summary refs log tree commit diff stats
path: root/results/classifier/108/other/2852
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/108/other/2852')
-rw-r--r--results/classifier/108/other/285295
1 files changed, 95 insertions, 0 deletions
diff --git a/results/classifier/108/other/2852 b/results/classifier/108/other/2852
new file mode 100644
index 000000000..adc7a5b78
--- /dev/null
+++ b/results/classifier/108/other/2852
@@ -0,0 +1,95 @@
+other: 0.882
+graphic: 0.753
+performance: 0.739
+device: 0.710
+permissions: 0.687
+socket: 0.672
+semantic: 0.668
+vnc: 0.664
+debug: 0.654
+network: 0.642
+KVM: 0.617
+files: 0.610
+PID: 0.597
+boot: 0.567
+
+heap-use-after-free in timer_pending()
+Description of problem:
+In the QED block driver, the need_check_timer timer is freed in
+bdrv_qed_detach_aio_context, but the pointer to the timer is not
+set to NULL. This can lead to a use-after-free scenario
+in bdrv_qed_drain_begin().
+Steps to reproduce:
+1. [test.qed](/uploads/c8820345bfcd562308da99d9f83df3cf/test.qed)
+2. ./qemu-img snapshot -q -a test test.qed
+Additional information:
+<details>
+<pre>
+./qemu-img snapshot -q -a test test.qed
+==21083==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+=================================================================
+==21083==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400004ca50 at pc 0x56050d1462b6 bp 0x7fff14d0d870 sp 0x7fff14d0d868
+READ of size 8 at 0x60400004ca50 thread T0
+    #0 0x56050d1462b5 in timer_pending /home/gerben/qemu-img_fuzz/build/../util/qemu-timer.c:483:16
+    #1 0x56050cddf82e in bdrv_qed_drain_begin /home/gerben/qemu-img_fuzz/build/../block/qed.c:378:32
+    #2 0x56050cb9bb65 in bdrv_do_drained_begin /home/gerben/qemu-img_fuzz/build/../block/io.c:364:13
+    #3 0x56050cb9ca03 in bdrv_drain_all_begin_nopoll /home/gerben/qemu-img_fuzz/build/../block/io.c:506:9
+    #4 0x56050cb96318 in bdrv_graph_wrlock /home/gerben/qemu-img_fuzz/build/../block/graph-lock.c:116:5
+    #5 0x56050cd0cbc4 in bdrv_snapshot_goto /home/gerben/qemu-img_fuzz/build/../block/snapshot.c:294:9
+    #6 0x56050cf95dd2 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3500:15
+    #7 0x7f4adeddbefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
+    #8 0x56050c96a9f9 in _start /usr/src/RPM/BUILD/glibc-2.32-alt5.p10.3/csu/../sysdeps/x86_64/start.S:120
+
+0x60400004ca50 is located 0 bytes inside of 48-byte region [0x60400004ca50,0x60400004ca80)
+freed by thread T0 here:
+    #0 0x56050ca0daef in free /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
+    #1 0x56050cde6b86 in bdrv_qed_do_close /home/gerben/qemu-img_fuzz/build/../block/qed.c:619:5
+    #2 0x56050cddbe85 in bdrv_qed_close /home/gerben/qemu-img_fuzz/build/../block/qed.c:639:5
+    #3 0x56050cd0cbb2 in bdrv_snapshot_goto /home/gerben/qemu-img_fuzz/build/../block/snapshot.c:290:13
+    #4 0x56050cf95dd2 in img_snapshot /home/gerben/qemu-img_fuzz/build/../qemu-img.c:3500:15
+    #5 0x7f4adeddbefc in __libc_start_main (/lib64/libc.so.6+0x27efc)
+
+previously allocated by thread T0 here:
+    #0 0x56050ca0dfa7 in calloc /usr/src/RPM/BUILD/llvm-11.0.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
+    #1 0x7f4adf359670 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5c670)
+    #2 0x56050cde4bd0 in bdrv_qed_do_open /home/gerben/qemu-img_fuzz/build/../block/qed.c:543:5
+    #3 0x56050cde21a2 in bdrv_qed_open_entry /home/gerben/qemu-img_fuzz/build/../block/qed.c:569:16
+    #4 0x56050d137706 in coroutine_trampoline /home/gerben/qemu-img_fuzz/build/../util/coroutine-ucontext.c:175:9
+    #5 0x7f4adee066cf  (/lib64/libc.so.6+0x526cf)
+
+SUMMARY: AddressSanitizer: heap-use-after-free /home/gerben/qemu-img_fuzz/build/../util/qemu-timer.c:483:16 in timer_pending
+Shadow bytes around the buggy address:
+  0x0c08800018f0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+  0x0c0880001900: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+  0x0c0880001910: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
+  0x0c0880001920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
+  0x0c0880001930: fa fa 00 00 00 00 01 fa fa fa 00 00 00 00 00 fa
+=>0x0c0880001940: fa fa 00 00 00 00 00 fa fa fa[fd]fd fd fd fd fd
+  0x0c0880001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c0880001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c0880001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c0880001980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c0880001990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==21083==ABORTING
+</pre>
+</details>