1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
debug: 0.844
user-level: 0.805
ppc: 0.803
peripherals: 0.788
x86: 0.787
permissions: 0.786
virtual: 0.785
risc-v: 0.779
mistranslation: 0.774
VMM: 0.772
arm: 0.771
i386: 0.769
performance: 0.767
KVM: 0.764
vnc: 0.762
network: 0.760
TCG: 0.757
architecture: 0.746
device: 0.740
graphic: 0.739
semantic: 0.738
hypervisor: 0.733
register: 0.719
assembly: 0.711
PID: 0.696
files: 0.679
socket: 0.659
kernel: 0.649
boot: 0.646
QEMU: scsi: use-after-free in mptsas_process_scsi_io_request() of mptsas1068 emulator
* Cheolwoo Myung of Seoul National University reported a use-after-free issue in the SCSI Megaraid
emulator of the QEMU.
* It occurs while handling mptsas_process_scsi_io_request(), as it does not
check a list in s->pending.
* This was found in version 5.2.0 (master)
==31872==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c000107568 at pc 0x564514950c7c bp 0x7fff524ef4b0 sp 0x7fff524ef4a0 WRITE of size 8 at 0x60c000107568 thread T0
#0 0x564514950c7b in mptsas_process_scsi_io_request ../hw/scsi/mptsas.c:306
#1 0x564514950c7b in mptsas_fetch_request ../hw/scsi/mptsas.c:775
#2 0x564514950c7b in mptsas_fetch_requests ../hw/scsi/mptsas.c:790
#3 0x56451585c25d in aio_bh_poll ../util/async.c:164
#4 0x5645158d7e7d in aio_dispatch ../util/aio-posix.c:381
#5 0x56451585be2d in aio_ctx_dispatch ../util/async.c:306
#6 0x7f1cc8af4416 in g_main_context_dispatch
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c416)
#7 0x56451583f059 in glib_pollfds_poll ../util/main-loop.c:221
#8 0x56451583f059 in os_host_main_loop_wait ../util/main-loop.c:244
#9 0x56451583f059 in main_loop_wait ../util/main-loop.c:520
#10 0x56451536b181 in qemu_main_loop ../softmmu/vl.c:1537
#11 0x5645143ddd3d in main ../softmmu/main.c:50
#12 0x7f1cc2650b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#13 0x5645143eece9 in _start
(/home/cwmyung/prj/hyfuzz/src/qemu-repro/build/qemu-system-i386+0x1d55ce9)
0x60c000107568 is located 104 bytes inside of 120-byte region
[0x60c000107500,0x60c000107578)
freed by thread T0 here:
#0 0x7f1cca9777a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x56451495008b in mptsas_process_scsi_io_request ../hw/scsi/mptsas.c:358
#2 0x56451495008b in mptsas_fetch_request ../hw/scsi/mptsas.c:775
#3 0x56451495008b in mptsas_fetch_requests ../hw/scsi/mptsas.c:790
#4 0x7fff524ef8bf (<unknown module>)
previously allocated by thread T0 here:
#0 0x7f1cca977d28 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
#1 0x7f1cc8af9b10 in g_malloc0
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51b10)
#2 0x7fff524ef8bf (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free ../hw/scsi/mptsas.c:306
in mptsas_process_scsi_io_request
Shadow bytes around the buggy address:
0x0c1880018e50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880018e60: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c1880018e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1880018e80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1880018e90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c1880018ea0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fa
0x0c1880018eb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1880018ec0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1880018ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880018ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1880018ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31872==ABORTING
To reproduce this issue, please run the QEMU with the following command
line.
# To enable ASan option, please set configuration with the following command
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make
# To reproduce this issue, please run the QEMU process with the
following command line.
$ ./qemu-system-i386 -m 512 -drive
file=./hyfuzz.img,index=0,media=disk,format=raw -device
mptsas1068,id=scsi -device scsi-hd,drive=SysDisk -drive
id=SysDisk,if=none,file=./disk.img
CVE-2021-3392 assigned by Red Hat In.c
Upstream patch
-> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html
Upstream commit:
https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d
|