[Bug 1913916] Re: aarch64-virt: heap-buffer-overflow in address_space_lookup_region

Peter Maydell Tue, 02 Feb 2021 04:21:09 -0800

*** This bug is a duplicate of bug 1913917 ***
    https://bugs.launchpad.net/bugs/1913917


This is a duplicate of the rather simpler bug 1913917. The overrun occurs on 
the first 
writel 0x8000f00 0xff4affb0, which corrupts memory and eventually results in 
the crash described in the backtrace. I'm not sure why the fuzzer isn't just 
reporting the original overrun.


** This bug has been marked a duplicate of bug 1913917
   aarch64-virt: heap-use-after-free in gic_dist_writeb

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1913916

Title:
  aarch64-virt: heap-buffer-overflow in address_space_lookup_region

Status in QEMU:
  Confirmed

Bug description:
  Reproducer:
  cat << EOF | ./qemu-system-aarch64 \
  -machine virt,accel=qtest -qtest stdio
  writel 0x8000f00 0xff4affb0
  writel 0x8000f00 0xf2f8017f
  writeq 0x801000e 0x5a5a5a6c8ff7004b
  writeq 0x8010010 0x5a5a5a5a73ba2f00
  writel 0x8000000 0x3bf5a03
  writel 0x8000000 0x3bf5a03
  writeq 0x8010000 0x10ffff03fbffffff
  writel 0x8000f1f 0x5a55fc00
  readl 0x8011f00
  readl 0x80000d3
  readl 0x80000d3
  clock_step
  writeq 0x4010008004 0x4604fffdffc54c01
  writeq 0x4010008002 0xf7478b3f5aff5a55
  writel 0x8000f00 0x2d6954
  writel 0x800005a 0x2706fcf
  readq 0x800002c
  readw 0x9000004
  readq 0x800002c
  writeq 0x801000e 0x5555017f00017f00
  writew 0x8010000 0x55
  writew 0x8010000 0x465a
  writew 0x8010000 0x55
  writew 0x8010000 0xaf00
  writeq 0x8010015 0x3b5a5a5555460000
  writeq 0x8010015 0xd546002b2b000000
  writeq 0x8010015 0xc44ea5aaaab9ffff
  readq 0x8000a5a
  EOF

  Stacktrace:
  ==638893==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x629000022b84 at pc 0x55915c484d92 bp 0x7ffcde114a00 sp 0x7ffcde1149f8
  READ of size 2 at 0x629000022b84 thread T0
      #0 0x55915c484d91 in address_space_lookup_region 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:345:36
      #1 0x55915c484d91 in address_space_translate_internal 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:359:15
      #2 0x55915c481d90 in flatview_do_translate 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:497:15
      #3 0x55915c48214e in flatview_translate 
/home/alxndr/Development/qemu/build/../softmmu/physmem.c:563:15
      #4 0x55915c107ff9 in address_space_read 
/home/alxndr/Development/qemu/include/exec/memory.h:2477:18
      #5 0x55915c107ff9 in qtest_process_command 
/home/alxndr/Development/qemu/build/../softmmu/qtest.c:572:13
      #6 0x55915c102b97 in qtest_process_inbuf 
/home/alxndr/Development/qemu/build/../softmmu/qtest.c:797:9
      #7 0x55915c953286 in fd_chr_read 
/home/alxndr/Development/qemu/build/../chardev/char-fd.c:68:9
      #8 0x7f02be25daae in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51aae)
      #9 0x55915cfae363 in glib_pollfds_poll 
/home/alxndr/Development/qemu/build/../util/main-loop.c:232:9
      #10 0x55915cfae363 in os_host_main_loop_wait 
/home/alxndr/Development/qemu/build/../util/main-loop.c:255:5
      #11 0x55915cfae363 in main_loop_wait 
/home/alxndr/Development/qemu/build/../util/main-loop.c:531:11
      #12 0x55915c069599 in qemu_main_loop 
/home/alxndr/Development/qemu/build/../softmmu/runstate.c:721:9
      #13 0x55915a2f61fd in main 
/home/alxndr/Development/qemu/build/../softmmu/main.c:50:5
      #14 0x7f02bdd02cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
      #15 0x55915a249bc9 in _start 
(/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x3350bc9)

  0x629000022b84 is located 660 bytes to the right of 18160-byte region 
[0x62900001e200,0x6290000228f0)
  allocated by thread T0 here:
      #0 0x55915a2c3c3d in malloc 
(/home/alxndr/Development/qemu/build/qemu-system-aarch64+0x33cac3d)
      #1 0x7f02be263a88 in g_malloc 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57a88)
      #2 0x55915c932cbd in qdev_new 
/home/alxndr/Development/qemu/build/../hw/core/qdev.c:153:19
      #3 0x55915b559360 in create_gic 
/home/alxndr/Development/qemu/build/../hw/arm/virt.c:631:16
      #4 0x55915b5449d2 in machvirt_init 
/home/alxndr/Development/qemu/build/../hw/arm/virt.c:1966:5
      #5 0x55915a62bac0 in machine_run_board_init 
/home/alxndr/Development/qemu/build/../hw/core/machine.c:1169:5
      #6 0x55915c02b8d8 in qemu_init_board 
/home/alxndr/Development/qemu/build/../softmmu/vl.c:2455:5
      #7 0x55915c02b8d8 in qmp_x_exit_preconfig 
/home/alxndr/Development/qemu/build/../softmmu/vl.c:2526:5
      #8 0x55915c035d91 in qemu_init 
/home/alxndr/Development/qemu/build/../softmmu/vl.c:3533:9
      #9 0x55915a2f61f8 in main 
/home/alxndr/Development/qemu/build/../softmmu/main.c:49:5
      #10 0x7f02bdd02cc9 in __libc_start_main csu/../csu/libc-start.c:308:16

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1913916/+subscriptions

[Bug 1913916] Re: aarch64-virt: heap-buffer-overflow in address_space_lookup_region

Reply via email to