1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
|
hypervisor: 0.890
peripherals: 0.886
user-level: 0.869
KVM: 0.838
risc-v: 0.838
i386: 0.827
TCG: 0.819
mistranslation: 0.798
VMM: 0.785
graphic: 0.770
ppc: 0.759
virtual: 0.740
vnc: 0.722
device: 0.718
performance: 0.712
register: 0.706
x86: 0.691
assembly: 0.682
permissions: 0.679
arm: 0.670
architecture: 0.659
semantic: 0.638
debug: 0.626
network: 0.615
boot: 0.607
socket: 0.595
files: 0.595
kernel: 0.586
PID: 0.582
Heap-use-after-free in put_dwords through ehci_flush_qh
Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,\
port=2,drive=usbcdrom \
-display none -nodefaults -qtest stdio -accel qtest
outl 0xcf8 0x8000ef02
outl 0xcfc 0xfbff0061
outl 0xcf8 0x8000ef11
outl 0xcfc 0x60606060
writeq 0x60606065 0xb70560ff84ffff7f
writeq 0x60606065 0xff0004fe050000ff
writeq 0x60606020 0xff015e5c057b0039
writeq 0x60606033 0x846c8a0200000611
write 0x2000004 0x4 0x4a606060
write 0x8 0x4 0x97a98095
write 0x0 0x4 0x4a606060
write 0x4 0x4 0x97a98095
write 0xc 0x4 0x4a606060
write 0x10 0x4 0x97a98095
write 0x14 0x4 0x4a606060
write 0x18 0x4 0x97a98095
write 0x1c 0x4 0x4a606060
clock_step
EOF
The trace:
797726@1598407357.169284:usb_port_claim bus 0, port 2
797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high
797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186943:usb_ehci_reset === RESET ===
797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0
797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0
797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
[R +0.073737] outl 0xcf8 0x8000ef02
OK
[S +0.073774] OK
[R +0.073801] outl 0xcfc 0xfbff0061
OK
[S +0.075074] OK
[R +0.075108] outl 0xcf8 0x8000ef11
OK
[S +0.075126] OK
[R +0.075135] outl 0xcfc 0x60606060
OK
[S +0.076290] OK
[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f
797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84
797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.194971:usb_ehci_port_suspend port #1
797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003)
OK
[S +0.076363] OK
[R +0.076377] writeq 0x60606065 0xff0004fe050000ff
797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05
797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0
797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183)
OK
[S +0.076439] OK
[R +0.076457] writeq 0x60606020 0xff015e5c057b0039
797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039
attempt to set frame list size -- value 8
797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0
797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000)
797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c
797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0
797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0
797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0
797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0
797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4)
OK
[S +0.076519] OK
[R +0.076534] writeq 0x60606033 0x846c8a0200000611
797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006
ehci: PERIODIC list base register set while periodic schedule
is enabled and HC is enabled
797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0)
OK
[S +0.076562] OK
[R +0.076574] write 0x2000004 0x4 0x4a606060
OK
[S +0.076855] OK
[R +0.076869] write 0x8 0x4 0x97a98095
OK
[S +0.077214] OK
[R +0.077225] write 0x0 0x4 0x4a606060
OK
[S +0.077233] OK
[R +0.077242] write 0x4 0x4 0x97a98095
OK
[S +0.077250] OK
[R +0.077258] write 0xc 0x4 0x4a606060
OK
[S +0.077266] OK
[R +0.077274] write 0x10 0x4 0x97a98095
OK
[S +0.077281] OK
[R +0.077289] write 0x14 0x4 0x4a606060
OK
[S +0.077295] OK
[R +0.077304] write 0x18 0x4 0x97a98095
OK
[S +0.077310] OK
[R +0.077325] write 0x1c 0x4 0x4a606060
OK
[S +0.077333] OK
[R +0.077340] clock_step
OK 27462700
[S +0.077415] OK 27462700
797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE
797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1
797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY
797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH
797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc
797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0
797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0
797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0
797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0
797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0
797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0
797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0
797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0
797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 0x0
797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000
797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005
797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000
797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000
797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0
797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0
797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset
797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE
797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD
797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997
797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1
797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0
797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc
797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE
797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0
797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0)
797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a
797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981
797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0)
797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997
797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0)
797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a
797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0)
797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900
797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040
797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000)
797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997
797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1
797726@1598407357.196437:usb_ehci_port_suspend port #1
797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005)
797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a
797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000)
797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup
797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe
797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0)
797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe
797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe
797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981)
797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe
797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997)
797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe
797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a)
797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe
797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0)
797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe
797726@1598407357.196573:usb_ehci_port_suspend port #0
797726@1598407357.196577:usb_ehci_port_resume port #0
797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040)
797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe
797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0
797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci
797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free
797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel
797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free
797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD
797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0
797726@1598407357.196655:usb_ehci_port_suspend port #1
797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185)
797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe
797726@1598407357.196674:usb_ehci_port_suspend port #2
797726@1598407357.196679:usb_ehci_port_resume port #2
797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040)
797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe
797726@1598407357.196699:usb_ehci_port_suspend port #3
797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000)
797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe
797726@1598407357.196716:usb_ehci_port_suspend port #4
797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000)
797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe
797726@1598407357.196729:usb_ehci_port_suspend port #5
797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000)
=================================================================
==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8
READ of size 4 at 0x6110000443e8 thread T0
#0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28
#1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#11 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
#12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
#13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
#14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
#15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
#16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
#17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478)
freed by thread T0 here:
#0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd)
#1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5
#2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9
#3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17
#4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9
#5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5
#6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5
#7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5
#8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13
#9 0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
#10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
#11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
#12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
#13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
#14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
#15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9
#16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5
#17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9
#18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5
#19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9
#20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13
#21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21
#22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#26 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
previously allocated by thread T0 here:
#0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2)
#1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210)
#2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13
#3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21
#4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9
#5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17
#6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5
#7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13
#8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5
#9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5
#10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc)
SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap
Shadow bytes around the buggy address:
0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==797726==ABORTING
-Alex
I can still reproduce this issue when compiling the current version of QEMU with Clang + asan. Marking as "Confirmed".
I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/541
Thanks for moving it over! ... let's close this one here on Launchpad now.
|