qemu-devel

From: Alexander Bulekov
Subject: Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409
Date: Mon, 15 Feb 2021 20:27:34 -0500

On 210216 0855, Bin Meng wrote:
> Hi Alex,
> 
> On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov <alxndr@bu.edu> wrote:
> >
> > Hi Bin,
> > Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> > one thing:
> 
> Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

Yes, we have some documentation in docs/devel/fuzzing.rst, but it
doesn't talk about using the OSS-Fuzz corpus.  The OSS-Fuzz corpus is
private, by default, but I uploaded a copy of the current sdhci corpus
here:
https://drive.google.com/file/d/1PcwFbY9YXPdaJ3aapIV2BI-bN5mbBgif/view?usp=sharing

To build the fuzzer, you need clang:

build the fuzzers
$ CC=clang CXX=clang++ ../configure --enable-fuzzing --enable-sanitizers \
--disable-werror
$ ninja -j`nproc` qemu-fuzz-i386

untar the corpus somewhere (~300 MB uncompressed)
$ tar -xvf sdhci-corpus.tar.gz

run through all the inputs once
$ ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-sdhci-v3 \
  ~/path/to/corpus/qemu_qemu-fuzz-i386-target-generic-fuzz-sdhci-v3/* &> out

That will take some minutes, but you can look at the out file and search
for "ERROR" to find crashing inputs. 

-Alex
> 
> > Maybe this is already much better than the current state of the code, so
> > this one can be fixed in a later patch?
> 
> Depends on when Philippe can pick up this series, but I can also try to
> have a quick look :)
> 
> >
> > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> > -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> > -device sd-card,drive=mydrive \
> > -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> > -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xe0000000
> > outl 0xcf8 0x80001001
> > outl 0xcfc 0x06000000
> > write 0xe000002c 0x1 0x05
> > write 0xe0000005 0x1 0x02
> > write 0xe0000007 0x1 0x01
> > write 0xe0000028 0x1 0x10
> > write 0x0 0x1 0x23
> > write 0x2 0x1 0x08
> > write 0xe000000c 0x1 0x01
> > write 0xe000000e 0x1 0x20
> > write 0xe000000f 0x1 0x00
> > write 0xe000000c 0x1 0x32
> > write 0xe0000004 0x2 0x0200
> > write 0xe0000028 0x1 0x00
> > write 0xe0000003 0x1 0x40
> > EOF
> >
> >
> > ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> > READ of size 4 at 0x615000031880 thread T0
> > #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
> > #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
> > #2 0x55d070f2c6d8 in flatview_write_continue 
> > build/../softmmu/physmem.c:2775:19
> > #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> > #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> > #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> > #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
> > #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
> > #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks 
> > build/../hw/sd/sdhci.c:619:13
> > #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
> > #10 0x55d07123b1ac in memory_region_write_accessor 
> > build/../softmmu/memory.c:491:5
> > #11 0x55d07123acab in access_with_adjusted_size 
> > build/../softmmu/memory.c:552:18
> > #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
> > #13 0x55d070f2c29b in flatview_write_continue 
> > build/../softmmu/physmem.c:2776:23
> > #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> > #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> 
> Regards,
> Bin
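Grepping the `out` file for "ERROR" finds the crashing runs; the next step is usually to pull out, per report, the bug class, the faulting access and the first frame under hw/ so the crash can be attributed to a device model rather than to the generic memory API frames above it. The script below is an added example, not code from this thread or from the QEMU tree. It assumes the AddressSanitizer report layout quoted above (an `==PID==ERROR: AddressSanitizer: <kind>` line, a `READ/WRITE of size N at ADDR` line, then `#i 0xPC in func file:line:col` frames) and that libFuzzer announces each replayed input with a `Running: <path>` line before it. Frames that a mail client wrapped onto two lines, as in the quoted report, are re-joined, so the quoted text can be pasted in as-is. The sample input is constructed from the report quoted above (first ten frames) with a placeholder input path.

```python
"""Triage the `out` file left by replaying a corpus through qemu-fuzz-i386.
Added example, not QEMU code: parses the AddressSanitizer report format
quoted in the thread, re-joins frames that mail wrapping split, and maps
each report to libFuzzer's preceding "Running: <path>" line (assumed)."""
import re
from dataclasses import dataclass, field

ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<func>\S+)(?:\s+(?P<loc>\S+))?$")
LOC_RE = re.compile(r"^\S+\.(?:c|h|cc|cpp|inc)(?::\d+){0,2}$")  # file[:line[:col]] alone on a line
RUNNING_RE = re.compile(r"^Running: (?P<path>\S.*)$")


@dataclass
class Frame:
    idx: int
    func: str
    loc: str = ""  # file:line:col; filled from the next line when mail-wrapped


@dataclass
class Report:
    pid: int
    kind: str
    addr: str = ""
    op: str = ""
    size: int = 0
    input_path: str = ""
    frames: list = field(default_factory=list)
    collecting: bool = True  # still inside the first (faulting) stack trace

    def device_frame(self):
        """First frame under hw/: the device model rather than the generic memory API."""
        return next((f for f in self.frames if "/hw/" in f.loc or f.loc.startswith("hw/")), None)

    def summary(self):
        f = self.device_frame()
        where = f"{f.func} ({f.loc})" if f else "<no hw/ frame>"
        return f"{self.kind} {self.op} size {self.size} at {self.addr} in {where}"


def parse_asan_reports(text):
    reports, cur, pending, last_input = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUNNING_RE.match(line):
            last_input = m["path"]  # libFuzzer names each replayed input (assumed format)
            continue
        if m := ERROR_RE.match(line):
            cur = Report(int(m["pid"]), m["kind"], m["addr"] or "", input_path=last_input)
            reports.append(cur)
            pending = None
            continue
        if cur is None or not cur.collecting:
            continue
        if m := ACCESS_RE.match(line):
            cur.op, cur.size = m["op"], int(m["size"])
            cur.addr = cur.addr or m["addr"]  # address may have wrapped off the ERROR line
            continue
        if m := FRAME_RE.match(line):
            fr = Frame(int(m["idx"]), m["func"], m["loc"] or "")
            cur.frames.append(fr)
            pending = None if fr.loc else fr
            continue
        if pending is not None and LOC_RE.match(line):
            pending.loc, pending = line, None  # continuation of a wrapped frame
            continue
        if cur.frames:
            cur.collecting = False  # shadow bytes / allocation stack: stop collecting
    return reports


def triage(text):
    """One line per report: crashing input, bug class, faulting device frame."""
    return [f"{r.input_path or '?'}: {r.summary()}" for r in parse_asan_reports(text)]


# Constructed sample: the report quoted in the thread (first ten frames),
# with a placeholder input path in front of it.
SAMPLE_OUT = """\
Running: /path/to/corpus/CRASH-INPUT-PLACEHOLDER
==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
READ of size 4 at 0x615000031880 thread T0
    #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
    #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
    #2 0x55d070f2c6d8 in flatview_write_continue
build/../softmmu/physmem.c:2775:19
    #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
    #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
    #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
    #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
    #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
    #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks
build/../hw/sd/sdhci.c:619:13
    #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
"""
```

Run `triage(open("out").read())` on the real file; each line names the input that crashed and the first hw/ frame, so several inputs hitting the same sdhci_sdma_transfer_multi_blocks site can be grouped before anyone starts bisecting. Only the first stack of each report is kept, since the allocation stack ASan prints afterwards would otherwise be mistaken for more frames of the fault.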
