motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2026-01-04 13:37:41 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/hw/block
History
Philippe Mathieu-Daudé 6e7e387b79 hw/block/nand: Fix out-of-bound access in NAND block buffer 
nand_command() and nand_getio() don't check @offset points
into the block, nor the available data length (s->iolen) is
not negative.

In order to fix:

- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if blk_load() failed.

Reproducer:

  $ cat << EOF | qemu-system-arm -machine tosa \
                                 -monitor none -serial none \
                                 -display none -qtest stdio
  write 0x10000111 0x1 0xca
  write 0x10000104 0x1 0x47
  write 0x1000ca04 0x1 0xd7
  write 0x1000ca01 0x1 0xe0
  write 0x1000ca04 0x1 0x71
  write 0x1000ca00 0x1 0x50
  write 0x1000ca04 0x1 0xd7
  read 0x1000ca02 0x1
  write 0x1000ca01 0x1 0x10
  EOF

=================================================================
==15750==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000de0
 at pc 0x560e61557210 bp 0x7ffcfc4a59f0 sp 0x7ffcfc4a59e8
READ of size 1 at 0x61f000000de0 thread T0
    #0 0x560e6155720f in mem_and hw/block/nand.c:101:20
    #1 0x560e6155ac9c in nand_blk_write_512 hw/block/nand.c:663:9
    #2 0x560e61544200 in nand_command hw/block/nand.c:293:13
    #3 0x560e6153cc83 in nand_setio hw/block/nand.c:520:13
    #4 0x560e61a0a69e in tc6393xb_nand_writeb hw/display/tc6393xb.c:380:13
    #5 0x560e619f9bf7 in tc6393xb_writeb hw/display/tc6393xb.c:524:9
    #6 0x560e647c7d03 in memory_region_write_accessor softmmu/memory.c:492:5
    #7 0x560e647c7641 in access_with_adjusted_size softmmu/memory.c:554:18
    #8 0x560e647c5f66 in memory_region_dispatch_write softmmu/memory.c:1514:16
    #9 0x560e6485409e in flatview_write_continue softmmu/physmem.c:2825:23
    #10 0x560e648421eb in flatview_write softmmu/physmem.c:2867:12
    #11 0x560e64841ca8 in address_space_write softmmu/physmem.c:2963:18
    #12 0x560e61170162 in qemu_writeb tests/qtest/videzzo/videzzo_qemu.c:1080:5
    #13 0x560e6116eef7 in dispatch_mmio_write tests/qtest/videzzo/videzzo_qemu.c:1227:28

0x61f000000de0 is located 0 bytes to the right of 3424-byte region [0x61f000000080,0x61f000000de0)
allocated by thread T0 here:
    #0 0x560e611276cf in malloc /root/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f7959a87e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
    #2 0x560e64b98871 in object_new qom/object.c:749:12
    #3 0x560e64b5d1a1 in qdev_new hw/core/qdev.c:153:19
    #4 0x560e61547ea5 in nand_init hw/block/nand.c:639:11
    #5 0x560e619f8772 in tc6393xb_init hw/display/tc6393xb.c:558:16
    #6 0x560e6390bad2 in tosa_init hw/arm/tosa.c:250:12

SUMMARY: AddressSanitizer: heap-buffer-overflow hw/block/nand.c:101:20 in mem_and
==15750==ABORTING

Broken since introduction in commit 3e3d5815cb ("NAND Flash memory
emulation and ECC calculation helpers for use by NAND controllers").

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1445
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1446
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20240409135944.24997-4-philmd@linaro.org>
(cherry picked from commit d39fdfff34)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-04-10 20:32:12 +03:00
..
dataplane virtio-blk: remove batch notification BH 2023-10-31 15:42:17 +01:00
block.c pflash: Fix blk_pread_nonzeroes() 2023-03-07 16:53:18 +01:00
cdrom.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
ecc.c vmstate: Constify some VMStateDescriptions 2021-05-02 17:24:50 +02:00
fdc-internal.h hw/block/fdc: Declare shared prototypes in fdc-internal.h 2021-06-25 08:53:28 -04:00
fdc-isa.c hw: Replace isa_get_irq() by isa_bus_get_irq() when ISABus is available 2023-02-27 22:29:02 +01:00
fdc-sysbus.c hw/block/fdc-sysbus: Always mark sysbus floppy controllers as not having DMA 2022-06-11 11:36:14 +02:00
fdc.c hw/block: replace TABs with space 2023-03-24 11:45:46 +01:00
hd-geometry.c hw/other: spelling fixes 2023-09-21 11:31:16 +03:00
Kconfig hw/block/fdc: Extract SysBus floppy controllers to fdc-sysbus.c 2021-06-25 08:53:28 -04:00
m25p80.c m25p80: Introduce an helper to retrieve the BlockBackend of a device 2023-09-01 11:40:04 +02:00
m25p80_sfdp.c m25p80: Add the is25wp256 SFPD table 2023-02-07 09:02:04 +01:00
m25p80_sfdp.h m25p80: Add the is25wp256 SFPD table 2023-02-07 09:02:04 +01:00
meson.build meson: Replace softmmu_ss -> system_ss 2023-06-20 10:01:30 +02:00
nand.c hw/block/nand: Fix out-of-bound access in NAND block buffer 2024-04-10 20:32:12 +03:00
onenand.c hw/block: replace TABs with space 2023-03-24 11:45:46 +01:00
pflash_cfi01.c hw/pflash: implement update buffer for block writes 2024-01-20 13:43:42 +03:00
pflash_cfi02.c hw/pflash: implement update buffer for block writes 2024-01-20 13:43:42 +03:00
swim.c swim: update IWM/ISM register block decoding 2023-10-06 10:33:43 +02:00
tc58128.c hw/block: replace TABs with space 2023-03-24 11:45:46 +01:00
trace-events hw/pflash: implement update buffer for block writes 2024-01-20 13:43:42 +03:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vhost-user-blk.c vhost-user: fix the reconnect error 2023-12-02 15:56:49 -05:00
virtio-blk-common.c virtio-blk: add zoned storage emulation for zoned devices 2023-05-15 08:18:10 -04:00
virtio-blk.c block/virtio-blk: Fix memory leak from virtio_blk_zone_report 2024-04-09 20:13:20 +03:00
xen-block.c hw/xen: clean up xen_block_find_free_vdev() to avoid Coverity false positive 2023-11-21 11:45:06 +00:00
xen_blkif.h xen: Import other xen/io/*.h 2019-06-24 10:42:30 +01:00