qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1912780] Re: QEMU: Null Pointer Failure in fdctrl_read() in hw/bloc

From: Thomas Huth
Subject: [Bug 1912780] Re: QEMU: Null Pointer Failure in fdctrl_read() in hw/block/fdc.c
Date: Fri, 14 May 2021 19:24:11 -0000 
** Changed in: qemu
       Status: New => In Progress

** Changed in: qemu
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1912780

Title:
  QEMU: Null Pointer Failure in fdctrl_read() in hw/block/fdc.c

Status in QEMU:
  In Progress

Bug description:
  [via qemu-security list]

  This is Gaoning Pan from Zhejiang University & Ant Security Light-Year Lab.
  I found a Null Pointer issue locates in fdctrl_read() in  hw/block/fdc.c.
  This flaw allows a malicious guest user or process in a denial of service 
condition.

  This issus was discovered in the latest Qemu-5.2.0. When using floppy device, 
there are several
  choices to get specific drive in get_drv(), depending on fdctrl->cur_drv. But 
not all drives are
  initialized properly, leaving fdctrl->drives[0]->blk as NULL. So when the 
drive was used in
  blk_pread(cur_drv->blk, fd_offset(cur_drv), fdctrl->fifo, BDRV_SECTOR_SIZE) 
at line 1918,
  null pointer access triggers, thus denial of service.My reproduced 
environment is as follows:

      Host: ubuntu 18.04
      Guest: ubuntu 18.04

  My boot command is as follows:

    qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive 
format=qcow2,file=./ubuntu.img \
     -nic user,hostfwd=tcp:0.0.0.0:5555-:22 -device floppy,unit=1,drive=mydrive 
\
     -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none -display none

  ASAN output is as follows:
  =================================================================
  ==14688==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000034c (pc 
0x5636eee9bbaf bp 0x7ff2a53fdea0 sp 0x7ff2a53fde90 T3)
  ==14688==The signal is caused by a WRITE memory access.
  ==14688==Hint: address points to the zero page.
      #0 0x5636eee9bbae in blk_inc_in_flight ../block/block-backend.c:1356
      #1 0x5636eee9b766 in blk_prw ../block/block-backend.c:1328
      #2 0x5636eee9cd76 in blk_pread ../block/block-backend.c:1491
      #3 0x5636ee1adf24 in fdctrl_read_data ../hw/block/fdc.c:1918
      #4 0x5636ee1a6654 in fdctrl_read ../hw/block/fdc.c:935
      #5 0x5636eebb84c8 in portio_read ../softmmu/ioport.c:179
      #6 0x5636ee9848c5 in memory_region_read_accessor ../softmmu/memory.c:442
      #7 0x5636ee9855c2 in access_with_adjusted_size ../softmmu/memory.c:552
      #8 0x5636ee98f0b7 in memory_region_dispatch_read1 ../softmmu/memory.c:1420
      #9 0x5636ee98f311 in memory_region_dispatch_read ../softmmu/memory.c:1449
      #10 0x5636ee8ff64a in flatview_read_continue ../softmmu/physmem.c:2822
      #11 0x5636ee8ff9e5 in flatview_read ../softmmu/physmem.c:2862
      #12 0x5636ee8ffb83 in address_space_read_full ../softmmu/physmem.c:2875
      #13 0x5636ee8ffdeb in address_space_rw ../softmmu/physmem.c:2903
      #14 0x5636eea6a924 in kvm_handle_io ../accel/kvm/kvm-all.c:2285
      #15 0x5636eea6c5e3 in kvm_cpu_exec ../accel/kvm/kvm-all.c:2531
      #16 0x5636eeca492b in kvm_vcpu_thread_fn ../accel/kvm/kvm-cpus.c:49
      #17 0x5636ef1bc296 in qemu_thread_start ../util/qemu-thread-posix.c:521
      #18 0x7ff337c736da in start_thread 
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
      #19 0x7ff33799ca3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV ../block/block-backend.c:1356 in 
blk_inc_in_flight
  Thread T3 created by T0 here:
      #0 0x7ff33c580d2f in __interceptor_pthread_create 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
      #1 0x5636ef1bc673 in qemu_thread_create ../util/qemu-thread-posix.c:558
      #2 0x5636eeca4ce7 in kvm_start_vcpu_thread ../accel/kvm/kvm-cpus.c:73
      #3 0x5636ee9aa965 in qemu_init_vcpu ../softmmu/cpus.c:622
      #4 0x5636ee82a9b4 in x86_cpu_realizefn ../target/i386/cpu.c:6731
      #5 0x5636eed002f4 in device_set_realized ../hw/core/qdev.c:886
      #6 0x5636eecc59bc in property_set_bool ../qom/object.c:2251
      #7 0x5636eecc0c28 in object_property_set ../qom/object.c:1398
      #8 0x5636eecb6fb9 in object_property_set_qobject ../qom/qom-qobject.c:28
      #9 0x5636eecc1175 in object_property_set_bool ../qom/object.c:1465
      #10 0x5636eecfc286 in qdev_realize ../hw/core/qdev.c:399
      #11 0x5636ee739b34 in x86_cpu_new ../hw/i386/x86.c:111
      #12 0x5636ee739d6d in x86_cpus_init ../hw/i386/x86.c:138
      #13 0x5636ee6f843e in pc_init1 ../hw/i386/pc_piix.c:159
      #14 0x5636ee6fab1e in pc_init_v5_2 ../hw/i386/pc_piix.c:438
      #15 0x5636ee1cb4a7 in machine_run_board_init ../hw/core/machine.c:1134
      #16 0x5636ee9c323d in qemu_init ../softmmu/vl.c:4369
      #17 0x5636edd92c71 in main ../softmmu/main.c:49
      #18 0x7ff33789cb96 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

  ==14688==ABORTING

  Reproducer is attached.

  Best regards.
  Gaoning Pan of Zhejiang University & Ant Security Light-Year Lab

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1912780/+subscriptions
reply via email to
[Prev in Thread] Current Thread [Next in Thread]