[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequen
|
From: |
Mauro Matteo Cascella |
|
Subject: |
Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential() |
|
Date: |
Thu, 10 Nov 2022 19:51:09 +0100 |
On Wed, Nov 9, 2022 at 5:19 PM Bin Meng <bmeng.cn@gmail.com> wrote:
>
> On Wed, Nov 9, 2022 at 6:10 PM Mauro Matteo Cascella
> <mcascell@redhat.com> wrote:
> >
> > On Wed, Nov 9, 2022 at 10:45 AM Siqi Chen <coc.cyqh@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > >This reproducer does not crash my QEMU. Am I missing anything?
> > > I submitted the reproducer. Because the overflow is only one byte, it may
> > > not be detected by the host's heap allocator. Do you compile your qemu
> > > with sanitizer? This is my build configuration: "./configure
> > > --target-list=x86_64-softmmu --enable-sanitizers"
> >
> > Right, you need to recompile QEMU with ASAN support. This is an
> > excerpt of the stack trace:
>
> Is this documented somewhere? Is fuzzing.rst the right doc for this
> feature? Looking at fuzzing.rst it says --enable-sanitizers is
> optional.
Not sure it's documented somewhere, this is how I usually compile:
$ ../configure --target-list=x86_64-softmmu --enable-sanitizers
--extra-cflags=-g3 \
--enable-kvm --disable-tcg --enable-debug --enable-debug-info --disable-werror
Then just run the PoC using ./x86_64-softmmu/qemu-system-x86_64 should
do the trick.
> Turning on --enable-sanitizers makes the build fail:
>
> FAILED: subprojects/libvduse/libvduse.a.p/libvduse.c.o
> cc -m64 -mcx16 -Isubprojects/libvduse/libvduse.a.p
> -Isubprojects/libvduse -I../subprojects/libvduse
> -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g
> -fsanitize=undefined -fsanitize=address -U_FORTIFY
> _SOURCE -D_FORTIFY_SOURCE=2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
> -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings
> -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv
> -Wold-style-declaration -W
> old-style-definition -Wtype-limits -Wformat-security -Wformat-y2k
> -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs
> -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2
> -Wno-missing-include-dirs -Wn
> o-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE
> -D_GNU_SOURCE -MD -MQ subprojects/libvduse/libvduse.a.p/libvduse.c.o
> -MF subprojects/libvduse/libvduse.a.p/libvduse.c.o.d -o
> subprojects/libvduse/libvduse.a
> .p/libvduse.c.o -c ../subprojects/libvduse/libvduse.c
> In file included from /usr/include/string.h:495,
> from ../subprojects/libvduse/libvduse.c:24:
> In function ‘strncpy’,
> inlined from ‘vduse_dev_create’ at ../subprojects/libvduse/libvduse.c:1312:5:
> /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error:
> ‘__builtin_strncpy’ specified bound 256 equals destination size
> [-Werror=stringop-truncation]
> 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> I am using GCC 9.4 on Ubuntu 20.04
>
> >
> > =================================================================
> > ==39159==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x615000022880 at pc 0x55b023db5fe1 bp 0x7fffeeef1650 sp
> > 0x7fffeeef1648
> > WRITE of size 1 at 0x615000022880 thread T0
> > #0 0x55b023db5fe0 in sdhci_write_dataport ../../hw/sd/sdhci.c:562
> > #1 0x55b023dc1cc7 in sdhci_write ../../hw/sd/sdhci.c:1216
> > #2 0x55b024521e01 in memory_region_write_accessor
> > ../../softmmu/memory.c:492
> > #3 0x55b0245222ab in access_with_adjusted_size
> > ../../softmmu/memory.c:554
> > #4 0x55b02452ff15 in memory_region_dispatch_write
> > ../../softmmu/memory.c:1514
> > #5 0x55b024568c67 in flatview_write_continue
> > ../../softmmu/physmem.c:2814
> > #6 0x55b02456908d in flatview_write ../../softmmu/physmem.c:2856
> > #7 0x55b024569a74 in address_space_write ../../softmmu/physmem.c:2952
> > #8 0x55b02457a63c in qtest_process_command ../../softmmu/qtest.c:538
> > #9 0x55b02457ef97 in qtest_process_inbuf ../../softmmu/qtest.c:796
> > #10 0x55b02457f089 in qtest_read ../../softmmu/qtest.c:808
> > #11 0x55b0249d4372 in qemu_chr_be_write_impl ../../chardev/char.c:201
> > #12 0x55b0249d4414 in qemu_chr_be_write ../../chardev/char.c:213
> > #13 0x55b0249db586 in fd_chr_read ../../chardev/char-fd.c:72
> > #14 0x55b02466ba5b in qio_channel_fd_source_dispatch
> > ../../io/channel-watch.c:84
> > #15 0x7f88093af0ae in g_main_context_dispatch
> > (/lib64/libglib-2.0.so.0+0x550ae)
> > #16 0x55b024c5ff14 in glib_pollfds_poll ../../util/main-loop.c:297
> > #17 0x55b024c600fa in os_host_main_loop_wait ../../util/main-loop.c:320
> > #18 0x55b024c603f3 in main_loop_wait ../../util/main-loop.c:596
> > #19 0x55b023fcca21 in qemu_main_loop ../../softmmu/runstate.c:726
> > #20 0x55b023679735 in qemu_main ../../softmmu/main.c:36
> > #21 0x55b023679766 in main ../../softmmu/main.c:45
> > #22 0x7f8808728f5f in __libc_start_call_main (/lib64/libc.so.6+0x40f5f)
> > #23 0x7f880872900f in __libc_start_main_impl (/lib64/libc.so.6+0x4100f)
> > #24 0x55b023679644 in _start (./qemu-system-x86_64+0x20f2644)
> >
>
> Regards,
> Bin
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential(), Philippe Mathieu-Daudé, 2022/11/07