diff for duplicates of <20210310062046.isnnnwzjj7dbhjas@mozz.bu.edu>

diff --git a/a/1.txt b/N1/1.txt
index 84eed91..6ae401e 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -258,3 +258,101 @@ AddressSanitizer:DEADLYSIGNAL
 #19 0x55abf54071e5 in main build/../softmmu/main.c:50:5
 #20 0x7f976d674d09 in __libc_start_main csu/../csu/libc-start.c:308:16
 #21 0x55abf535abb9 in _start (system-i386+0x2b5fbb9)
+
+-- 
+You received this bug notification because you are a member of qemu-
+devel-ml, which is subscribed to QEMU.
+https://bugs.launchpad.net/bugs/1918321
+
+Title:
+  [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in
+  megasas_finish_dcmd
+
+Status in QEMU:
+  New
+
+Bug description:
+  Hello,
+
+  == QTest Reproducer ==
+  /* 
+   * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
+   * 512M -machine q35 -nodefaults -device megasas -device \
+   * scsi-cd,drive=null0 -blockdev \
+   * driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
+   * outl 0xcf8 0x80000801
+   * outl 0xcfc 0x05000000
+   * outl 0xcf8 0x80000816
+   * outl 0xcfc 0x19000000
+   * write 0x1e1ed300 0x1 0x01
+   * write 0x1e1ed307 0x1 0x01
+   * write 0x1e1ed316 0x1 0x01
+   * write 0x1e1ed328 0x1 0x01
+   * write 0x1e1ed32f 0x1 0x01
+   * outl 0x1940 0x1e1ed300
+   * outl 0x19c0 0x00
+   * EOF
+   */
+  static void null_deref_megasas_finish_dcmd(void)
+  {
+      QTestState *s = qtest_init(
+          "-display none , -m 512M -machine q35 -nodefaults -device megasas -device "
+          "scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 ");
+      qtest_outl(s, 0xcf8, 0x80000801);
+      qtest_outl(s, 0xcfc, 0x05000000);
+      qtest_outl(s, 0xcf8, 0x80000816);
+      qtest_outl(s, 0xcfc, 0x19000000);
+      qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
+      qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
+      qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
+      qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
+      qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
+      qtest_outl(s, 0x1940, 0x1e1ed300);
+      qtest_outl(s, 0x19c0, 0x00);
+      qtest_quit(s);
+  }
+  int main(int argc, char **argv)
+  {
+      const char *arch = qtest_get_arch();
+
+      g_test_init(&argc, &argv, NULL);
+
+      if (strcmp(arch, "i386") == 0) {
+          qtest_add_func("fuzz/null_deref_megasas_finish_dcmd",
+                         null_deref_megasas_finish_dcmd);
+      }
+
+      return g_test_run();
+  }
+
+  == Stack Trace ==
+  ../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
+  ../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
+  AddressSanitizer:DEADLYSIGNAL
+  =================================================================
+  ==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)
+  ==314546==The signal is caused by a WRITE memory access.
+  ==314546==Hint: address points to the zero page.
+  #0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40
+  #1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5
+  #2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9
+  #3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5
+  #4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9
+  #5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9
+  #6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9
+  #7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13
+  #8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5
+  #9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5
+  #10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
+  #11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9
+  #12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5
+  #13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11
+  #14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9
+  #15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5
+  #16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16
+  #17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)
+
+To manage notifications about this bug go to:
+https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions
diff --git a/a/content_digest b/N1/content_digest
index 45c5ff8..058e7df 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -2,19 +2,16 @@
   "ref\000161531961935.11554.15835639895023157218.malonedeb\@chaenomeles.canonical.com\0"
 ]
 [
-  "From\0Alexander Bulekov <alxndr\@bu.edu>\0"
+  "From\0Alexander Bulekov <1918321\@bugs.launchpad.net>\0"
 ]
 [
   "Subject\0Re: [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd\0"
 ]
 [
-  "Date\0Wed, 10 Mar 2021 01:24:49 -0500\0"
+  "Date\0Wed, 10 Mar 2021 06:24:49 -0000\0"
 ]
 [
-  "To\0Bug 1918321 <1918321\@bugs.launchpad.net>\0"
-]
-[
-  "Cc\0qemu-devel\@nongnu.org\0"
+  "To\0qemu-devel\@nongnu.org\0"
 ]
 [
   "\0000:1\0"
@@ -282,7 +279,105 @@
   "#18 0x55abf69398a9 in qemu_main_loop build/../softmmu/runstate.c:725:9\n",
   "#19 0x55abf54071e5 in main build/../softmmu/main.c:50:5\n",
   "#20 0x7f976d674d09 in __libc_start_main csu/../csu/libc-start.c:308:16\n",
-  "#21 0x55abf535abb9 in _start (system-i386+0x2b5fbb9)"
+  "#21 0x55abf535abb9 in _start (system-i386+0x2b5fbb9)\n",
+  "\n",
+  "-- \n",
+  "You received this bug notification because you are a member of qemu-\n",
+  "devel-ml, which is subscribed to QEMU.\n",
+  "https://bugs.launchpad.net/bugs/1918321\n",
+  "\n",
+  "Title:\n",
+  "  [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in\n",
+  "  megasas_finish_dcmd\n",
+  "\n",
+  "Status in QEMU:\n",
+  "  New\n",
+  "\n",
+  "Bug description:\n",
+  "  Hello,\n",
+  "\n",
+  "  == QTest Reproducer ==\n",
+  "  /* \n",
+  "   * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \\\n",
+  "   * 512M -machine q35 -nodefaults -device megasas -device \\\n",
+  "   * scsi-cd,drive=null0 -blockdev \\\n",
+  "   * driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio\n",
+  "   * outl 0xcf8 0x80000801\n",
+  "   * outl 0xcfc 0x05000000\n",
+  "   * outl 0xcf8 0x80000816\n",
+  "   * outl 0xcfc 0x19000000\n",
+  "   * write 0x1e1ed300 0x1 0x01\n",
+  "   * write 0x1e1ed307 0x1 0x01\n",
+  "   * write 0x1e1ed316 0x1 0x01\n",
+  "   * write 0x1e1ed328 0x1 0x01\n",
+  "   * write 0x1e1ed32f 0x1 0x01\n",
+  "   * outl 0x1940 0x1e1ed300\n",
+  "   * outl 0x19c0 0x00\n",
+  "   * EOF\n",
+  "   */\n",
+  "  static void null_deref_megasas_finish_dcmd(void)\n",
+  "  {\n",
+  "      QTestState *s = qtest_init(\n",
+  "          \"-display none , -m 512M -machine q35 -nodefaults -device megasas -device \"\n",
+  "          \"scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 \");\n",
+  "      qtest_outl(s, 0xcf8, 0x80000801);\n",
+  "      qtest_outl(s, 0xcfc, 0x05000000);\n",
+  "      qtest_outl(s, 0xcf8, 0x80000816);\n",
+  "      qtest_outl(s, 0xcfc, 0x19000000);\n",
+  "      qtest_bufwrite(s, 0x1e1ed300, \"\\x01\", 0x1);\n",
+  "      qtest_bufwrite(s, 0x1e1ed307, \"\\x01\", 0x1);\n",
+  "      qtest_bufwrite(s, 0x1e1ed316, \"\\x01\", 0x1);\n",
+  "      qtest_bufwrite(s, 0x1e1ed328, \"\\x01\", 0x1);\n",
+  "      qtest_bufwrite(s, 0x1e1ed32f, \"\\x01\", 0x1);\n",
+  "      qtest_outl(s, 0x1940, 0x1e1ed300);\n",
+  "      qtest_outl(s, 0x19c0, 0x00);\n",
+  "      qtest_quit(s);\n",
+  "  }\n",
+  "  int main(int argc, char **argv)\n",
+  "  {\n",
+  "      const char *arch = qtest_get_arch();\n",
+  "\n",
+  "      g_test_init(&argc, &argv, NULL);\n",
+  "\n",
+  "      if (strcmp(arch, \"i386\") == 0) {\n",
+  "          qtest_add_func(\"fuzz/null_deref_megasas_finish_dcmd\",\n",
+  "                         null_deref_megasas_finish_dcmd);\n",
+  "      }\n",
+  "\n",
+  "      return g_test_run();\n",
+  "  }\n",
+  "\n",
+  "  == Stack Trace ==\n",
+  "  ../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'union mfi_frame'\n",
+  "  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in\n",
+  "  ../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'\n",
+  "  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in\n",
+  "  AddressSanitizer:DEADLYSIGNAL\n",
+  "  =================================================================\n",
+  "  ==314546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x55b1b4f4de73 bp 0x7ffcfc5a8bb0 sp 0x7ffcfc5a8900 T0)\n",
+  "  ==314546==The signal is caused by a WRITE memory access.\n",
+  "  ==314546==Hint: address points to the zero page.\n",
+  "  #0 0x55b1b4f4de73 in megasas_command_complete build/../hw/scsi/megasas.c:1884:40\n",
+  "  #1 0x55b1b5613914 in scsi_req_complete build/../hw/scsi/scsi-bus.c:1515:5\n",
+  "  #2 0x55b1b5448aeb in scsi_dma_complete_noio build/../hw/scsi/scsi-disk.c:345:9\n",
+  "  #3 0x55b1b5446fc7 in scsi_dma_complete build/../hw/scsi/scsi-disk.c:366:5\n",
+  "  #4 0x55b1b4fffc56 in dma_complete build/../softmmu/dma-helpers.c:121:9\n",
+  "  #5 0x55b1b4fffc56 in dma_blk_cb build/../softmmu/dma-helpers.c:139:9\n",
+  "  #6 0x55b1b6856016 in blk_aio_complete build/../block/block-backend.c:1412:9\n",
+  "  #7 0x55b1b6f48b06 in aio_bh_poll build/../util/async.c:164:13\n",
+  "  #8 0x55b1b6f08cec in aio_dispatch build/../util/aio-posix.c:381:5\n",
+  "  #9 0x55b1b6f4d59c in aio_ctx_dispatch build/../util/async.c:306:5\n",
+  "  #10 0x7fd88c098baa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)\n",
+  "  #11 0x55b1b6f59a3c in glib_pollfds_poll build/../util/main-loop.c:232:9\n",
+  "  #12 0x55b1b6f59a3c in os_host_main_loop_wait build/../util/main-loop.c:255:5\n",
+  "  #13 0x55b1b6f59a3c in main_loop_wait build/../util/main-loop.c:531:11\n",
+  "  #14 0x55b1b61a78a9 in qemu_main_loop build/../softmmu/runstate.c:725:9\n",
+  "  #15 0x55b1b4c751e5 in main build/../softmmu/main.c:50:5\n",
+  "  #16 0x7fd88aec6d09 in __libc_start_main csu/../csu/libc-start.c:308:16\n",
+  "  #17 0x55b1b4bc8bb9 in _start (system-i386+0x2b5fbb9)\n",
+  "\n",
+  "To manage notifications about this bug go to:\n",
+  "https://bugs.launchpad.net/qemu/+bug/1918321/+subscriptions"
 ]
 
-6b0cd83edfede7137f2e218c2024559bc6a386418ecc2b5f0a92c86edad0d9bd
+3abf0c89f0b4742c57acfc9d48bd4fc8825212acaa8d2301e15610ad76b1cdfd
