Re: [PATCH 0/2] use unsigned type for MegasasState fields

P J P Tue, 12 May 2020 11:38:22 -0700

+-- On Tue, 12 May 2020, Philippe Mathieu-Daudé wrote --+
| Cc'ing Marc-André our signed/unsigned conversion expert (with Paolo).


  megasas_init_firmware
    pa_lo = le32_to_cpu(initq->pi_addr_lo);
    pa_hi = le32_to_cpu(initq->pi_addr_hi);
    s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
    s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);

IIUC, here ldl_le_pci_dma() returns an 'uint32_t' type, but since 
'reply_queue_head' is a signed int, large 'uint32_t' value turns negative.

| Do you have a reproducer?

  Yes, there is a reproducer with ASAN, though it did not work for me. 
Ren(CC'd) had shared this trace:

AddressSanitizer: heap-buffer-overflow on address 0x7f9159054058 at pc 
0x55763514b5cd bp 0x7f9179bd6d90 sp 0x7f9179bd6d88
READ of size 8 at 0x7f9159054058 thread T2
  #0 0x55763514b5cc in megasas_lookup_frame 
/home/ren/tmp/redacted-dbg/qemu/hw/scsi/megasas.c:449:30
  #1 0x55763513205c in megasas_handle_abort 
/home/ren/tmp/redacted-dbg/qemu/hw/scsi/megasas.c:1904:17
  #2 0x55763512d0f8 in megasas_handle_frame 
/home/ren/tmp/redacted-dbg/qemu/hw/scsi/megasas.c:1961:24
  #3 0x55763512ba7d in megasas_mmio_write 
/home/ren/tmp/redacted-dbg/qemu/hw/scsi/megasas.c:2122:9
  #4 0x55763515247c in megasas_port_write 
/home/ren/tmp/redacted-dbg/qemu/hw/scsi/megasas.c:2173:5
  #5 0x557634621b3b in memory_region_write_accessor 
/home/ren/tmp/redacted-dbg/qemu/memory.c:483:5
  #6 0x557634621741 in access_with_adjusted_size 
/home/ren/tmp/redacted-dbg/qemu/memory.c:544:18
  #7 0x557634620498 in memory_region_dispatch_write 
/home/ren/tmp/redacted-dbg/qemu/memory.c:1482:16
  #8 0x5576344b6b6c in flatview_write_continue 
/home/ren/tmp/redacted-dbg/qemu/exec.c:3161:23
  #9 0x5576344a87d9 in flatview_write 
/home/ren/tmp/redacted-dbg/qemu/exec.c:3201:14
  #10 0x5576344a8376 in address_space_write 
/home/ren/tmp/redacted-dbg/qemu/exec.c:3291:18
  #11 0x5576344a8af4 in address_space_rw 
/home/ren/tmp/redacted-dbg/qemu/exec.c:3301:16
  #12 0x557634689e10 in kvm_handle_io 
/home/ren/tmp/redacted-dbg/qemu/accel/kvm/kvm-all.c:2086:9
  #13 0x557634688a45 in kvm_cpu_exec 
/home/ren/tmp/redacted-dbg/qemu/accel/kvm/kvm-all.c:2332:13
  #14 0x5576345ee7aa in qemu_kvm_cpu_thread_fn 
/home/ren/tmp/redacted-dbg/qemu/cpus.c:1299:17
  #15 0x557635a11509 in qemu_thread_start 
/home/ren/tmp/redacted-dbg/qemu/util/qemu-thread-posix.c:519:9
  #16 0x7f918cec26b9 in start_thread 
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
  #17 0x7f918c5d441c in clone 
/build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

Re: [PATCH 0/2] use unsigned type for MegasasState fields

Reply via email to