path: root/results/classifier/118/hypervisor/1911075
blob: f6713ab3f203caa07940a35025a60b20784bfce0
hypervisor: 0.882
virtual: 0.874
peripherals: 0.870
debug: 0.867
performance: 0.863
permissions: 0.862
risc-v: 0.857
user-level: 0.855
device: 0.854
graphic: 0.851
register: 0.842
TCG: 0.813
vnc: 0.793
semantic: 0.791
architecture: 0.790
VMM: 0.788
arm: 0.779
mistranslation: 0.777
ppc: 0.775
x86: 0.775
i386: 0.764
KVM: 0.760
boot: 0.749
files: 0.745
assembly: 0.733
kernel: 0.729
PID: 0.726
socket: 0.689
network: 0.670

[OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines

=== Reproducer ===
while true; do cat << EOF; done | ./qemu-system-i386 -machine q35 -nodefaults -nographic -qtest stdio -accel qtest
outl 0xcf8 0x8000fa27
outl 0xcfc 0x37414537
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writew 0x37000f01 0x215a
writeq 0x37000100 0xfffaf
writeq 0x37000115 0xffff373d27004037
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writeq 0x370000ff 0x3700011500
writeq 0x37000115 0xc41ffffff035a5a
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000ea00
outw 0xcfc 0x5a1f
writeq 0x37000115 0x100007765746972
writeq 0x37000115 0xbf00000000000000
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000fa46
outb 0xcfc 0xff
clock_step
writeq 0x37000115 0xaf
writeq 0x37000115 0x6301275541af7415
writeq 0x37000115 0xafaf5a5a743715
outb 0x64 0xfe
EOF

=== Stack Trace ===
==887446==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffe567cae0c (pc 0x7fdd9100819e bp 0x7ffe567cb2b0 sp 0x7ffe567cad40 T887446)

#0 vfprintf
#1 fprintf
#2 ahci_mem_write /src/qemu/hw/ide/ahci.c:468:9
#3 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#4 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#5 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#6 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#7 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#8 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#9 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
#10 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
#11 map_page /src/qemu/hw/ide/ahci.c:249:9
#12 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
#13 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
#14 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
#15 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
#16 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#17 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#18 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#19 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#20 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#21 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#22 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
#23 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
#24 map_page /src/qemu/hw/ide/ahci.c:249:9
#25 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
#26 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
#27 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
#28 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
... Repeat until we run out of stack

Having a quick look, the problem might be in ahci_cond_start_engines(),
which calls ahci_map_clb_address(); then ahci_map_fis_address() fails
and we return without calling ahci_unmap_clb_address().

And ahci_port_write(AHCI_PORT_REG_CMD) doesn't check the
ahci_cond_start_engines() return value, calling
ahci_init_d2h() even if the former failed.
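The loop the comment describes, as an added C model that is not QEMU's code: the leaked CLB mapping is unmapped again on the next engine start, the unmap's write-back lands in the device's own MMIO range and re-enters the write handler. The BAR address, PORT_CMD offset, struct and function names are constructed; the hardened variant combines the unmap-on-failure the comment suggests with a re-entrancy guard on the MMIO handler, which is an assumed generic mitigation, not the fix adopted upstream.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of the re-entrancy in the trace above (not QEMU code):
 * unmapping the CLB DMA buffer writes it back through the address space, and
 * a CLB aimed at the device's own MMIO range re-enters the write handler. */
#define BAR_BASE  0x37000000ULL
#define BAR_SIZE  0x1000ULL
#define PORT_CMD  0x118ULL   /* constructed offset whose write restarts engines */
#define MAX_DEPTH 64         /* stand-in for running out of stack */
struct port {
    uint64_t clb;      /* guest-chosen command-list base address */
    bool clb_mapped;   /* models the non-NULL pointer map_page() checks */
    bool fis_valid;    /* constructed: would the FIS mapping succeed? */
    bool guard;        /* re-entrancy guard, hardened variant only */
    int depth, peak;   /* current and deepest mmio_write nesting */
};
static void mmio_write(struct port *p, uint64_t addr, bool hardened);
static void dma_unmap(struct port *p, uint64_t addr, bool hardened) {
    if (addr >= BAR_BASE && addr < BAR_BASE + BAR_SIZE)
        mmio_write(p, addr, hardened);          /* write-back hits MMIO */
}
static void map_clb(struct port *p, bool hardened) {
    if (p->clb_mapped)                          /* map_page(): unmap stale */
        dma_unmap(p, p->clb, hardened);
    p->clb_mapped = true;
}
static int cond_start_engines(struct port *p, bool hardened) {
    map_clb(p, hardened);
    if (!p->fis_valid) {        /* buggy path returns, leaking the CLB mapping */
        if (hardened) { p->clb_mapped = false; dma_unmap(p, p->clb, hardened); }
        return -1;
    }
    return 0;
}
static void mmio_write(struct port *p, uint64_t addr, bool hardened) {
    if (p->depth >= MAX_DEPTH) return;          /* real stack would overflow */
    if (hardened && p->guard) return;           /* refuse nested MMIO access */
    p->guard = true;
    if (++p->depth > p->peak) p->peak = p->depth;
    if (addr == BAR_BASE + PORT_CMD)
        (void)cond_start_engines(p, hardened);  /* return value unchecked */
    p->depth--;
    p->guard = false;
}
/* Guest writes PORT_CMD twice with CLB aimed at the BAR; returns peak nesting. */
int probe(bool hardened) {
    struct port p = { .clb = BAR_BASE + PORT_CMD, .fis_valid = false };
    mmio_write(&p, BAR_BASE + PORT_CMD, hardened);
    mmio_write(&p, BAR_BASE + PORT_CMD, hardened);
    return p.peak;
}
```

probe(false) nests until the depth cap (the real handler recurses until the stack is exhausted), while probe(true) never nests past the first handler entry.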


This is an automated cleanup. This bug report has been moved
to QEMU's new bug tracker on gitlab.com and thus gets marked
as 'expired' now. Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/62