Cave-Ayland @ 2021-04-01 8:15 UTC (permalink / raw) To: qemu-devel Thanks again Alex. I've just posted a v3 to the list which fixes your extra test cases, and also those contained within the uaf and hw-esp-oob attachments: https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg00015.html -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: New Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (12 preceding siblings ...) 2021-04-01 8:15 ` [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mark Cave-Ayland @ 2021-04-14 13:36 ` Mauro Matteo Cascella 2021-04-14 14:09 ` Mauro Matteo Cascella 2021-04-30 9:00 ` Thomas Huth 15 siblings, 0 replies; 22+ messages in thread From: Mauro Matteo Cascella @ 2021-04-14 13:36 UTC (permalink / raw) To: qemu-devel This is fixed now, thank you Mark. Patchset v4: https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html Upstream commits: https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48 https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577c https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bb https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51 https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e721 https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2ed https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8 https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba ** Changed in: qemu Status: New => Fix Released -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: Fix Released Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (13 preceding siblings ...) 2021-04-14 13:36 ` Mauro Matteo Cascella @ 2021-04-14 14:09 ` Mauro Matteo Cascella 2021-04-30 9:00 ` Thomas Huth 15 siblings, 0 replies; 22+ messages in thread From: Mauro Matteo Cascella @ 2021-04-14 14:09 UTC (permalink / raw) To: qemu-devel ** Changed in: qemu Status: Fix Released => Fix Committed -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: Fix Committed Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
* [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella ` (14 preceding siblings ...) 2021-04-14 14:09 ` Mauro Matteo Cascella @ 2021-04-30 9:00 ` Thomas Huth 15 siblings, 0 replies; 22+ messages in thread From: Thomas Huth @ 2021-04-30 9:00 UTC (permalink / raw) To: qemu-devel ** Changed in: qemu Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1909247 Title: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Status in QEMU: Fix Released Bug description: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU. It could occur in the esp_do_dma() function in hw/scsi/esp.c while handling the 'Information Transfer' command (CMD_TI). A privileged guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. This issue was reported by Cheolwoo Myung (Seoul National University). Original report: Using hypervisor fuzzer, hyfuzz, I found a use-after-free issue in am53c974 emulator of QEMU enabled ASan. It occurs while transferring information, as it does not check the buffer to be transferred. A malicious guest user/process could use this flaw to crash the QEMU process resulting in DoS scenario. To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ -device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ -drive id=SysDisk,if=none,file=./disk.img Please find attached the disk images to reproduce this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1909247/+subscriptions ^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2021-04-30 9:24 UTC | newest] Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-12-24 17:02 [Bug 1909247] [NEW] QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mauro Matteo Cascella 2020-12-24 17:09 ` [Bug 1909247] " Mauro Matteo Cascella 2021-01-15 16:16 ` Peter Maydell 2021-03-15 3:01 ` Alexander Bulekov 2021-03-15 12:11 ` Mauro Matteo Cascella 2021-03-15 13:50 ` Mauro Matteo Cascella 2021-03-15 14:02 ` Mauro Matteo Cascella 2021-03-15 14:19 ` Alexander Bulekov 2021-03-17 7:43 ` Mark Cave-Ayland 2021-03-24 7:31 ` P J P 2021-03-24 8:09 ` Mark Cave-Ayland 2021-03-24 9:51 ` Mauro Matteo Cascella 2021-03-24 15:53 ` Alexander Bulekov 2021-03-24 17:28 ` Philippe Mathieu-Daudé 2021-03-24 17:28 ` Philippe Mathieu-Daudé 2021-03-25 13:22 ` Mark Cave-Ayland 2021-03-29 3:21 ` [Bug 1909247] [PATCH] tests/qtest: add more tests for am53c974 device Alexander Bulekov 2021-03-29 3:21 ` Alexander Bulekov 2021-04-01 8:15 ` [Bug 1909247] Re: QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c Mark Cave-Ayland 2021-04-14 13:36 ` Mauro Matteo Cascella 2021-04-14 14:09 ` Mauro Matteo Cascella 2021-04-30 9:00 ` Thomas Huth
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).