| author | Christian Krinitsin <mail@krinitsin.com> | 2025-06-01 21:35:14 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-06-01 21:35:14 +0200 |
| commit | 3e4c5a6261770bced301b5e74233e7866166ea5b (patch) | |
| tree | 9379fddaba693ef8a045da06efee8529baa5f6f4 /gitlab/issues_text/target_missing/host_missing/accel_missing/2299 | |
| parent | e5634e2806195bee44407853c4bf8776f7abfa4f (diff) | |
| download | qemu-analysis-3e4c5a6261770bced301b5e74233e7866166ea5b.tar.gz qemu-analysis-3e4c5a6261770bced301b5e74233e7866166ea5b.zip | |
clean up repository
Diffstat (limited to 'gitlab/issues_text/target_missing/host_missing/accel_missing/2299')
| -rw-r--r-- | gitlab/issues_text/target_missing/host_missing/accel_missing/2299 | 203 |
1 files changed, 0 insertions, 203 deletions
diff --git a/gitlab/issues_text/target_missing/host_missing/accel_missing/2299 b/gitlab/issues_text/target_missing/host_missing/accel_missing/2299 deleted file mode 100644 index ae432c688..000000000 --- a/gitlab/issues_text/target_missing/host_missing/accel_missing/2299 +++ /dev/null 
@@ -1,203 +0,0 @@ -UFS Device sanitizers error -Description of problem: -Sanitizers error reported by Zheyu Ma zheyuma97@gmail.com - -The following log can reveal it: - -==3619819==ERROR: AddressSanitizer: heap-buffer-overflow on address - -0x62a000011200 at pc 0x7f9f9903a2c3 bp 0x7ffd44e1ee60 sp 0x7ffd44e1e608 - -WRITE of size 20512 at 0x62a000011200 thread T0 - -``` -#0 0x7f9f9903a2c2 in __interceptor_memcpy -``` - -../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 - -``` -#1 0x5f23331ea4fc in memcpy -``` - -/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 - -``` -#2 0x5f23331ea4fc in flatview_read_continue_step -``` - -../system/physmem.c:2818 - -``` -#3 0x5f23331eab72 in flatview_read_continue ../system/physmem.c:2835 - -#4 0x5f23331eadc4 in flatview_read ../system/physmem.c:2865 - -#5 0x5f23331ec2a5 in address_space_read_full ../system/physmem.c:2878 - -#6 0x5f23331ec2a5 in address_space_rw ../system/physmem.c:2906 - -#7 0x5f23326b7ad0 in ufs_dma_read_req_upiu ../hw/ufs/ufs.c:129 - -#8 0x5f23326b7ad0 in ufs_dma_read_upiu ../hw/ufs/ufs.c:185 - -#9 0x5f23326b7ad0 in ufs_exec_req ../hw/ufs/ufs.c:1021 - -#10 0x5f23326b7ad0 in ufs_process_req ../hw/ufs/ufs.c:1066 - -#11 0x5f2333a9160d in aio_bh_call ../util/async.c:171 - -#12 0x5f2333a91f45 in aio_bh_poll ../util/async.c:218 - -#13 0x5f2333a217a9 in aio_dispatch ../util/aio-posix.c:423 - -#14 0x5f2333a90d01 in aio_ctx_dispatch ../util/async.c:360 - -#15 0x7f9f985c4d3a in g_main_context_dispatch -``` - -(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) - -``` -#16 0x5f2333a9690f in glib_pollfds_poll ../util/main-loop.c:287 - -#17 0x5f2333a9690f in os_host_main_loop_wait ../util/main-loop.c:310 - -#18 0x5f2333a9690f in main_loop_wait ../util/main-loop.c:589 - -#19 0x5f23329370e0 in qemu_main_loop ../system/runstate.c:783 - -#20 0x5f23333b4d7a in qemu_default_main ../system/main.c:37 - -#21 0x7f9f97629d8f in __libc_start_call_main -``` - 
-../sysdeps/nptl/libc_start_call_main.h:58 - -``` -#22 0x7f9f97629e3f in __libc_start_main_impl ../csu/libc-start.c:392 - -#23 0x5f2331c8df64 in _start -``` - -(/home/joey/repo/qemu/build/qemu-system-x86_64+0x2ea8f64) - -0x62a000011200 is located 0 bytes to the right of 20480-byte region - -\[0x62a00000c200,0x62a000011200) - -allocated by thread T0 here: - -``` -#0 0x7f9f990b4a57 in __interceptor_calloc -``` - -../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 - -``` -#1 0x7f9f985cdc50 in g_malloc0 -``` - -(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50) - -``` -#2 0xf0e808deae299ff (<unknown module>) -``` - -SUMMARY: AddressSanitizer: heap-buffer-overflow - -../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 - -in \__interceptor_memcpy - -Shadow bytes around the buggy address: - -0x0c547fffa1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -0x0c547fffa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -0x0c547fffa210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -0x0c547fffa220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -0x0c547fffa230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -=\>0x0c547fffa240:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - -0x0c547fffa250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - -0x0c547fffa260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - -0x0c547fffa270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - -0x0c547fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - -0x0c547fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - -Shadow byte legend (one shadow byte represents 8 application bytes): - -Addressable: 00 - -Partially addressable: 01 02 03 04 05 06 07 - -Heap left redzone: fa - -Freed heap region: fd - -Stack left redzone: f1 - -Stack mid redzone: f2 - -Stack right redzone: f3 - -Stack after return: f5 - -Stack use after scope: f8 - -Global redzone: f9 - -Global init order: f6 - -Poisoned by user: f7 - -Container overflow: fc - 
-Array cookie: ac - -Intra object redzone: bb - -ASan internal: fe - -Left alloca redzone: ca - -Right alloca redzone: cb - -Shadow gap: cc - -==3619819==ABORTING - -And Here is a simple PoC: - -cat \<\< EOF \\ - -qemu-system-x86_64 \\ - -\-display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \\ - -file=[null-co://,if=none,id=disk0](null-co://,if=none,id=disk0) -device ufs,id=ufs_bus -device \\ - -ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio - -outl 0xcf8 0x80000810 - -outl 0xcfc 0xe0000000 - -outl 0xcf8 0x80000804 - -outw 0xcfc 0x06 - -write 0xe0000058 0x1 0xa7 - -write 0xa 0x1 0x50 - -EOF |
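Review bot: the commit message ("clean up repository") does not say why this issue text is dropped or where it now lives, so the hunk reads as a silent loss of a reproducer. The removed file is the full text of QEMU GitLab issue 2299: an ASan heap-buffer-overflow report (WRITE of size 20512 into a 20480-byte region) with a stack through `ufs_dma_read_req_upiu` at `../hw/ufs/ufs.c:129`, plus a qtest PoC. It is filed under `target_missing/host_missing/accel_missing`, yet the PoC itself runs `qemu-system-x86_64` with `-machine accel=qtest`, so the target and accelerator are recoverable from the body; if the cleanup is meant to drop unclassifiable issues, this one looks like a candidate for re-filing rather than deletion, and if the text was moved elsewhere the commit message should name the new location. Note also that the deleted copy is already rendering-damaged: the drive argument appears as `file=[null-co://,if=none,id=disk0](null-co://,if=none,id=disk0)` and the heredoc operator as `cat \<\< EOF \\`, so whoever re-adds the issue should restore the raw PoC from the GitLab source rather than this version.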