Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2299.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/2299.toml215
1 files changed, 215 insertions, 0 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2299.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2299.toml
new file mode 100644
index 00000000..9b527267
--- /dev/null
+++ b/gitlab/issues/target_missing/host_missing/accel_missing/2299.toml
@@ -0,0 +1,215 @@
+id = 2299
+title = "UFS Device sanitizers error"
+state = "closed"
+created_at = "2024-04-22T03:29:29.520Z"
+closed_at = "2024-05-01T22:14:33.454Z"
+labels = ["Fuzzer"]
+url = "https://gitlab.com/qemu-project/qemu/-/issues/2299"
+host-os = "n/a"
+host-arch = "n/a"
+qemu-version = "n/a"
+guest-os = "n/a"
+guest-arch = "n/a"
+description = """Sanitizers error reported by Zheyu Ma zheyuma97@gmail.com
+
+The following log can reveal it:
+
+==3619819==ERROR: AddressSanitizer: heap-buffer-overflow on address
+
+0x62a000011200 at pc 0x7f9f9903a2c3 bp 0x7ffd44e1ee60 sp 0x7ffd44e1e608
+
+WRITE of size 20512 at 0x62a000011200 thread T0
+
+```
+#0 0x7f9f9903a2c2 in __interceptor_memcpy
+```
+
+../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+
+```
+#1 0x5f23331ea4fc in memcpy
+```
+
+/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
+
+```
+#2 0x5f23331ea4fc in flatview_read_continue_step
+```
+
+../system/physmem.c:2818
+
+```
+#3 0x5f23331eab72 in flatview_read_continue ../system/physmem.c:2835
+
+#4 0x5f23331eadc4 in flatview_read ../system/physmem.c:2865
+
+#5 0x5f23331ec2a5 in address_space_read_full ../system/physmem.c:2878
+
+#6 0x5f23331ec2a5 in address_space_rw ../system/physmem.c:2906
+
+#7 0x5f23326b7ad0 in ufs_dma_read_req_upiu ../hw/ufs/ufs.c:129
+
+#8 0x5f23326b7ad0 in ufs_dma_read_upiu ../hw/ufs/ufs.c:185
+
+#9 0x5f23326b7ad0 in ufs_exec_req ../hw/ufs/ufs.c:1021
+
+#10 0x5f23326b7ad0 in ufs_process_req ../hw/ufs/ufs.c:1066
+
+#11 0x5f2333a9160d in aio_bh_call ../util/async.c:171
+
+#12 0x5f2333a91f45 in aio_bh_poll ../util/async.c:218
+
+#13 0x5f2333a217a9 in aio_dispatch ../util/aio-posix.c:423
+
+#14 0x5f2333a90d01 in aio_ctx_dispatch ../util/async.c:360
+
+#15 0x7f9f985c4d3a in g_main_context_dispatch
+```
+
+(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a)
+
+```
+#16 0x5f2333a9690f in glib_pollfds_poll ../util/main-loop.c:287
+
+#17 0x5f2333a9690f in os_host_main_loop_wait ../util/main-loop.c:310
+
+#18 0x5f2333a9690f in main_loop_wait ../util/main-loop.c:589
+
+#19 0x5f23329370e0 in qemu_main_loop ../system/runstate.c:783
+
+#20 0x5f23333b4d7a in qemu_default_main ../system/main.c:37
+
+#21 0x7f9f97629d8f in __libc_start_call_main
+```
+
+../sysdeps/nptl/libc_start_call_main.h:58
+
+```
+#22 0x7f9f97629e3f in __libc_start_main_impl ../csu/libc-start.c:392
+
+#23 0x5f2331c8df64 in _start
+```
+
+(/home/joey/repo/qemu/build/qemu-system-x86_64+0x2ea8f64)
+
+0x62a000011200 is located 0 bytes to the right of 20480-byte region
+
+\\[0x62a00000c200,0x62a000011200)
+
+allocated by thread T0 here:
+
+```
+#0 0x7f9f990b4a57 in __interceptor_calloc
+```
+
+../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+
+```
+#1 0x7f9f985cdc50 in g_malloc0
+```
+
+(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
+
+```
+#2 0xf0e808deae299ff  (<unknown module>)
+```
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow
+
+../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+
+in \\__interceptor_memcpy
+
+Shadow bytes around the buggy address:
+
+0x0c547fffa1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+0x0c547fffa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+0x0c547fffa210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+0x0c547fffa220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+0x0c547fffa230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+=\\>0x0c547fffa240:\\[fa\\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+
+0x0c547fffa250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+
+0x0c547fffa260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+
+0x0c547fffa270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+
+0x0c547fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+
+0x0c547fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+
+Shadow byte legend (one shadow byte represents 8 application bytes):
+
+Addressable: 00
+
+Partially addressable: 01 02 03 04 05 06 07
+
+Heap left redzone: fa
+
+Freed heap region: fd
+
+Stack left redzone: f1
+
+Stack mid redzone: f2
+
+Stack right redzone: f3
+
+Stack after return: f5
+
+Stack use after scope: f8
+
+Global redzone: f9
+
+Global init order: f6
+
+Poisoned by user: f7
+
+Container overflow: fc
+
+Array cookie: ac
+
+Intra object redzone: bb
+
+ASan internal: fe
+
+Left alloca redzone: ca
+
+Right alloca redzone: cb
+
+Shadow gap: cc
+
+==3619819==ABORTING
+
+And Here is a simple PoC:
+
+cat \\<\\< EOF \\\\
+
+qemu-system-x86_64 \\\\
+
+\\-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \\\\
+
+file=[null-co://,if=none,id=disk0](null-co://,if=none,id=disk0) -device ufs,id=ufs_bus -device \\\\
+
+ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
+
+outl 0xcf8 0x80000810
+
+outl 0xcfc 0xe0000000
+
+outl 0xcf8 0x80000804
+
+outw 0xcfc 0x06
+
+write 0xe0000058 0x1 0xa7
+
+write 0xa 0x1 0x50
+
+EOF"""
+reproduce = "n/a"
+additional = "n/a"
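Review bot: The `description` value in this hunk records GitLab's markdown-escaped rendering rather than the issue's original text: `\\[`/`\\]` around the shadow-byte marker on the `=\\>0x0c547fffa240` line and before `\\[0x62a00000c200`, `\\<\\<` and the `\\\\` line continuations in the PoC command, and the autolinked `file=[null-co://,if=none,id=disk0](null-co://,if=none,id=disk0)` drive argument. Since a TOML basic string decodes `\\` to one backslash, any consumer of this record gets a sanitizer trace and a command line that differ from what ASan and the reporter produced, which matters if these records are used to match or deduplicate sanitizer reports against other sources. Unless the exporter deliberately keeps the rendered form, I would store the raw description as fetched (a multi-line literal string `'''…'''` keeps backslashes verbatim if the raw text contains any). Separately, `created_at`/`closed_at` are RFC 3339 instants and could be native offset datetimes, e.g. `created_at = 2024-04-22T03:29:29.520Z`, and the keys mix `snake_case` (`created_at`) with `kebab-case` (`host-os`, `qemu-version`); one convention file-wide would make the schema easier to validate.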