blob: badee2b9b56d4da44d150f2b8e3dca22c67ff41e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
Null-pointer-dereference in ufs
Description of problem:
The following log reveals it:
```
../hw/ufs/ufs.c:740:13: runtime error: member access within null pointer of type 'UfsSq' (aka 'struct UfsSq')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ufs/ufs.c:740:13 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==848760==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x6220e29edfce bp 0x7fffea0c6cf0 sp 0x7fffea0c6c40 T0)
==848760==The signal is caused by a READ memory access.
==848760==Hint: address points to the zero page.
#0 0x6220e29edfce in ufs_mcq_process_db hw/ufs/ufs.c:740:9
#1 0x6220e29dc10f in ufs_write_mcq_op_reg hw/ufs/ufs.c:758:13
#2 0x6220e29d85c6 in ufs_mmio_write hw/ufs/ufs.c:813:9
```
Steps to reproduce:
```
cat << EOF | qemu-system-x86_64 \
-display none -machine accel=qtest, -m 512M -M q35 -nodefaults -drive \
file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x02
write 0xe0001004 0x1 0x01
EOF
```
|