diff options
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2753.toml')
| -rw-r--r-- | gitlab/issues/target_missing/host_missing/accel_missing/2753.toml | 132 |
1 files changed, 0 insertions, 132 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2753.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2753.toml deleted file mode 100644 index ee9b20041..000000000 --- a/gitlab/issues/target_missing/host_missing/accel_missing/2753.toml +++ /dev/null @@ -1,132 +0,0 @@ -id = 2753 -title = "Uninitialized read in vhost_user_backend_init." -state = "opened" -created_at = "2024-12-28T05:07:38.250Z" -closed_at = "n/a" -labels = ["Cryptography"] -url = "https://gitlab.com/qemu-project/qemu/-/issues/2753" -host-os = "ubuntu 20.04" -host-arch = "x86_64" -qemu-version = "9.1.93 (v9.2.0-rc3), 1cf9bc6eba7506ab6d9de635f224259225f63466" -guest-os = "qtest" -guest-arch = "x86" -description = """In backends/cryptodev-vhost.c::cryptodev_vhost_init, crypto->dev.config_ops is not initialized (See code below). I think here `g_new0` should be used instead of `g_new`. -``` -struct CryptoDevBackendVhost * -cryptodev_vhost_init( - CryptoDevBackendVhostOptions *options) -{ - ... - crypto = g_new(CryptoDevBackendVhost, 1); - crypto->dev.max_queues = 1; - crypto->dev.nvqs = 1; - crypto->dev.vqs = crypto->vqs; - - crypto->cc = options->cc; - - crypto->dev.protocol_features = 0; - crypto->backend = -1; - ... -} -``` -In vhost_user_backend_init, crypto->dev.config_ops will be dereferenced. Since it is uninitialized with 0, it is possible that a random value pointer will be dereferenced. -``` -static int vhost_user_backend_init(struct vhost_dev *dev, void *opaque, - Error **errp) -{ - ... - if (virtio_has_feature(features, VHOST_USER_F_PROTOCOL_FEATURES)) { - bool supports_f_config = vus->supports_config || - (dev->config_ops && dev->config_ops->vhost_dev_config_notifier); - uint64_t protocol_features; - ... -``` - - -As a result, ASAN will capture this uninitialized, since it assigns 0xbe to every bytes of allocated but uninitilized memory.""" -reproduce = """1.Build dpdk vhost-user crypto backend. Following instructions here: [DPDK installation](https://doc.dpdk.org/guides/prog_guide/build-sdk-meson.html) -``` -wget https://fast.dpdk.org/rel/dpdk-24.11.tar.xz -meson setup -Dexamples=all build -cd build -ninja -meson install -cd examples -sudo ./dpdk-vhost_crypto --vdev 'crypto_aesni_mb0' -- --config \\(7,0,0\\) --socket-file=7,/tmp/my-crypto.sock -``` -After setting up the backend, should see something like: -``` -EAL: Detected CPU lcores: 48 -EAL: Detected NUMA nodes: 2 -EAL: Detected static linkage of DPDK -EAL: Multi-process socket /var/run/dpdk/rte/mp_socket -EAL: Selected IOVA mode 'PA' -EAL: VFIO support initialized -CRYPTODEV: Creating cryptodev crypto_aesni_mb0 -CRYPTODEV: Initialisation parameters - name: crypto_aesni_mb0,socket id: 0, max queue pairs: 8 -IPSEC_MB: ipsec_mb_create() line 168: IPSec Multi-buffer library version used: 2.0.0 -USER1: Processing on Core 7 started -VHOST_CONFIG: (/tmp/my-crypto.sock) logging feature is disabled in async copy mode -VHOST_CONFIG: (/tmp/my-crypto.sock) vhost-user server: socket created, fd: 213 -VHOST_CONFIG: (/tmp/my-crypto.sock) binding succeeded -``` - -2.Build qemu with ASAN (i.e., --enable-asan) and vhost support (i.e., --enable-vhost-user --enable-vhost-crypto) - -3.Ensure that /dev/hugemaps and /tmp/my-crypto.sock can be accessed. You may need to change their permissions by chmod, or run qemu-system as root. - -4.Run the command below to reproduce problem. -``` -cat << EOF | \\ -./qemu-system-x86_64 --enable-kvm -m 512M \\ --object \\ -memory-backend-file,id=mem,size=512M,mem-path=/dev/hugepages,share=on \\ --numa node,memdev=mem -smp cpus=4 -machine q35 -chardev \\ -socket,id=chardev0,path=/tmp/my-crypto.sock -object \\ -cryptodev-vhost-user,id=cryptodev0,chardev=chardev0 -device \\ -virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 -display none -qtest \\ -stdio -EOF -```""" -additional = """Here is the information reported by ASAN: -``` -==2270320==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases! -[I 0.000000] OPENED -../hw/virtio/vhost-user.c:2183:50: runtime error: member access within misaligned address 0xbebebebebebebebe for type 'const VhostDevConfigOps' (aka 'const struct VhostDevConfigOps'), which requires 8 byte alignment -0xbebebebebebebebe: note: pointer points here -<memory cannot be printed> -SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/virtio/vhost-user.c:2183:50 in -../hw/virtio/vhost-user.c:2183:50: runtime error: load of misaligned address 0xbebebebebebebebe for type 'int (*const)(struct vhost_dev *)', which requires 8 byte alignment -0xbebebebebebebebe: note: pointer points here -<memory cannot be printed> -SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/virtio/vhost-user.c:2183:50 in -AddressSanitizer:DEADLYSIGNAL -================================================================= -==2270320==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x5619d01bd606 bp 0x7fffc6d3add0 sp 0x7fffc6d3a4e0 T0) -==2270320==The signal is caused by a READ memory access. -==2270320==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used. - #0 0x5619d01bd606 in vhost_user_backend_init /mnt/Hypervisor/qemu/build/master/fuzz/../hw/virtio/vhost-user.c:2183:50 - #1 0x5619ced13a08 in vhost_dev_init /mnt/Hypervisor/qemu/build/master/fuzz/../hw/virtio/vhost.c:1523:9 - #2 0x5619cef8cc30 in cryptodev_vhost_init /mnt/Hypervisor/qemu/build/master/fuzz/../backends/cryptodev-vhost.c:69:9 - #3 0x5619cef9aca6 in cryptodev_vhost_user_start /mnt/Hypervisor/qemu/build/master/fuzz/../backends/cryptodev-vhost-user.c:108:30 - #4 0x5619cef9a599 in cryptodev_vhost_user_event /mnt/Hypervisor/qemu/build/master/fuzz/../backends/cryptodev-vhost-user.c:164:13 - #5 0x5619d0e22ed1 in chr_be_event /mnt/Hypervisor/qemu/build/master/fuzz/../chardev/char.c:62:5 - #6 0x5619d0e18465 in qemu_chr_be_event /mnt/Hypervisor/qemu/build/master/fuzz/../chardev/char.c:82:5 - #7 0x5619d0de5d42 in qemu_chr_fe_set_handlers_full /mnt/Hypervisor/qemu/build/master/fuzz/../chardev/char-fe.c:283:13 - #8 0x5619d0de5674 in qemu_chr_fe_set_handlers /mnt/Hypervisor/qemu/build/master/fuzz/../chardev/char-fe.c:297:5 - #9 0x5619cef98960 in cryptodev_vhost_user_init /mnt/Hypervisor/qemu/build/master/fuzz/../backends/cryptodev-vhost-user.c:220:5 - #10 0x5619cef71e98 in cryptodev_backend_complete /mnt/Hypervisor/qemu/build/master/fuzz/../backends/cryptodev.c:420:9 - #11 0x5619d067dc40 in user_creatable_complete /mnt/Hypervisor/qemu/build/master/fuzz/../qom/object_interfaces.c:28:9 - #12 0x5619d067e6a8 in user_creatable_add_type /mnt/Hypervisor/qemu/build/master/fuzz/../qom/object_interfaces.c:125:10 - #13 0x5619d067ec74 in user_creatable_add_qapi /mnt/Hypervisor/qemu/build/master/fuzz/../qom/object_interfaces.c:157:11 - #14 0x5619cef5582b in object_option_foreach_add /mnt/Hypervisor/qemu/build/master/fuzz/../system/vl.c:1809:13 - #15 0x5619cef5253c in qemu_create_late_backends /mnt/Hypervisor/qemu/build/master/fuzz/../system/vl.c:2029:5 - #16 0x5619cef46efe in qemu_init /mnt/Hypervisor/qemu/build/master/fuzz/../system/vl.c:3726:5 - #17 0x5619d0e46f11 in main /mnt/Hypervisor/qemu/build/master/fuzz/../system/main.c:47:5 - #18 0x7efeef09a082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16 - #19 0x5619cd0be89d in _start (/mnt/Hypervisor/qemu/build/master/fuzz/qemu-system-x86_64+0x2c8b89d) - -AddressSanitizer can not provide additional info. -SUMMARY: AddressSanitizer: SEGV /mnt/Hypervisor/qemu/build/master/fuzz/../hw/virtio/vhost-user.c:2183:50 in vhost_user_backend_init -==2270320==ABORTING -```""" |