diff for duplicates of <CAFEAcA-qrpXJtzW=tigyAqQuYFNCBMQK_CZFx6zYkcJa+RuZuw@mail.gmail.com>
diff --git a/a/1.txt b/N1/1.txt
index abfebf9..b2b6bc5 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -21,4 +21,156 @@ all of that DMA to a bottom-half, but that's a lot of
refactoring of a lot of device code...
thanks
--- PMM
\ No newline at end of file
+-- PMM
+
+--
+You received this bug notification because you are a member of qemu-
+devel-ml, which is subscribed to QEMU.
+https://bugs.launchpad.net/bugs/1886362
+
+Title:
+ Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers
+
+Status in QEMU:
+ New
+
+Bug description:
+ Hello,
+ This reproducer causes a heap-use-after free. QEMU Built with --enable-sanitizers:
+ cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest \
+ -qtest stdio -nographic -monitor none -serial none
+ outl 0xcf8 0x80001010
+ outl 0xcfc 0xe1020000
+ outl 0xcf8 0x80001014
+ outl 0xcf8 0x80001004
+ outw 0xcfc 0x7
+ outl 0xcf8 0x800010a2
+ write 0xe102003b 0x1 0xff
+ write 0xe1020103 0x1e 0xffffff055c5e5c30be4511d084ffffffffffffffffffffffffffffffffff
+ write 0xe1020420 0x4 0xffffffff
+ write 0xe1020424 0x4 0xffffffff
+ write 0xe102042b 0x1 0xff
+ write 0xe1020430 0x4 0x055c5e5c
+ write 0x5c041 0x1 0x04
+ write 0x5c042 0x1 0x02
+ write 0x5c043 0x1 0xe1
+ write 0x5c048 0x1 0x8a
+ write 0x5c04a 0x1 0x31
+ write 0x5c04b 0x1 0xff
+ write 0xe1020403 0x1 0xff
+ EOF
+
+ The Output:
+ ==22689==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500026800e at pc 0x55b93bb18bfa bp 0x7fffdbe844f0 sp 0x7fffdbe83cb8
+ READ of size 2 at 0x62500026800e thread T0
+ #0 in __asan_memcpy (/build/i386-softmmu/qemu-system-i386+)
+ #1 in lduw_he_p /include/qemu/bswap.h:332:5
+ #2 in ldn_he_p /include/qemu/bswap.h:550:1
+ #3 in flatview_write_continue /exec.c:3145:19
+ #4 in flatview_write /exec.c:3186:14
+ #5 in address_space_write /exec.c:3280:18
+ #6 in address_space_rw /exec.c:3290:16
+ #7 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18
+ #8 in dma_memory_rw /include/sysemu/dma.h:113:12
+ #9 in pci_dma_rw /include/hw/pci/pci.h:789:5
+ #10 in pci_dma_write /include/hw/pci/pci.h:802:12
+ #11 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9
+ #12 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21
+ #13 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9
+ #14 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12
+ #15 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9
+ #16 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9
+ #17 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11
+ #18 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16
+ #19 in e1000e_process_tx_desc /hw/net/e1000e_core.c:743:17
+ #20 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9
+ #21 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9
+ #22 in e1000e_core_write /hw/net/e1000e_core.c:3265:9
+ #23 in e1000e_mmio_write /hw/net/e1000e.c:109:5
+ #24 in memory_region_write_accessor /memory.c:483:5
+ #25 in access_with_adjusted_size /memory.c:544:18
+ #26 in memory_region_dispatch_write /memory.c:1476:16
+ #27 in flatview_write_continue /exec.c:3146:23
+ #28 in flatview_write /exec.c:3186:14
+ #29 in address_space_write /exec.c:3280:18
+ #30 in qtest_process_command /qtest.c:567:9
+ #31 in qtest_process_inbuf /qtest.c:710:9
+ #32 in qtest_read /qtest.c:722:5
+ #33 in qemu_chr_be_write_impl /chardev/char.c:188:9
+ #34 in qemu_chr_be_write /chardev/char.c:200:9
+ #35 in fd_chr_read /chardev/char-fd.c:68:9
+ #36 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12
+ #37 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)
+ #38 in glib_pollfds_poll /util/main-loop.c:219:9
+ #39 in os_host_main_loop_wait /util/main-loop.c:242:5
+ #40 in main_loop_wait /util/main-loop.c:518:11
+ #41 in qemu_main_loop /softmmu/vl.c:1664:9
+ #42 in main /softmmu/main.c:52:5
+ #43 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+)
+ #44 in _start (/build/i386-softmmu/qemu-system-i386+)
+
+ 0x62500026800e is located 14 bytes inside of 138-byte region [0x625000268000,0x62500026808a)
+ freed by thread T0 here:
+ #0 in free (/build/i386-softmmu/qemu-system-i386+)
+ #1 in qemu_vfree /util/oslib-posix.c:238:5
+ #2 in address_space_unmap /exec.c:3616:5
+ #3 in dma_memory_unmap /include/sysemu/dma.h:148:5
+ #4 in pci_dma_unmap /include/hw/pci/pci.h:839:5
+ #5 in net_tx_pkt_reset /hw/net/net_tx_pkt.c:453:9
+ #6 in e1000e_process_tx_desc /hw/net/e1000e_core.c:749:9
+ #7 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9
+ #8 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9
+ #9 in e1000e_core_write /hw/net/e1000e_core.c:3265:9
+ #10 in e1000e_mmio_write /hw/net/e1000e.c:109:5
+ #11 in memory_region_write_accessor /memory.c:483:5
+ #12 in access_with_adjusted_size /memory.c:544:18
+ #13 in memory_region_dispatch_write /memory.c:1476:16
+ #14 in flatview_write_continue /exec.c:3146:23
+ #15 in flatview_write /exec.c:3186:14
+ #16 in address_space_write /exec.c:3280:18
+ #17 in address_space_rw /exec.c:3290:16
+ #18 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18
+ #19 in dma_memory_rw /include/sysemu/dma.h:113:12
+ #20 in pci_dma_rw /include/hw/pci/pci.h:789:5
+ #21 in pci_dma_write /include/hw/pci/pci.h:802:12
+ #22 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9
+ #23 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21
+ #24 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9
+ #25 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12
+ #26 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9
+ #27 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9
+ #28 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11
+ #29 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16
+
+ previously allocated by thread T0 here:
+ #0 in posix_memalign (/build/i386-softmmu/qemu-system-i386+)
+ #1 in qemu_try_memalign /util/oslib-posix.c:198:11
+ #2 in qemu_memalign /util/oslib-posix.c:214:27
+ #3 in address_space_map /exec.c:3558:25
+ #4 in dma_memory_map /include/sysemu/dma.h:138:9
+ #5 in pci_dma_map /include/hw/pci/pci.h:832:11
+ #6 in net_tx_pkt_add_raw_fragment /hw/net/net_tx_pkt.c:391:24
+ #7 in e1000e_process_tx_desc /hw/net/e1000e_core.c:731:14
+ #8 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9
+ #9 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9
+ #10 in e1000e_core_write /hw/net/e1000e_core.c:3265:9
+ #11 in e1000e_mmio_write /hw/net/e1000e.c:109:5
+ #12 in memory_region_write_accessor /memory.c:483:5
+ #13 in access_with_adjusted_size /memory.c:544:18
+ #14 in memory_region_dispatch_write /memory.c:1476:16
+ #15 in flatview_write_continue /exec.c:3146:23
+ #16 in flatview_write /exec.c:3186:14
+ #17 in address_space_write /exec.c:3280:18
+ #18 in qtest_process_command /qtest.c:567:9
+ #19 in qtest_process_inbuf /qtest.c:710:9
+ #20 in qtest_read /qtest.c:722:5
+ #21 in qemu_chr_be_write_impl /chardev/char.c:188:9
+ #22 in qemu_chr_be_write /chardev/char.c:200:9
+ #23 in fd_chr_read /chardev/char-fd.c:68:9
+ #24 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12
+ #25 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)
+
+ -Alex
+
+To manage notifications about this bug go to:
+https://bugs.launchpad.net/qemu/+bug/1886362/+subscriptions
\ No newline at end of file
diff --git a/a/content_digest b/N1/content_digest
index 84f81a3..7e2188a 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,41 +1,20 @@
[
"ref\000159400349818.1851.7243060688419202620.malonedeb\@wampee.canonical.com\0"
]
-[
- "ref\0CAKXe6S+J3nARveToQjECbwV224gs66WkqGHybUhfw35t1+V8og\@mail.gmail.com\0"
-]
-[
- "ref\0002cbdf822-c74c-1af9-e5e6-7dd71412201e\@redhat.com\0"
-]
-[
- "ref\0CAKXe6S+ct7D+ibGmrAMJnqKBBKyUpwVnCem8=d=jB-0tUT-N2Q\@mail.gmail.com\0"
-]
-[
- "ref\0e4a34525-dbd1-1f85-475b-b5004885215b\@redhat.com\0"
-]
-[
- "ref\0CAKXe6SJb=1YLLGF+TP1fMd95k_WzZd73JeUJv5Sn4EE4m2zP4w\@mail.gmail.com\0"
-]
[
"ref\0f19f605c-9468-e7eb-f255-60766df2a50c\@redhat.com\0"
]
[
- "From\0Peter Maydell <peter.maydell\@linaro.org>\0"
+ "From\0Peter Maydell <1886362\@bugs.launchpad.net>\0"
]
[
"Subject\0Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers\0"
]
[
- "Date\0Tue, 21 Jul 2020 13:31:57 +0100\0"
+ "Date\0Tue, 21 Jul 2020 12:31:57 -0000\0"
]
[
- "To\0Jason Wang <jasowang\@redhat.com>\0"
-]
-[
- "Cc\0Paolo Bonzini <pbonzini\@redhat.com>",
- " Bug 1886362 <1886362\@bugs.launchpad.net>",
- " Li Qiang <liq3ea\@gmail.com>",
- " Qemu Developers <qemu-devel\@nongnu.org>\0"
+ "To\0qemu-devel\@nongnu.org\0"
]
[
"\0000:1\0"
@@ -67,7 +46,159 @@
"refactoring of a lot of device code...\n",
"\n",
"thanks\n",
- "-- PMM"
+ "-- PMM\n",
+ "\n",
+ "-- \n",
+ "You received this bug notification because you are a member of qemu-\n",
+ "devel-ml, which is subscribed to QEMU.\n",
+ "https://bugs.launchpad.net/bugs/1886362\n",
+ "\n",
+ "Title:\n",
+ " Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers\n",
+ "\n",
+ "Status in QEMU:\n",
+ " New\n",
+ "\n",
+ "Bug description:\n",
+ " Hello,\n",
+ " This reproducer causes a heap-use-after free. QEMU Built with --enable-sanitizers:\n",
+ " cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest \\\n",
+ " -qtest stdio -nographic -monitor none -serial none\n",
+ " outl 0xcf8 0x80001010\n",
+ " outl 0xcfc 0xe1020000\n",
+ " outl 0xcf8 0x80001014\n",
+ " outl 0xcf8 0x80001004\n",
+ " outw 0xcfc 0x7\n",
+ " outl 0xcf8 0x800010a2\n",
+ " write 0xe102003b 0x1 0xff\n",
+ " write 0xe1020103 0x1e 0xffffff055c5e5c30be4511d084ffffffffffffffffffffffffffffffffff\n",
+ " write 0xe1020420 0x4 0xffffffff\n",
+ " write 0xe1020424 0x4 0xffffffff\n",
+ " write 0xe102042b 0x1 0xff\n",
+ " write 0xe1020430 0x4 0x055c5e5c\n",
+ " write 0x5c041 0x1 0x04\n",
+ " write 0x5c042 0x1 0x02\n",
+ " write 0x5c043 0x1 0xe1\n",
+ " write 0x5c048 0x1 0x8a\n",
+ " write 0x5c04a 0x1 0x31\n",
+ " write 0x5c04b 0x1 0xff\n",
+ " write 0xe1020403 0x1 0xff\n",
+ " EOF\n",
+ "\n",
+ " The Output:\n",
+ " ==22689==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500026800e at pc 0x55b93bb18bfa bp 0x7fffdbe844f0 sp 0x7fffdbe83cb8\n",
+ " READ of size 2 at 0x62500026800e thread T0\n",
+ " #0 in __asan_memcpy (/build/i386-softmmu/qemu-system-i386+)\n",
+ " #1 in lduw_he_p /include/qemu/bswap.h:332:5\n",
+ " #2 in ldn_he_p /include/qemu/bswap.h:550:1\n",
+ " #3 in flatview_write_continue /exec.c:3145:19\n",
+ " #4 in flatview_write /exec.c:3186:14\n",
+ " #5 in address_space_write /exec.c:3280:18\n",
+ " #6 in address_space_rw /exec.c:3290:16\n",
+ " #7 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18\n",
+ " #8 in dma_memory_rw /include/sysemu/dma.h:113:12\n",
+ " #9 in pci_dma_rw /include/hw/pci/pci.h:789:5\n",
+ " #10 in pci_dma_write /include/hw/pci/pci.h:802:12\n",
+ " #11 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9\n",
+ " #12 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21\n",
+ " #13 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9\n",
+ " #14 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12\n",
+ " #15 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9\n",
+ " #16 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9\n",
+ " #17 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11\n",
+ " #18 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16\n",
+ " #19 in e1000e_process_tx_desc /hw/net/e1000e_core.c:743:17\n",
+ " #20 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9\n",
+ " #21 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9\n",
+ " #22 in e1000e_core_write /hw/net/e1000e_core.c:3265:9\n",
+ " #23 in e1000e_mmio_write /hw/net/e1000e.c:109:5\n",
+ " #24 in memory_region_write_accessor /memory.c:483:5\n",
+ " #25 in access_with_adjusted_size /memory.c:544:18\n",
+ " #26 in memory_region_dispatch_write /memory.c:1476:16\n",
+ " #27 in flatview_write_continue /exec.c:3146:23\n",
+ " #28 in flatview_write /exec.c:3186:14\n",
+ " #29 in address_space_write /exec.c:3280:18\n",
+ " #30 in qtest_process_command /qtest.c:567:9\n",
+ " #31 in qtest_process_inbuf /qtest.c:710:9\n",
+ " #32 in qtest_read /qtest.c:722:5\n",
+ " #33 in qemu_chr_be_write_impl /chardev/char.c:188:9\n",
+ " #34 in qemu_chr_be_write /chardev/char.c:200:9\n",
+ " #35 in fd_chr_read /chardev/char-fd.c:68:9\n",
+ " #36 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12\n",
+ " #37 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)\n",
+ " #38 in glib_pollfds_poll /util/main-loop.c:219:9\n",
+ " #39 in os_host_main_loop_wait /util/main-loop.c:242:5\n",
+ " #40 in main_loop_wait /util/main-loop.c:518:11\n",
+ " #41 in qemu_main_loop /softmmu/vl.c:1664:9\n",
+ " #42 in main /softmmu/main.c:52:5\n",
+ " #43 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+)\n",
+ " #44 in _start (/build/i386-softmmu/qemu-system-i386+)\n",
+ "\n",
+ " 0x62500026800e is located 14 bytes inside of 138-byte region [0x625000268000,0x62500026808a)\n",
+ " freed by thread T0 here:\n",
+ " #0 in free (/build/i386-softmmu/qemu-system-i386+)\n",
+ " #1 in qemu_vfree /util/oslib-posix.c:238:5\n",
+ " #2 in address_space_unmap /exec.c:3616:5\n",
+ " #3 in dma_memory_unmap /include/sysemu/dma.h:148:5\n",
+ " #4 in pci_dma_unmap /include/hw/pci/pci.h:839:5\n",
+ " #5 in net_tx_pkt_reset /hw/net/net_tx_pkt.c:453:9\n",
+ " #6 in e1000e_process_tx_desc /hw/net/e1000e_core.c:749:9\n",
+ " #7 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9\n",
+ " #8 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9\n",
+ " #9 in e1000e_core_write /hw/net/e1000e_core.c:3265:9\n",
+ " #10 in e1000e_mmio_write /hw/net/e1000e.c:109:5\n",
+ " #11 in memory_region_write_accessor /memory.c:483:5\n",
+ " #12 in access_with_adjusted_size /memory.c:544:18\n",
+ " #13 in memory_region_dispatch_write /memory.c:1476:16\n",
+ " #14 in flatview_write_continue /exec.c:3146:23\n",
+ " #15 in flatview_write /exec.c:3186:14\n",
+ " #16 in address_space_write /exec.c:3280:18\n",
+ " #17 in address_space_rw /exec.c:3290:16\n",
+ " #18 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18\n",
+ " #19 in dma_memory_rw /include/sysemu/dma.h:113:12\n",
+ " #20 in pci_dma_rw /include/hw/pci/pci.h:789:5\n",
+ " #21 in pci_dma_write /include/hw/pci/pci.h:802:12\n",
+ " #22 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9\n",
+ " #23 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21\n",
+ " #24 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9\n",
+ " #25 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12\n",
+ " #26 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9\n",
+ " #27 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9\n",
+ " #28 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11\n",
+ " #29 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16\n",
+ "\n",
+ " previously allocated by thread T0 here:\n",
+ " #0 in posix_memalign (/build/i386-softmmu/qemu-system-i386+)\n",
+ " #1 in qemu_try_memalign /util/oslib-posix.c:198:11\n",
+ " #2 in qemu_memalign /util/oslib-posix.c:214:27\n",
+ " #3 in address_space_map /exec.c:3558:25\n",
+ " #4 in dma_memory_map /include/sysemu/dma.h:138:9\n",
+ " #5 in pci_dma_map /include/hw/pci/pci.h:832:11\n",
+ " #6 in net_tx_pkt_add_raw_fragment /hw/net/net_tx_pkt.c:391:24\n",
+ " #7 in e1000e_process_tx_desc /hw/net/e1000e_core.c:731:14\n",
+ " #8 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9\n",
+ " #9 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9\n",
+ " #10 in e1000e_core_write /hw/net/e1000e_core.c:3265:9\n",
+ " #11 in e1000e_mmio_write /hw/net/e1000e.c:109:5\n",
+ " #12 in memory_region_write_accessor /memory.c:483:5\n",
+ " #13 in access_with_adjusted_size /memory.c:544:18\n",
+ " #14 in memory_region_dispatch_write /memory.c:1476:16\n",
+ " #15 in flatview_write_continue /exec.c:3146:23\n",
+ " #16 in flatview_write /exec.c:3186:14\n",
+ " #17 in address_space_write /exec.c:3280:18\n",
+ " #18 in qtest_process_command /qtest.c:567:9\n",
+ " #19 in qtest_process_inbuf /qtest.c:710:9\n",
+ " #20 in qtest_read /qtest.c:722:5\n",
+ " #21 in qemu_chr_be_write_impl /chardev/char.c:188:9\n",
+ " #22 in qemu_chr_be_write /chardev/char.c:200:9\n",
+ " #23 in fd_chr_read /chardev/char-fd.c:68:9\n",
+ " #24 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12\n",
+ " #25 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)\n",
+ "\n",
+ " -Alex\n",
+ "\n",
+ "To manage notifications about this bug go to:\n",
+ "https://bugs.launchpad.net/qemu/+bug/1886362/+subscriptions"
]
-1430172931dc9c65e5f2e77b486a588bc64b619d36cc748d389461362ea51a4e
+75e2f90eb58752ca77443706e4ff32489db8d9441da48fdd1ce76b4487c3bbc0
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).