blob: 409e61fd58b2638fad3e57dec84356ce89bf0c3e (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
Out-of-bounds access and heap-use-after-free in smc91c111_writeb()
Description of problem:
An out-of-bounds access bug was triggered by my fuzzer.
The error is:
```
../hw/net/smc91c111.c:457:17: runtime error: index 48 out of bounds for type 'uint8_t[4][2048]' (aka 'unsigned char[4][2048]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/net/smc91c111.c:457:17 in
=================================================================
==60006==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000385b4 at pc 0x5de3d1ac6add bp 0x7ffc4d4b2b30 sp 0x7ffc4d4b2b28
WRITE of size 1 at 0x6290000385b4 thread T0
warning: DWARF unit at offset 0x00417a37 has unsupported address size: 31 (supported are 2, 4, 8)
#0 0x5de3d1ac6adc in smc91c111_writeb smc91c111.c
#1 0x5de3d1abf6e3 in smc91c111_writefn smc91c111.c
#2 0x5de3d2d9e2d3 in memory_region_write_accessor memory.c
#3 0x5de3d2d9da4a in access_with_adjusted_size memory.c
#4 0x5de3d2d9ce78 in memory_region_dispatch_write
#5 0x5de3d2df5e44 in flatview_write_continue_step physmem.c
#6 0x5de3d2de2d40 in flatview_write physmem.c
#7 0x5de3d2de29d7 in address_space_write
...
0x6290000385b4 is located 5044 bytes inside of 16176-byte region [0x629000037200,0x62900003b130)
freed by thread T0 here:
#0 0x5de3d1100027 in __interceptor_free.part.0 asan_malloc_linux.cpp
#1 0x5de3d2f35106 in object_unref
#2 0x5de3d24ac45c in qemu_get_nic_models
#3 0x5de3d24acead in qemu_create_nic_bus_devices
#4 0x5de3d2722553 in realview_init realview.c
#5 0x5de3d1468182 in machine_run_board_init
#6 0x5de3d237e40a in qmp_x_exit_preconfig
#7 0x5de3d238505c in qemu_init
...
previously allocated by thread T0 here:
#0 0x5de3d1101217 in malloc
#1 0x7ea39d40a738 in g_malloc
#2 0x5de3d24acead in qemu_create_nic_bus_devices
#3 0x5de3d2722553 in realview_init realview.c
#4 0x5de3d1468182 in machine_run_board_init
#5 0x5de3d237e40a in qmp_x_exit_preconfig
#6 0x5de3d238505c in qemu_init
...
```
Steps to reproduce:
```
export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine realview-eb"
cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
clock_step
readw 0x4e000000
readw 0x4e000000
clock_step
writel 0x4e00000c 0x2402e660
readb 0x4e000008
readl 0x4e000000
clock_step
readb 0x4e000000
writel 0x4e000000 0x66308c81
writew 0x4e000008 0xe40ba4c
readb 0x4e000000
readw 0x4e000000
readl 0x4e000008
EOF
```
Additional information:
|