On 220902 1851, Juan Quintela wrote:
> Hi
>
> For a long, long time I have had local hacks on my tree to be able to
> run "make tests" when I have a minimal configure guest. This is a
> first try to upstream some of it.
>
> - by default we always setup -display none (it already was the
> defau
On 221107 2312, Philippe Mathieu-Daudé wrote:
> When sdhci_write_block_to_card() is called to transfer data from
> the FIFO to the SD bus, the data is already present in the buffer
> and we have to consume it directly.
>
> See the description of the 'Buffer Write Enable' bit from the
> 'Present St
On 221108 1225, Alexander Bulekov wrote:
> On 221107 2312, Philippe Mathieu-Daudé wrote:
> > When sdhci_write_block_to_card() is called to transfer data from
> > the FIFO to the SD bus, the data is already present in the buffer
> > and we have to consume it directly.
> >
On 200224 1135, Stefan Hajnoczi wrote:
> On Sat, Feb 22, 2020 at 05:34:29AM -0600, Eric Blake wrote:
> > On 2/22/20 2:50 AM, Stefan Hajnoczi wrote:
> > > From: Alexander Bulekov
> > >
> > > fork() is a simple way to ensure that state does not leak in betwe
Object *) args);
>
> -qmp_marshal_qom_list_types(args, &response, &err);
> -assert(!err);
> +qmp_marshal_qom_list_types(args, &response, &error_abort);
> lst = qobject_to(QList, response);
> apply_to_qlist(lst, false);
> qobject_unref(response);
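Review bot: with `&err` swapped for `&error_abort`, the `Error *err` local that the removed `assert(!err)` consumed is no longer referenced by these lines; its declaration sits outside the quoted hunk, so confirm the patch drops it as well (or that another call in the function still uses it), otherwise the build picks up an unused-variable warning. The substitution itself is the idiomatic replacement: `error_abort` aborts and prints the error message on failure, which is strictly more informative than `assert(!err)`.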
> --
> 2.21.1
>
Thanks!
Acked-by: Alexander Bulekov
sert if accessing an illegal group
>
> hw/sd/sd.c | 30 ++
> hw/sd/trace-events | 2 +-
> 2 files changed, 23 insertions(+), 9 deletions(-)
>
> --
> 2.26.2
>
Hi Phil,
For this series:
Tested-by: Alexander Bulekov
Thanks
-Alex
; scsi_cdb_length(cdb) >= cdb_len' failed.
tests/qtest/libqtest.c:181: kill_qemu() detected QEMU death from signal 6
(Aborted) (core dumped)
ERROR qtest-x86_64/fuzz-test - too few tests run (expected 1, got 0)
Signed-off-by: Alexander Bulekov
Signed-off-by: Philippe Mathieu-Daudé
g>
> ---
Reviewed-by: Alexander Bulekov
> hw/sd/sd.c | 24
> 1 file changed, 16 insertions(+), 8 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 5ab945dade..0f048358ab 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1175,8 +1175,
Here's a qtest reproducer for this one:
cat << EOF |./i386-softmmu/qemu-system-i386 -nodefaults \
-device sdhci-pci -device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -accel qtest -qtest stdio -nographic
outl 0xcf8 0x80001001
outl 0xcfc 0x7e6f25
I fuzzed the SDHCI with this applied. There are still bugs in SDHCI, but
this fixes the ones triggered by my initial bug-reproducers, and doesn't
appear to create any new bugs.
In the interest of incrementally fixing the issues, for this series:
Tested-by: Alexander Bulekov
On 200903
For this series:
Tested-by: Alexander Bulekov
On 200901 1604, Philippe Mathieu-Daudé wrote:
> Fix the SDHCI issue reported last week by Alexander:
> https://bugs.launchpad.net/qemu/+bug/1892960
>
> The field is 12-bit (4KiB) but the guest can set
> up to 16-bit (64KiB), leadin
with the NULL buffer.
> This is the LP#1884693:
>
> -->https://bugs.launchpad.net/qemu/+bug/1884693
>
> Reported-by: Alexander Bulekov
> Signed-off-by: Li Qiang
I'm not very familiar with the IDE code, but this seems like a simple
null-ptr check, and Li has not received
> 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Heap left redzone: fa
> Freed heap region: fd
> ==4028352==ABORTING
>
> Repor
On 211123 1449, Philippe Mathieu-Daudé wrote:
> On 11/23/21 14:42, Hanna Reitz wrote:
> > On 18.11.21 13:06, Philippe Mathieu-Daudé wrote:
> >> From: Alexander Bulekov
> >>
> >> Without the previous commit, when running 'make check-qtest-i386'
>
This protects devices from bh->mmio reentrancy issues.
Signed-off-by: Alexander Bulekov
---
hw/9pfs/xen-9p-backend.c| 4 +++-
hw/block/dataplane/virtio-blk.c | 3 ++-
hw/block/dataplane/xen-block.c | 5 +++--
hw/block/virtio-blk.c | 5 +++--
hw/char/virtio-serial-bu
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Signed-off-by: Alexander Bulekov
---
docs/devel/multiple-iothreads.txt |
On 230125 1624, Stefan Hajnoczi wrote:
> On Thu, Jan 19, 2023 at 02:03:07AM -0500, Alexander Bulekov wrote:
> > Devices can pass their MemoryReentrancyGuard (from their DeviceState),
> > when creating new BHes. Then, the async API will toggle the guard
> > before/after cal
This protects devices from bh->mmio reentrancy issues.
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Alexander Bulekov
---
hw/9pfs/xen-9p-backend.c| 4 +++-
hw/block/dataplane/virtio-blk.c | 3 ++-
hw/block/dataplane/xen-block.c | 5 +++--
hw/block/virtio-blk.c | 5 +++--
Devices can pass their MemoryReentrancyGuard (from their DeviceState),
when creating new BHes. Then, the async API will toggle the guard
before/after calling the BH call-back. This prevents bh->mmio reentrancy
issues.
Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
docs/de
This protects devices from bh->mmio reentrancy issues.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Alexander Bulekov
---
hw/9pfs/xen-9p-backend.c| 4 +++-
hw/block/dataplane/virtio-blk.c | 3 ++-
hw/block/dataplane/xen-block.c | 5 +++--
hw/char/vir
On 210623 2000, Philippe Mathieu-Daudé wrote:
> Hi Ubi-Wan Kenubi and Tom,
>
> In commit a9bcedd (SD card size has to be power of 2) we decided
> to restrict SD card size to avoid security problems (CVE-2020-13253)
> but this became not practical to some users.
>
> This RFC series tries to remove
On 210624 1012, Philippe Mathieu-Daudé wrote:
> On 6/24/21 4:50 AM, Alexander Bulekov wrote:
> > On 210623 2000, Philippe Mathieu-Daudé wrote:
> >> Hi Ubi-Wan Kenubi and Tom,
> >>
> >> In commit a9bcedd (SD card size has to be power of 2) we decided
> >>
Bin Meng
> Message-Id: <20210624142209.1193073-2-f4...@amsat.org>
Reviewed-by: Alexander Bulekov
> ---
> hw/sd/sd.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 282d39a7042..d8fdf84f4db 100644
> --- a/hw/sd/s
2d ("hw/sd: fix out-of-bounds check
> for multi block reads"), check the address range before sending
> the status of the write protection bits.
>
> Include the qtest reproducer provided by Alexander Bulekov:
>
> $ make check-qtest-i386
> ...
> Running test qte
the first addressed group. If the addresses of the last groups
> are outside the valid range, then the corresponding write protection
> bits shall be set to 0.
>
> Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Alexander Bulekov
-Alex
> ---
> hw/sd/sd.c | 9 -
>
$ sed -i -e s/wp_groups/wp_group_bmap/ \
>-e s/wpgrps_size/wp_group_bits/ hw/sd/sd.c
>
> Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Alexander Bulekov
-Alex
> ---
> hw/sd/sd.c | 28 ++--
> 1 file changed, 14 insertions(+), 14 deletion
i-v3 -jobs=4 -workers=4 \
-focus_function=sd_wpbits \
~/oss-fuzz/qemu_qemu-fuzz-i386-target-generic-fuzz-sdhci-v3/
Tested-by: Alexander Bulekov
Thanks!
> hw/sd/sd.c | 9 -
> tests/qtest/fuzz-sdcard-test.c | 36 ++
&
On 210811 1147, Thomas Huth wrote:
> vhost-user-blk-test needs the qemu-storage-daemon, otherwise it
> currently hangs. So make sure that we build the daemon before running
> the tests.
>
> Signed-off-by: Thomas Huth
> ---
Tested-by: Alexander Bulekov
ible.
>
> Signed-off-by: Thomas Huth
I manually removed ./storage-daemon/qemu-storage-daemon and re-ran
qos-test. The test errored-out without hanging.
Reviewed-by: Alexander Bulekov
Tested-by: Alexander Bulekov
On 210909 0120, Philippe Mathieu-Daudé wrote:
> Hi,
>
> This series is experimental! The goal is to better limit the
> boundary of what code is considered security critical, and
> what is less critical (but still important!).
>
> This approach was quickly discussed few months ago with Markus
>
0
outb 0x3f5 0x0
outb 0x3f5 0x01
outw 0x3f1 0x0500
outb 0x3f5 0x00
EOF
Signed-off-by: Alexander Bulekov
---
Might be useful for reproducing/regression testing
tests/qtest/fuzz-test.c | 54 +
1 file changed, 54 insertions(+)
diff --git a/tests/qtest/fuzz-te
0
outb 0x3f5 0x0
outb 0x3f5 0x01
outw 0x3f1 0x0500
outb 0x3f5 0x00
EOF
Signed-off-by: Alexander Bulekov
---
Since this looks very similar to CVE-2021-20196 (I believe Li pointed
out that issue in this thread), I'm also posting the reproducer for that
here.
tests/qtest/fuzz-
On 210319 1054, Markus Armbruster wrote:
> Paolo Bonzini writes:
>
> > On 19/03/21 06:53, Markus Armbruster wrote:
> >> I guess this is a reproducer. Please also describe actual and expected
> >> result. Same for PATCH 2.
> >
> > Isn't it in the patch itself?
>
> A commit message should tell m
On 210319 1026, Paolo Bonzini wrote:
> On 19/03/21 06:53, Markus Armbruster wrote:
> > I guess this is a reproducer. Please also describe actual and expected
> > result. Same for PATCH 2.
>
> Isn't it in the patch itself?
>
> Alexander, I think these reproducers are self-contained enough (no wr
b).
Suggested-by: Hervé Poussineau
Signed-off-by: Alexander Bulekov
---
I ran through tests/qtest/fdc-test, and ran fdformat on a dummy disk -
nothing exploded, but since I don't use floppies very often, more eyes
definitely won't hurt. In particular, I'm not sure about the
f
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
---
hw/9pfs/xen-9p-backen
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth for diagnosing OS X test failure.
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Paul Durrant
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
This is useful for using unit-tests/fuzzing to detect bugs introduced by
the re-entrancy guard mechanism into devices that are intentionally
re-entrant.
Signed-off-by: Alexander Bulekov
---
softmmu/memory.c | 3 +++
util/async.c | 3 +++
2 files changed, 6 insertions(+)
diff --git a
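Added example, not QEMU's util/async.c or softmmu/memory.c: a constructed, self-contained model of the guard mechanism described in the commit messages on this page (a device-owned `MemoryReentrancyGuard`, a BH that carries a pointer to it, `aio_bh_call` toggling it around the callback, and an MMIO path that refuses nested access), plus the per-device opt-out flag the message just above refers to for intentionally re-entrant devices. All struct layouts, the `Device` type and the `bh_reentry_rejections` / `mmio_works_after_guarded_bh` scenario helpers are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for QEMU's MemoryReentrancyGuard (the real one hangs off
 * DeviceState; the names mirror the series, the code is a constructed model). */
typedef struct MemoryReentrancyGuard {
    bool engaged_in_io;
} MemoryReentrancyGuard;

typedef struct Device {
    MemoryReentrancyGuard mem_reentrancy_guard;
    bool disable_reentrancy_guard;   /* opt-out for intentionally re-entrant devices */
    uint32_t reg;                    /* the only MMIO register in this model */
    unsigned rejected_accesses;      /* accesses the guard refused */
} Device;

/* A bottom half carrying the guard of the device that scheduled it. */
typedef struct QEMUBH {
    void (*cb)(void *opaque);
    void *opaque;
    MemoryReentrancyGuard *reentrancy_guard;   /* NULL: no guard attached */
} QEMUBH;

/* MMIO dispatch with the guard: if the device is already inside an I/O
 * callback, the nested access is refused instead of running the handler. */
static bool device_mmio_write(Device *d, uint32_t val)
{
    MemoryReentrancyGuard *g = &d->mem_reentrancy_guard;

    if (!d->disable_reentrancy_guard && g->engaged_in_io) {
        d->rejected_accesses++;
        return false;
    }
    bool was_engaged = g->engaged_in_io;
    g->engaged_in_io = true;
    d->reg = val;                    /* the actual register write */
    g->engaged_in_io = was_engaged;
    return true;
}

/* aio_bh_call with the guard toggled around the callback, so that code run
 * from the BH counts as "inside I/O" for the owning device. */
static void aio_bh_call(QEMUBH *bh)
{
    bool last_engaged = false;

    if (bh->reentrancy_guard) {
        last_engaged = bh->reentrancy_guard->engaged_in_io;
        bh->reentrancy_guard->engaged_in_io = true;
    }
    bh->cb(bh->opaque);
    if (bh->reentrancy_guard) {
        bh->reentrancy_guard->engaged_in_io = last_engaged;
    }
}

/* The pattern the guard exists to stop: a BH callback that re-enters the
 * device's own MMIO path (bh->mmio re-entrancy). */
static void bh_that_reenters_mmio(void *opaque)
{
    device_mmio_write((Device *)opaque, 0xdead);
}

/* Run the re-entering BH and report how many MMIO accesses were refused. */
unsigned bh_reentry_rejections(bool guard_attached, bool device_opts_out)
{
    Device d = { .disable_reentrancy_guard = device_opts_out };
    QEMUBH bh = {
        .cb = bh_that_reenters_mmio,
        .opaque = &d,
        .reentrancy_guard = guard_attached ? &d.mem_reentrancy_guard : NULL,
    };

    aio_bh_call(&bh);
    return d.rejected_accesses;
}

/* After the BH has run the guard must be released again, otherwise ordinary
 * guest MMIO to the device would be blocked forever. */
bool mmio_works_after_guarded_bh(void)
{
    Device d = { 0 };
    QEMUBH bh = { .cb = bh_that_reenters_mmio, .opaque = &d,
                  .reentrancy_guard = &d.mem_reentrancy_guard };

    aio_bh_call(&bh);
    return device_mmio_write(&d, 0x1234) && d.reg == 0x1234;
}

int main(void)
{
    printf("no guard on BH:               %u refused\n", bh_reentry_rejections(false, false));
    printf("guard on BH:                  %u refused\n", bh_reentry_rejections(true, false));
    printf("guard on BH, device opt-out:  %u refused\n", bh_reentry_rejections(true, true));
    printf("MMIO usable after guarded BH: %s\n", mmio_works_after_guarded_bh() ? "yes" : "no");
    return 0;
}
```

The opt-out path is exactly what the unit-test/fuzzing hook in the message above is meant to exercise: a device that legitimately re-enters its own MMIO from a BH behaves identically with and without the guard only if it sets the opt-out, which is the regression such tests would catch.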
This is useful for using unit-tests/fuzzing to detect bugs introduced by
the re-entrancy guard mechanism into devices that are intentionally
re-entrant.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
softmmu/memory.c | 3 +++
util/async.c | 3 +++
2 files changed, 6
On 230426 1219, Alexander Bulekov wrote:
> This is useful for using unit-tests/fuzzing to detect bugs introduced by
> the re-entrancy guard mechanism into devices that are intentionally
> re-entrant.
>
> Signed-off-by: Alexander Bulekov
> Reviewed-by: Thomas Huth
> ---
Thi
ned-off-by: Alexander Bulekov
---
util/async.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/util/async.c b/util/async.c
index 9df7674b4e..055070ffbd 100644
--- a/util/async.c
+++ b/util/async.c
@@ -156,18 +156,20 @@ void aio_bh_call(QEMUBH *bh)
{
T flag is set (in
fdctrl_handle_format_track) is closely followed by the same flag being
unset, with no possibility to call fdctrl_format_sector in between.
This removes fdctrl_format_sector and the unnecessary setting/unsetting
of the FD_STATE_FORMAT flag.
Signed-off-by: Alexander Bulekov
---
hw
Looks like one reported by OSS-Fuzz:
Here's a reproducer
cat << EOF | ./qemu-system-i386 -qtest stdio -display none \
-machine q35,accel=qtest -m 512M -nodefaults \
-device megasas -device scsi-cd,drive=null0 \
-blockdev driver=null-co,read-zeroes=on,node-name=null0
outl 0xcf8 0x8801
outl 0x
On 210115 1609, Philippe Mathieu-Daudé wrote:
> This test fails when QEMU is built without the megasas device,
> restrict it to its availability.
Should we just make a separate directory for fuzzer tests and have a
separate source file for each reproducer (or for each device)? That way,
we avoid c
cmd_fis is mapped as DMA_DIRECTION_FROM_DEVICE, however, it is read
from, and not written to anywhere. Fix the DMA_DIRECTION and mark
cmd_fis as read-only in the code.
Signed-off-by: Alexander Bulekov
---
hw/ide/ahci.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff
On 210126 1851, Thomas Huth wrote:
> On 26/01/2021 12.16, Philippe Mathieu-Daudé wrote:
> > This test fails when QEMU is built without the megasas device,
> > restrict it to its availability.
> >
> > Signed-off-by: Philippe Mathieu-Daudé
> > ---
> > tests/qtest/fuzz-megasas-test.c | 49
5
> > > >> #3 0x55ab476f102a in pci_qdev_realize hw/pci/pci.c:2108:9
> > > >> #4 0x55ab48baaad2 in device_set_realized hw/core/qdev.c:761:13
> > > >>
> > > >> SUMMARY: AddressSanitizer: heap-buffer-overflow
> > > >>
On 210211 1526, Philippe Mathieu-Daudé wrote:
> The null-co driver doesn't zeroize buffer in its default config,
> because it is designed for testing and tests want to run fast.
> However this confuses security researchers (access to uninit
> buffers).
>
Interesting.. Is there an example bug repo
u.org
> Fixes: CVE-2020-17380
> Fixes: CVE-2020-25085
> Reported-by: Alexander Bulekov
> Reported-by: Sergej Schumilo (Ruhr-University Bochum)
> Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
> Reported-by: Simon Wörner (Ruhr-University Bochum)
Reported-by: Muhammad Ramdh
u.org
> Fixes: CVE-2020-17380
> Fixes: CVE-2020-25085
> Reported-by: Alexander Bulekov
> Reported-by: Sergej Schumilo (Ruhr-University Bochum)
> Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
> Reported-by: Simon Wörner (Ruhr-University Bochum)
> Buglink: https://bugs.l
able: 00
> Heap left redzone: fa
> Freed heap region: fd
> ==2686219==ABORTING
>
> Fixes: CVE-2020-17380
> Fixes: CVE-2020-25085
> Signed-off-by: Philippe Mathieu-Daudé
I applied this along with <1612868085-72809-1-git-send-email-bmeng..
On 210211 2045, Philippe Mathieu-Daudé wrote:
> Hi Alexander,
>
> On 2/11/21 6:04 PM, Alexander Bulekov wrote:
> > On 210208 2034, Philippe Mathieu-Daudé wrote:
> >> Per the "SD Host Controller Simplified Specification Version 2.00"
> >
On 210211 1154, Alexander Bulekov wrote:
...
> I applied this along with <20210208193450.2689517-1-f4...@amsat.org>
> "hw/sd/sdhci: Do not modify BlockSizeRegister if transaction in progress"
>
> I ran through the entire OSS-Fuzz corpus, and could not reproduce
Hi Bin,
Thank you for this. I ran through the OSS-Fuzz tests again, and it found
one thing:
Maybe this is already much better than the current state of the code, so
this one can be fixed in a later patch?
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
-m 512M -nodefaults -de
On 210216 0855, Bin Meng wrote:
> Hi Alex,
>
> On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov wrote:
> >
> > Hi Bin,
> > Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> > one thing:
>
> Thanks for testing. Are there instruct
Hi Bin,
For this series,
Tested-by: Alexander Bulekov
Thank you
-Alex
On 210216 1146, Bin Meng wrote:
> This series includes several fixes to CVE-2020-17380, CVE-2020-25085
> and CVE-2021-3409 that are heap-based buffer overflow issues existing
> in the sdhci model.
>
> These
On 210216 1146, Bin Meng wrote:
> s->prnsts is updated in both branches of the if () else () statement.
> Move the common bits outside so that it is cleaner.
>
> Signed-off-by: Bin Meng
Reviewed-by: Alexander Bulekov
> ---
>
> (no changes since v1)
>
> hw/sd
t; One consequence of the prior behavior was that setting zero sectors
> >> per track could lead to an FPE within ide_set_sector(). Thanks to
> >> Alexander Bulekov for reporting this issue.
> >>
> >> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1243
> >>