# GitLab issue record for qemu-project/qemu issue 2778 (see `url`).
id = 2778
# The sanitizer output captured in `reproduce` ends in a SEGV inside
# ahci_pio_transfer (hw/ide/ahci.c:1377), i.e. the whole emulator process
# aborts; the report was produced by fuzzing (see `labels`).
title = "Null Dereference in ahci-hd device"
state = "opened"
# Timestamps are stored as RFC 3339 strings rather than native TOML
# datetimes, presumably so the same field can also hold the "n/a" sentinel.
created_at = "2025-01-15T11:52:20.316Z"
# "n/a" marks a field with no value; the key is kept rather than omitted.
closed_at = "n/a"
labels = ["Fuzzer"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/2778"
# NOTE(review): key names mix snake_case (created_at) and kebab-case
# (host-os); TOML keys are matched exactly, so consumers must use these
# spellings as written.
host-os = "Debian 12"
host-arch = "x86_64"
qemu-version = "QEMU emulator version 9.2.50 (v9.2.0-1001-g7433709a14)"
# Guest fields are "n/a": the reproducer below runs with -machine accel=qtest
# and -nodefaults, driving the device model from the qtest command stream
# rather than from a booted guest OS.
guest-os = "n/a"
guest-arch = "n/a"
description = """This issue was found by fuzzing. With some qtest commands we can crash qemu-system-x86_64 because of a null dereference."""
reproduce = """Command:

```
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0  -qtest stdio
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0xe00003b8 0x1 0x01
write 0x0 0x1 0x27
write 0x1 0x1 0x80
write 0x2 0x1 0x20
write 0x7 0x1 0x01
write 0xe0000398 0x1 0x01
write 0xe0000398 0x1 0x00
write 0xe0000398 0x1 0x01
EOF
```

Results in 

```
[I 0.000001] OPENED
[R +0.082978] outl 0xcf8 0x8000fa24
[S +0.083040] OK
OK
[R +0.083070] outl 0xcfc 0xe0000000
[S +0.083115] OK
OK
[R +0.083132] outl 0xcf8 0x8000fa04
[S +0.083152] OK
OK
[R +0.083180] outw 0xcfc 0x06
[S +0.084233] OK
OK
[R +0.084291] write 0xe00003b8 0x1 0x01
[S +0.084344] OK
OK
[R +0.084384] write 0x0 0x1 0x27
[S +0.085007] OK
OK
[R +0.085041] write 0x1 0x1 0x80
[S +0.085055] OK
OK
[R +0.085071] write 0x2 0x1 0x20
[S +0.085084] OK
OK
[R +0.085096] write 0x7 0x1 0x01
[S +0.085110] OK
OK
[R +0.085123] write 0xe0000398 0x1 0x01
[S +0.085254] OK
OK
[R +0.085294] write 0xe0000398 0x1 0x00
[S +0.085324] OK
OK
[R +0.085349] write 0xe0000398 0x1 0x01
[S +0.085408] OK
OK
../hw/ide/ahci.c:1377:46: runtime error: member access within null pointer of type 'AHCICmdHdr' (aka 'struct AHCICmdHdr')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in 
../hw/ide/ahci.c:1377:46: runtime error: load of null pointer of type 'uint16_t' (aka 'unsigned short')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2547739==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55abf3a79f9c bp 0x7ffc213000d0 sp 0x7ffc212fffa0 T0)
==2547739==The signal is caused by a READ memory access.
==2547739==Hint: address points to the zero page.
    #0 0x55abf3a79f9c in ahci_pio_transfer /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46
    #1 0x55abf3a8a396 in ide_transfer_start_norecurse /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:581:5
    #2 0x55abf3aab79e in ide_transfer_start /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:588:9
    #3 0x55abf3aab79e in ide_sector_read_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:789:5
    #4 0x55abf3a8d6e2 in ide_buffered_readv_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:684:9
    #5 0x55abf4f31d33 in blk_aio_complete /home/artemiin/Work/original_qemu/build/../block/block-backend.c:1552:9
    #6 0x55abf545010b in aio_bh_call /home/artemiin/Work/original_qemu/build/../util/async.c:172:5
    #7 0x55abf545089f in aio_bh_poll /home/artemiin/Work/original_qemu/build/../util/async.c:219:13
    #8 0x55abf53e746a in aio_dispatch /home/artemiin/Work/original_qemu/build/../util/aio-posix.c:424:5
    #9 0x55abf545469a in aio_ctx_dispatch /home/artemiin/Work/original_qemu/build/../util/async.c:361:5
    #10 0x7f358845b7a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) (BuildId: 9f90bd7bbfcf84a1f1c5a6102f70e6264837b9d4)
    #11 0x55abf5455787 in glib_pollfds_poll /home/artemiin/Work/original_qemu/build/../util/main-loop.c:287:9
    #12 0x55abf5455787 in os_host_main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:310:5
    #13 0x55abf5455787 in main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:589:11
    #14 0x55abf425c296 in qemu_main_loop /home/artemiin/Work/original_qemu/build/../system/runstate.c:835:9
    #15 0x55abf51df1c6 in qemu_default_main /home/artemiin/Work/original_qemu/build/../system/main.c:48:14
    #16 0x55abf51df1a1 in main /home/artemiin/Work/original_qemu/build/../system/main.c:76:9
    #17 0x7f3587219249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f3587219304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #19 0x55abf353be60 in _start (/home/artemiin/Work/original_qemu/build/qemu-system-x86_64+0x1828e60) (BuildId: f91712a3af40a999ce35e39809ce00f92c35ae25)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46 in ahci_pio_transfer
==2547739==ABORTING
```"""
additional = """This issue may need a complicated patch, so I ask the developers to take a look at it."""