[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequen
|
From: |
Bin Meng |
|
Subject: |
Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential() |
|
Date: |
Fri, 11 Nov 2022 08:21:32 +0800 |
On Fri, Nov 11, 2022 at 2:51 AM Mauro Matteo Cascella
<mcascell@redhat.com> wrote:
>
> On Wed, Nov 9, 2022 at 5:19 PM Bin Meng <bmeng.cn@gmail.com> wrote:
> >
> > On Wed, Nov 9, 2022 at 6:10 PM Mauro Matteo Cascella
> > <mcascell@redhat.com> wrote:
> > >
> > > On Wed, Nov 9, 2022 at 10:45 AM Siqi Chen <coc.cyqh@gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > >This reproducer does not crash my QEMU. Am I missing anything?
> > > > I submitted the reproducer. Because the overflow is only one byte, it
> > > > may not be detected by the host's heap allocator. Do you compile your
> > > > qemu with sanitizer? This is my build configuration: "./configure
> > > > --target-list=x86_64-softmmu --enable-sanitizers"
> > >
> > > Right, you need to recompile QEMU with ASAN support. This is an
> > > excerpt of the stack trace:
> >
> > Is this documented somewhere? Is fuzzing.rst the right doc for this
> > feature? Looking at fuzzing.rst it says --enable-sanitizers is
> > optional.
>
> Not sure it's documented somewhere, this is how I usually compile:
>
> $ ../configure --target-list=x86_64-softmmu --enable-sanitizers
> --extra-cflags=-g3 \
> --enable-kvm --disable-tcg --enable-debug --enable-debug-info
> --disable-werror
Thanks, --disable-werror makes the build pass and I can reproduce this issue.
I can prepare a patch to improve the doc with the build instructions.
>
> Then just run the PoC using ./x86_64-softmmu/qemu-system-x86_64 should
> do the trick.
>
> > Turning on --enable-sanitizers makes the build fail:
> >
> > FAILED: subprojects/libvduse/libvduse.a.p/libvduse.c.o
> > cc -m64 -mcx16 -Isubprojects/libvduse/libvduse.a.p
> > -Isubprojects/libvduse -I../subprojects/libvduse
> > -fdiagnostics-color=auto -Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g
> > -fsanitize=undefined -fsanitize=address -U_FORTIFY
> > _SOURCE -D_FORTIFY_SOURCE=2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
> > -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings
> > -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv
> > -Wold-style-declaration -W
> > old-style-definition -Wtype-limits -Wformat-security -Wformat-y2k
> > -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs
> > -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2
> > -Wno-missing-include-dirs -Wn
> > o-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE
> > -D_GNU_SOURCE -MD -MQ subprojects/libvduse/libvduse.a.p/libvduse.c.o
> > -MF subprojects/libvduse/libvduse.a.p/libvduse.c.o.d -o
> > subprojects/libvduse/libvduse.a
> > .p/libvduse.c.o -c ../subprojects/libvduse/libvduse.c
> > In file included from /usr/include/string.h:495,
> > from ../subprojects/libvduse/libvduse.c:24:
> > In function ‘strncpy’,
> > inlined from ‘vduse_dev_create’ at
> > ../subprojects/libvduse/libvduse.c:1312:5:
> > /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error:
> > ‘__builtin_strncpy’ specified bound 256 equals destination size
> > [-Werror=stringop-truncation]
> > 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
> > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > cc1: all warnings being treated as errors
> >
> > I am using GCC 9.4 on Ubuntu 20.04
> >
> > >
> > > =================================================================
> > > ==39159==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > > 0x615000022880 at pc 0x55b023db5fe1 bp 0x7fffeeef1650 sp
> > > 0x7fffeeef1648
> > > WRITE of size 1 at 0x615000022880 thread T0
> > > #0 0x55b023db5fe0 in sdhci_write_dataport ../../hw/sd/sdhci.c:562
> > > #1 0x55b023dc1cc7 in sdhci_write ../../hw/sd/sdhci.c:1216
> > > #2 0x55b024521e01 in memory_region_write_accessor
> > > ../../softmmu/memory.c:492
> > > #3 0x55b0245222ab in access_with_adjusted_size
> > > ../../softmmu/memory.c:554
> > > #4 0x55b02452ff15 in memory_region_dispatch_write
> > > ../../softmmu/memory.c:1514
> > > #5 0x55b024568c67 in flatview_write_continue
> > > ../../softmmu/physmem.c:2814
> > > #6 0x55b02456908d in flatview_write ../../softmmu/physmem.c:2856
> > > #7 0x55b024569a74 in address_space_write ../../softmmu/physmem.c:2952
> > > #8 0x55b02457a63c in qtest_process_command ../../softmmu/qtest.c:538
> > > #9 0x55b02457ef97 in qtest_process_inbuf ../../softmmu/qtest.c:796
> > > #10 0x55b02457f089 in qtest_read ../../softmmu/qtest.c:808
> > > #11 0x55b0249d4372 in qemu_chr_be_write_impl ../../chardev/char.c:201
> > > #12 0x55b0249d4414 in qemu_chr_be_write ../../chardev/char.c:213
> > > #13 0x55b0249db586 in fd_chr_read ../../chardev/char-fd.c:72
> > > #14 0x55b02466ba5b in qio_channel_fd_source_dispatch
> > > ../../io/channel-watch.c:84
> > > #15 0x7f88093af0ae in g_main_context_dispatch
> > > (/lib64/libglib-2.0.so.0+0x550ae)
> > > #16 0x55b024c5ff14 in glib_pollfds_poll ../../util/main-loop.c:297
> > > #17 0x55b024c600fa in os_host_main_loop_wait
> > > ../../util/main-loop.c:320
> > > #18 0x55b024c603f3 in main_loop_wait ../../util/main-loop.c:596
> > > #19 0x55b023fcca21 in qemu_main_loop ../../softmmu/runstate.c:726
> > > #20 0x55b023679735 in qemu_main ../../softmmu/main.c:36
> > > #21 0x55b023679766 in main ../../softmmu/main.c:45
> > > #22 0x7f8808728f5f in __libc_start_call_main
> > > (/lib64/libc.so.6+0x40f5f)
> > > #23 0x7f880872900f in __libc_start_main_impl
> > > (/lib64/libc.so.6+0x4100f)
> > > #24 0x55b023679644 in _start (./qemu-system-x86_64+0x20f2644)
> > >
Regards,
Bin
Re: [PATCH] hw/sd/sdhci: reset data count in sdhci_buff_access_is_sequential(), Philippe Mathieu-Daudé, 2022/11/07