[Bug 1878259] [NEW] Null-pointer dereference in megasas_handle

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1878259] [NEW] Null-pointer dereference in megasas_handle_frame

From:	Alexander Bulekov
Subject:	[Bug 1878259] [NEW] Null-pointer dereference in megasas_handle_frame
Date:	Tue, 12 May 2020 18:31:17 -0000

Public bug reported:

Hello,
While fuzzing, I found an input that triggers a null-pointer dereference in 
megasas_handle_frame:

==1595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x55e3e83e6e08 bp 0x7ffdb04c63b0 sp 0x7ffd
==1595==The signal is caused by a READ memory access.
==1595==Hint: address points to the zero page.
    #0 0x55e3e83e6e08 in megasas_handle_frame 
/home/alxndr/Development/qemu/hw/scsi/megasas.c:1952:36
    #1 0x55e3e83e6e08 in megasas_mmio_write 
/home/alxndr/Development/qemu/hw/scsi/megasas.c:2122:9
    #2 0x55e3e7d088d6 in memory_region_write_accessor 
/home/alxndr/Development/qemu/memory.c:483:5
    #3 0x55e3e7d0827f in access_with_adjusted_size 
/home/alxndr/Development/qemu/memory.c:544:18
    #4 0x55e3e7d0827f in memory_region_dispatch_write 
/home/alxndr/Development/qemu/memory.c:1476:16
    #5 0x55e3e7c1d1d3 in flatview_write_continue 
/home/alxndr/Development/qemu/exec.c:3137:23
    #6 0x55e3e7c15b97 in flatview_write 
/home/alxndr/Development/qemu/exec.c:3177:14
    #7 0x55e3e7c15b97 in address_space_write 
/home/alxndr/Development/qemu/exec.c:3268:18
    #8 0x55e3e7d03bc4 in qtest_process_command 
/home/alxndr/Development/qemu/qtest.c:567:9
    #9 0x55e3e7cfe74d in qtest_process_inbuf 
/home/alxndr/Development/qemu/qtest.c:710:9
    #10 0x55e3e8804cad in fd_chr_read 
/home/alxndr/Development/qemu/chardev/char-fd.c:68:9
    #11 0x7f602ef2a897 in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
    #12 0x55e3e8948384 in glib_pollfds_poll 
/home/alxndr/Development/qemu/util/main-loop.c:219:9
    #13 0x55e3e8948384 in os_host_main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:242:5
    #14 0x55e3e8948384 in main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:518:11
    #15 0x55e3e7f27676 in qemu_main_loop 
/home/alxndr/Development/qemu/softmmu/vl.c:1664:9
    #16 0x55e3e8851c6a in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
    #17 0x7f602dadae0a in __libc_start_main 
/build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
    #18 0x55e3e7b5c7b9 in _start 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x9027b9)

I can reproduce it in qemu 5.0 using:

cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -qtest 
stdio -nographic -monitor none -serial none -M q35 -device megasas
outl 0xcf8 0x80001814
outl 0xcfc 0xc021
outl 0xcf8 0x80001818
outl 0xcf8 0x80001804
outw 0xcfc 0x7
outl 0xcf8 0x80001810
outl 0xcfc 0xe10c0000
outl 0xcf8 0x8000f810
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe10c4000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fb20
write 0xe10c4384 0x15 0x838383838383838383838383838383838383838383
write 0xc021e10c00c0 0x4 0x082c04dd
EOF

I also attached the commands to this launchpad report, in case the
formatting is broken:

qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M
q35 -device megasas < attachment

Please let me know if I can provide any further info.
-Alex

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "attachment"
   https://bugs.launchpad.net/bugs/1878259/+attachment/5370500/+files/attachment

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878259

Title:
  Null-pointer dereference in megasas_handle_frame

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input that triggers a null-pointer dereference in 
megasas_handle_frame:

  ==1595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x55e3e83e6e08 bp 0x7ffdb04c63b0 sp 0x7ffd
  ==1595==The signal is caused by a READ memory access.
  ==1595==Hint: address points to the zero page.
      #0 0x55e3e83e6e08 in megasas_handle_frame 
/home/alxndr/Development/qemu/hw/scsi/megasas.c:1952:36
      #1 0x55e3e83e6e08 in megasas_mmio_write 
/home/alxndr/Development/qemu/hw/scsi/megasas.c:2122:9
      #2 0x55e3e7d088d6 in memory_region_write_accessor 
/home/alxndr/Development/qemu/memory.c:483:5
      #3 0x55e3e7d0827f in access_with_adjusted_size 
/home/alxndr/Development/qemu/memory.c:544:18
      #4 0x55e3e7d0827f in memory_region_dispatch_write 
/home/alxndr/Development/qemu/memory.c:1476:16
      #5 0x55e3e7c1d1d3 in flatview_write_continue 
/home/alxndr/Development/qemu/exec.c:3137:23
      #6 0x55e3e7c15b97 in flatview_write 
/home/alxndr/Development/qemu/exec.c:3177:14
      #7 0x55e3e7c15b97 in address_space_write 
/home/alxndr/Development/qemu/exec.c:3268:18
      #8 0x55e3e7d03bc4 in qtest_process_command 
/home/alxndr/Development/qemu/qtest.c:567:9
      #9 0x55e3e7cfe74d in qtest_process_inbuf 
/home/alxndr/Development/qemu/qtest.c:710:9
      #10 0x55e3e8804cad in fd_chr_read 
/home/alxndr/Development/qemu/chardev/char-fd.c:68:9
      #11 0x7f602ef2a897 in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
      #12 0x55e3e8948384 in glib_pollfds_poll 
/home/alxndr/Development/qemu/util/main-loop.c:219:9
      #13 0x55e3e8948384 in os_host_main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:242:5
      #14 0x55e3e8948384 in main_loop_wait 
/home/alxndr/Development/qemu/util/main-loop.c:518:11
      #15 0x55e3e7f27676 in qemu_main_loop 
/home/alxndr/Development/qemu/softmmu/vl.c:1664:9
      #16 0x55e3e8851c6a in main 
/home/alxndr/Development/qemu/softmmu/main.c:49:5
      #17 0x7f602dadae0a in __libc_start_main 
/build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
      #18 0x55e3e7b5c7b9 in _start 
(/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0x9027b9)

  I can reproduce it in qemu 5.0 using:

  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -qtest 
stdio -nographic -monitor none -serial none -M q35 -device megasas
  outl 0xcf8 0x80001814
  outl 0xcfc 0xc021
  outl 0xcf8 0x80001818
  outl 0xcf8 0x80001804
  outw 0xcfc 0x7
  outl 0xcf8 0x80001810
  outl 0xcfc 0xe10c0000
  outl 0xcf8 0x8000f810
  outl 0xcf8 0x8000fa24
  outl 0xcfc 0xe10c4000
  outl 0xcf8 0x8000fa04
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fb20
  write 0xe10c4384 0x15 0x838383838383838383838383838383838383838383
  write 0xc021e10c00c0 0x4 0x082c04dd
  EOF

  I also attached the commands to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M
  q35 -device megasas < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878259/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1878259] [NEW] Null-pointer dereference in megasas_handle_frame, Alexander Bulekov <=
- [Bug 1878259] Re: Null-pointer dereference in megasas_handle_frame, P J P, 2020/05/28

Prev by Date: Re: [PATCH v8 74/74] cputlb: queue async flush jobs without the BQL
Next by Date: Re: Infinite loop in bus_unparent(), qdev bug or qdev misuse?
Previous by thread: [Bug 1878255] [NEW] Assertion failure in bdrv_aio_cancel, through ide
Next by thread: [Bug 1878259] Re: Null-pointer dereference in megasas_handle_frame
Index(es):
- Date
- Thread