Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential()

From: Bin Meng
Subject: Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential()
Date: Thu, 10 Nov 2022 00:18:45 +0800

On Wed, Nov 9, 2022 at 6:10 PM Mauro Matteo Cascella
<mcascell@redhat.com> wrote:
>
> On Wed, Nov 9, 2022 at 10:45 AM Siqi Chen <coc.cyqh@gmail.com> wrote:
> >
> > Hi,
> >
> > >This reproducer does not crash my QEMU. Am I missing anything?
> > I submitted the reproducer. Because the overflow is only one byte, it may 
> > not be detected by the host's heap allocator.  Do you compile your qemu 
> > with sanitizer?  This is my build configuration: "./configure 
> > --target-list=x86_64-softmmu --enable-sanitizers"
>
> Right, you need to recompile QEMU with ASAN support. This is an
> excerpt of the stack trace:

Is this documented somewhere? Is fuzzing.rst the right doc for this
feature? Looking at fuzzing.rst it says --enable-sanitizers is
optional.

Turning on --enable-sanitizers makes the build fail:

FAILED: subprojects/libvduse/libvduse.a.p/libvduse.c.o
cc -m64 -mcx16 -Isubprojects/libvduse/libvduse.a.p -Isubprojects/libvduse -I../subprojects/libvduse -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -fsanitize=undefined -fsanitize=address -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE -D_GNU_SOURCE -MD -MQ subprojects/libvduse/libvduse.a.p/libvduse.c.o -MF subprojects/libvduse/libvduse.a.p/libvduse.c.o.d -o subprojects/libvduse/libvduse.a.p/libvduse.c.o -c ../subprojects/libvduse/libvduse.c
In file included from /usr/include/string.h:495,
                 from ../subprojects/libvduse/libvduse.c:24:
In function ‘strncpy’,
    inlined from ‘vduse_dev_create’ at ../subprojects/libvduse/libvduse.c:1312:5:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 256 equals destination size [-Werror=stringop-truncation]
  106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I am using GCC 9.4 on Ubuntu 20.04.

>
> =================================================================
> ==39159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000022880 at pc 0x55b023db5fe1 bp 0x7fffeeef1650 sp 0x7fffeeef1648
> WRITE of size 1 at 0x615000022880 thread T0
>     #0 0x55b023db5fe0 in sdhci_write_dataport ../../hw/sd/sdhci.c:562
>     #1 0x55b023dc1cc7 in sdhci_write ../../hw/sd/sdhci.c:1216
>     #2 0x55b024521e01 in memory_region_write_accessor ../../softmmu/memory.c:492
>     #3 0x55b0245222ab in access_with_adjusted_size ../../softmmu/memory.c:554
>     #4 0x55b02452ff15 in memory_region_dispatch_write ../../softmmu/memory.c:1514
>     #5 0x55b024568c67 in flatview_write_continue ../../softmmu/physmem.c:2814
>     #6 0x55b02456908d in flatview_write ../../softmmu/physmem.c:2856
>     #7 0x55b024569a74 in address_space_write ../../softmmu/physmem.c:2952
>     #8 0x55b02457a63c in qtest_process_command ../../softmmu/qtest.c:538
>     #9 0x55b02457ef97 in qtest_process_inbuf ../../softmmu/qtest.c:796
>     #10 0x55b02457f089 in qtest_read ../../softmmu/qtest.c:808
>     #11 0x55b0249d4372 in qemu_chr_be_write_impl ../../chardev/char.c:201
>     #12 0x55b0249d4414 in qemu_chr_be_write ../../chardev/char.c:213
>     #13 0x55b0249db586 in fd_chr_read ../../chardev/char-fd.c:72
>     #14 0x55b02466ba5b in qio_channel_fd_source_dispatch ../../io/channel-watch.c:84
>     #15 0x7f88093af0ae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x550ae)
>     #16 0x55b024c5ff14 in glib_pollfds_poll ../../util/main-loop.c:297
>     #17 0x55b024c600fa in os_host_main_loop_wait ../../util/main-loop.c:320
>     #18 0x55b024c603f3 in main_loop_wait ../../util/main-loop.c:596
>     #19 0x55b023fcca21 in qemu_main_loop ../../softmmu/runstate.c:726
>     #20 0x55b023679735 in qemu_main ../../softmmu/main.c:36
>     #21 0x55b023679766 in main ../../softmmu/main.c:45
>     #22 0x7f8808728f5f in __libc_start_call_main (/lib64/libc.so.6+0x40f5f)
>     #23 0x7f880872900f in __libc_start_main_impl (/lib64/libc.so.6+0x4100f)
>     #24 0x55b023679644 in _start (./qemu-system-x86_64+0x20f2644)
>

Regards,
Bin
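The build failure quoted above is GCC's -Wstringop-truncation diagnostic: a strncpy whose bound equals the destination size can fill the whole field and leave no terminating NUL, so any later string read runs off the end of the buffer. The following is an added illustration for this thread, not code from libvduse or QEMU; the NAME_SZ constant (chosen to match the bound 256 in the diagnostic), the function names and the 300-byte sample source are all constructed here. It shows the flagged pattern next to the bounded form that keeps the field a valid C string, and checks the outcome of each on an overlong input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size name field; 256 matches the bound GCC reported above. */
#define NAME_SZ 256

/* The pattern GCC rejects under -Werror=stringop-truncation: the bound equals
 * the destination size, so a source of NAME_SZ bytes or more fills the field
 * completely and no terminating NUL is written. (dst must point at NAME_SZ bytes.) */
static void copy_name_truncating(char *dst, const char *src)
{
    strncpy(dst, src, NAME_SZ);
}

/* Bounded form: copy at most NAME_SZ-1 bytes and always write the terminator,
 * so the field is a valid C string no matter how long src is. */
static void copy_name_bounded(char *dst, const char *src)
{
    strncpy(dst, src, NAME_SZ - 1);
    dst[NAME_SZ - 1] = '\0';
}

/* True if a NUL exists within the field's NAME_SZ bytes (safe to pass to strlen). */
static bool name_is_terminated(const char *dst)
{
    return memchr(dst, '\0', NAME_SZ) != NULL;
}

/* Constructed oversize input: n-1 'A' characters followed by a NUL. */
static void make_long_source(char *buf, size_t n)
{
    memset(buf, 'A', n - 1);
    buf[n - 1] = '\0';
}

/* Returns 1 if the truncating copy of a 300-byte source leaves the field unterminated. */
int truncating_copy_unterminated(void)
{
    char src[301];
    char dst[NAME_SZ];
    make_long_source(src, sizeof src);
    memset(dst, 'X', sizeof dst);   /* stand in for stale memory contents */
    copy_name_truncating(dst, src);
    return name_is_terminated(dst) ? 0 : 1;
}

/* Returns the length the bounded copy produces for the same source
 * (NAME_SZ-1 = 255), or (size_t)-1 if the result were somehow unterminated. */
size_t bounded_copy_length(void)
{
    char src[301];
    char dst[NAME_SZ];
    make_long_source(src, sizeof src);
    copy_name_bounded(dst, src);
    return name_is_terminated(dst) ? strlen(dst) : (size_t)-1;
}

/* Inputs shorter than the field must survive the bounded copy unchanged. */
int bounded_copy_preserves_short(void)
{
    char dst[NAME_SZ];
    copy_name_bounded(dst, "vduse0");
    return strcmp(dst, "vduse0") == 0;
}
```

The truncating variant is what the warning is about: it compiles and runs, but the destination is no longer guaranteed to be a string, which is exactly the class of silent defect -Werror turns into a build stop. Whether that stop is wanted in a given build is a separate question; the bounded form satisfies the compiler and the string contract at the same time.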
