blob: 97d3cd35cd52b740c47a49ab36159f205bf11a47 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
user-level: 0.906
peripherals: 0.902
hypervisor: 0.884
register: 0.876
KVM: 0.860
mistranslation: 0.849
performance: 0.835
device: 0.833
architecture: 0.821
TCG: 0.818
permissions: 0.818
i386: 0.816
risc-v: 0.810
arm: 0.804
graphic: 0.790
assembly: 0.790
virtual: 0.778
x86: 0.777
ppc: 0.761
vnc: 0.757
kernel: 0.756
boot: 0.747
VMM: 0.744
debug: 0.743
socket: 0.739
semantic: 0.731
files: 0.730
PID: 0.722
network: 0.704
--------------------
i386: 0.999
x86: 0.990
debug: 0.204
virtual: 0.183
user-level: 0.165
files: 0.107
kernel: 0.065
hypervisor: 0.057
device: 0.046
TCG: 0.034
PID: 0.026
assembly: 0.023
semantic: 0.017
performance: 0.015
boot: 0.012
register: 0.012
architecture: 0.010
graphic: 0.006
permissions: 0.004
VMM: 0.004
KVM: 0.004
socket: 0.004
peripherals: 0.002
risc-v: 0.002
network: 0.002
mistranslation: 0.001
ppc: 0.001
vnc: 0.001
arm: 0.000
[OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
affects qemu
=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \
-device intel-hda,id=hda0 -device hda-output,bus=hda0.0 \
-device hda-micro,bus=hda0.0 -device hda-duplex,bus=hda0.0 \
-qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0xffff
write 0x0 0x1 0x12
write 0x2 0x1 0x2f
outl 0xcf8 0x80000811
outl 0xcfc 0x5a6a4406
write 0x6a44005a 0x1 0x11
write 0x6a44005c 0x1 0x3f
write 0x6a442050 0x4 0x0000446a
write 0x6a44204a 0x1 0xf3
write 0x6a44204c 0x1 0xff
writeq 0x6a44005a 0x17b3f0011
write 0x6a442050 0x4 0x0000446a
write 0x6a44204a 0x1 0xf3
write 0x6a44204c 0x1 0xff
EOF
=== Stack Trace ===
==411958==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcaeb8bc88 (pc 0x55c7c9dc1159 bp 0x7ffcaeb8c4d0 sp 0x7ffcaeb8bc90 T0)
#0 0x55c7c9dc1159 in __asan_memcpy (u-system-i386+0x2a13159)
#1 0x55c7cb2a457e in flatview_do_translate softmmu/physmem.c:513:12
#2 0x55c7cb2bdab0 in flatview_translate softmmu/physmem.c:563:15
#3 0x55c7cb2bdab0 in flatview_read softmmu/physmem.c:2861:10
#4 0x55c7cb2bdab0 in address_space_read_full softmmu/physmem.c:2875:18
#5 0x55c7caaec937 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
#6 0x55c7caaec937 in dma_memory_rw include/sysemu/dma.h:110:12
#7 0x55c7caaec937 in dma_memory_read include/sysemu/dma.h:116:12
#8 0x55c7caaec937 in ldl_le_dma include/sysemu/dma.h:179:1
#9 0x55c7caaec937 in ldl_le_pci_dma include/hw/pci/pci.h:816:1
#10 0x55c7caaec937 in intel_hda_corb_run hw/audio/intel-hda.c:338:16
#11 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
#12 0x55c7cb2e6bd3 in access_with_adjusted_size softmmu/memory.c:552:18
#13 0x55c7cb2e646c in memory_region_dispatch_write softmmu/memory.c
#14 0x55c7cb2c8445 in flatview_write_continue softmmu/physmem.c:2759:23
#15 0x55c7cb2bdfb8 in flatview_write softmmu/physmem.c:2799:14
#16 0x55c7cb2bdfb8 in address_space_write softmmu/physmem.c:2891:18
#17 0x55c7caae2c54 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
#18 0x55c7caae2c54 in dma_memory_rw include/sysemu/dma.h:110:12
#19 0x55c7caae2c54 in dma_memory_write include/sysemu/dma.h:122:12
#20 0x55c7caae2c54 in stl_le_dma include/sysemu/dma.h:179:1
#21 0x55c7caae2c54 in stl_le_pci_dma include/hw/pci/pci.h:816:1
#22 0x55c7caae2c54 in intel_hda_response hw/audio/intel-hda.c:370:5
#23 0x55c7caaeca00 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
#24 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
...
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435
I think this [0] commit actually fixes this bug, can someone please confirm it?
[0] https://github.com/qemu/qemu/commit/1bf8b88f144bee747e386c88d45d772e066bbb36
No, I can still reproduce this issue with current version from the git repo (commit 8f521741e1280f0957ac1) ... when I compile QEMU with Clang and --enable-sanitizers, the reproducer still crashes with "ERROR: AddressSanitizer: stack-overflow"
Just FYI, this issue was assigned CVE-2021-3611 by Red Hat.
@Thomas, could you try by compiling qemu with a commit close to the timeframe mentioned here [0]?
[0] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435#c2
@Gianluca: The problem still reproduces with the current master branch (commit 13d5f87cc3b94bfccc5), so the problem is definitely not fixed yet. So no, I certainly won't waste my time trying it on older versions.
I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/542
Thanks for moving it over! ... let's close this one here on Launchpad now.
|