blob: 8cce9e0f05afe9cfe90cdd52c29f9f1c68d93c73 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
id = 2268
title = "Out of bounds access in smc91c111_readb()"
state = "closed"
created_at = "2024-04-06T01:19:43.809Z"
closed_at = "2024-04-10T17:55:02.119Z"
labels = ["Fuzzer", "Networking", "Stable::to backport", "workflow::Patch available"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/2268"
host-os = "Ubuntu 20.04"
host-arch = "x86_64"
qemu-version = "commit fea445e8fe9acea4f"
guest-os = "Ubuntu 20.04"
guest-arch = "arm"
description = """I detected an out-of-bounds access in smc91c111_readb with my fuzzer.
Stack trace (part):\\
`hw/net/smc91c111.c:607:24: runtime error: index 175 out of bounds for`\\
`type 'uint8_t[4][2048]' (aka 'unsigned char[4][2048]')`\\
`SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior`\\
`hw/net/smc91c111.c:607:24 in`\\
`AddressSanitizer:DEADLYSIGNAL`\\
`==============================`<wbr>`==============================`<wbr>`=====`\\
`==397944==ERROR: AddressSanitizer: SEGV on unknown address`\\
`0x629000077db4 (pc 0x56272aed3b8d bp 0x7ffd1471f290 sp 0x7ffd1471ea20`\\
`T0)`\\
`==397944==The signal is caused by a READ memory access.`\\
`#0 0x56272aed3b8d in smc91c111_readb hw/net/smc91c111.c:607:24`\\
`#1 0x56272aecfd61 in smc91c111_readfn hw/net/smc91c111.c:650:16`\\
`#2 0x56272d4b228b in memory_region_read_accessor system/memory.c:445:11`\\
`#3 0x56272d46fb85 in access_with_adjusted_size system/memory.c:573:18`\\
`#4 0x56272d46c58e in memory_region_dispatch_read1 system/memory.c:1426:16`\\
`#5 0x56272d46bcd7 in memory_region_dispatch_read system/memory.c:1459:9`\\
`#6 0x56272d4e8e03 in flatview_read_continue_step system/physmem.c:2794:18`\\
`#7 0x56272d4e871e in flatview_read_continue system/physmem.c:2835:19`\\
`#8 0x56272d4e98b8 in flatview_read system/physmem.c:2865:12`\\
`#9 0x56272d4e9388 in address_space_read_full system/physmem.c:2878:18`\\
`#10 0x56272d6e7840 in address_space_read include/exec/memory.h:3026:18`\\
`...`\\
Bug analysis: I found s-\\>packet_num = 175 at line 599."""
reproduce = """Reproducer:\\
export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine\\
mainstone"\\
cat \\<\\< EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio\\
outl 0xcf8 0x80000010\\
outl 0xcfc 0x10000300\\
outl 0xcf8 0x80000004\\
outl 0xcfc 0x07\\
writel 0x1000030c 0x66027cd6\\
writel 0x10000300 0x64af8eda\\
readw 0x10000308\\
EOF"""
additional = """Ack: Chuhong Yuan (hslester96@gmail.com)"""
|