path: root/gitlab/issues_text/target_missing/host_missing/accel_missing/2299
UFS Device sanitizers error
Description of problem:
Sanitizer error reported by Zheyu Ma <zheyuma97@gmail.com>

The following log can reveal it:

```
==3619819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000011200 at pc 0x7f9f9903a2c3 bp 0x7ffd44e1ee60 sp 0x7ffd44e1e608
WRITE of size 20512 at 0x62a000011200 thread T0
    #0 0x7f9f9903a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x5f23331ea4fc in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x5f23331ea4fc in flatview_read_continue_step ../system/physmem.c:2818
    #3 0x5f23331eab72 in flatview_read_continue ../system/physmem.c:2835
    #4 0x5f23331eadc4 in flatview_read ../system/physmem.c:2865
    #5 0x5f23331ec2a5 in address_space_read_full ../system/physmem.c:2878
    #6 0x5f23331ec2a5 in address_space_rw ../system/physmem.c:2906
    #7 0x5f23326b7ad0 in ufs_dma_read_req_upiu ../hw/ufs/ufs.c:129
    #8 0x5f23326b7ad0 in ufs_dma_read_upiu ../hw/ufs/ufs.c:185
    #9 0x5f23326b7ad0 in ufs_exec_req ../hw/ufs/ufs.c:1021
    #10 0x5f23326b7ad0 in ufs_process_req ../hw/ufs/ufs.c:1066
    #11 0x5f2333a9160d in aio_bh_call ../util/async.c:171
    #12 0x5f2333a91f45 in aio_bh_poll ../util/async.c:218
    #13 0x5f2333a217a9 in aio_dispatch ../util/aio-posix.c:423
    #14 0x5f2333a90d01 in aio_ctx_dispatch ../util/async.c:360
    #15 0x7f9f985c4d3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a)
    #16 0x5f2333a9690f in glib_pollfds_poll ../util/main-loop.c:287
    #17 0x5f2333a9690f in os_host_main_loop_wait ../util/main-loop.c:310
    #18 0x5f2333a9690f in main_loop_wait ../util/main-loop.c:589
    #19 0x5f23329370e0 in qemu_main_loop ../system/runstate.c:783
    #20 0x5f23333b4d7a in qemu_default_main ../system/main.c:37
    #21 0x7f9f97629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #22 0x7f9f97629e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #23 0x5f2331c8df64 in _start (/home/joey/repo/qemu/build/qemu-system-x86_64+0x2ea8f64)

0x62a000011200 is located 0 bytes to the right of 20480-byte region [0x62a00000c200,0x62a000011200)
allocated by thread T0 here:
    #0 0x7f9f990b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f9f985cdc50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
    #2 0xf0e808deae299ff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c547fffa1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffa210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffa220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c547fffa230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c547fffa240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffa250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffa260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffa270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffa280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c547fffa290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3619819==ABORTING
```

And here is a simple PoC:

```
cat << EOF | qemu-system-x86_64 \
    -display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
    file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
    ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000058 0x1 0xa7
write 0xa 0x1 0x50
EOF
```