diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:07 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:17 +0200 |
| commit | 9260319e7411ff8281700a532caa436f40120ec4 (patch) | |
| tree | 2f6bfe5f3458dd49d328d3a9eb508595450adec0 /gitlab/issues/target_missing/host_missing/accel_missing/2852.toml | |
| parent | 225caa38269323af1bfc2daadff5ec8bd930747f (diff) | |
| download | emulator-bug-study-9260319e7411ff8281700a532caa436f40120ec4.tar.gz emulator-bug-study-9260319e7411ff8281700a532caa436f40120ec4.zip | |
gitlab scraper: download in toml and text format
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2852.toml')
| -rw-r--r-- | gitlab/issues/target_missing/host_missing/accel_missing/2852.toml | 88 |
1 files changed, 0 insertions, 88 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2852.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2852.toml deleted file mode 100644 index 98f341a8..00000000 --- a/gitlab/issues/target_missing/host_missing/accel_missing/2852.toml +++ /dev/null @@ -1,88 +0,0 @@ -id = 2852 -title = "heap-use-after-free in timer_pending()" -state = "closed" -created_at = "2025-03-04T08:36:06.291Z" -closed_at = "2025-03-06T02:25:22.231Z" -labels = ["Storage", "workflow::Patch available"] -url = "https://gitlab.com/qemu-project/qemu/-/issues/2852" -host-os = "Alt Workstation K 10.3" -host-arch = "x86_64" -qemu-version = "QEMU emulator version v9.2.2 (v9.2.2-50d38b8921837827ea397d4b20c8bc5efe186e53)" -guest-os = "n/a" -guest-arch = "n/a" -description = """In the QED block driver, the need_check_timer timer is freed in -bdrv_qed_detach_aio_context, but the pointer to the timer is not -set to NULL. This can lead to a use-after-free scenario -in bdrv_qed_drain_begin().""" -reproduce = """1. [test.qed](/uploads/c8820345bfcd562308da99d9f83df3cf/test.qed) -2. ./qemu-img snapshot -q -a test test.qed""" -additional = """<details> -<pre> -./qemu-img snapshot -q -a test test.qed -==21083==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! -================================================================= -==21083==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400004ca50 at pc 0x56050d1462b6 bp 0x7fff14d0d870 sp 0x7fff14d0d868 -READ of size 8 at 0x60400004ca50 thread T0 - #0 0x56050d1462b5 in timer_pending /home/gerben/qemu-img_fuzz/build/../util/qemu-timer.c:483:16 - #1 0x56050cddf82e in bdrv_qed_drain_begin /home/gerben/qemu-img_fuzz/build/../block/qed.c:378:32 - #2 0x56050cb9bb65 in bdrv_do_drained_begin /home/gerben/qemu-img_fuzz/build/../block/io.c:364:13 - #3 0x56050cb9ca03 in bdrv_drain_all_begin_nopoll /home/gerben/qemu-img_fuzz/build/../block/io.c:506:9 - #4 0x56050cb96318 in bdrv_graph_wrlock /home/gerben/qemu-img_fuzz/build/../block/graph-lock.c:116:5 - #5 0x56050cd0cbc4 in bdrv_snapshot_goto /home/gerben/qemu-img_fuzz/build/../block/snapshot.c:294:9 - #6 0x56050cf95dd2 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3500:15 - #7 0x7f4adeddbefc in __libc_start_main (/lib64/libc.so.6+0x27efc) - #8 0x56050c96a9f9 in _start /usr/src/RPM/BUILD/glibc-2.32-alt5.p10.3/csu/../sysdeps/x86_64/start.S:120 - -0x60400004ca50 is located 0 bytes inside of 48-byte region [0x60400004ca50,0x60400004ca80) -freed by thread T0 here: - #0 0x56050ca0daef in free /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3 - #1 0x56050cde6b86 in bdrv_qed_do_close /home/gerben/qemu-img_fuzz/build/../block/qed.c:619:5 - #2 0x56050cddbe85 in bdrv_qed_close /home/gerben/qemu-img_fuzz/build/../block/qed.c:639:5 - #3 0x56050cd0cbb2 in bdrv_snapshot_goto /home/gerben/qemu-img_fuzz/build/../block/snapshot.c:290:13 - #4 0x56050cf95dd2 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3500:15 - #5 0x7f4adeddbefc in __libc_start_main (/lib64/libc.so.6+0x27efc) - -previously allocated by thread T0 here: - #0 0x56050ca0dfa7 in calloc /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3 - #1 0x7f4adf359670 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5c670) - #2 0x56050cde4bd0 in bdrv_qed_do_open /home/gerben/qemu-img_fuzz/build/../block/qed.c:543:5 - #3 0x56050cde21a2 in bdrv_qed_open_entry /home/gerben/qemu-img_fuzz/build/../block/qed.c:569:16 - #4 0x56050d137706 in coroutine_trampoline /home/gerben/qemu-img_fuzz/build/../util/coroutine-ucontext.c:175:9 - #5 0x7f4adee066cf (/lib64/libc.so.6+0x526cf) - -SUMMARY: AddressSanitizer: heap-use-after-free /home/gerben/qemu-img_fuzz/build/../util/qemu-timer.c:483:16 in timer_pending -Shadow bytes around the buggy address: - 0x0c08800018f0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa - 0x0c0880001900: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa - 0x0c0880001910: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa - 0x0c0880001920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd - 0x0c0880001930: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 00 fa -=>0x0c0880001940: fa fa 00 00 00 00 00 fa fa fa[fd]fd fd fd fd fd - 0x0c0880001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c0880001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c0880001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c0880001980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c0880001990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb - Shadow gap: cc -==21083==ABORTING -</pre> -</details>""" |