diff for duplicates of <e4a34525-dbd1-1f85-475b-b5004885215b@redhat.com>
diff --git a/a/1.txt b/N1/1.txt
index fde9acd..8e38a01 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -1,4 +1,3 @@
-
 On 2020/7/10 下午6:37, Li Qiang wrote:
 > Paolo Bonzini <pbonzini@redhat.com> 于2020年7月10日周五 上午1:36写道:
 >> On 09/07/20 17:51, Li Qiang wrote:
@@ -57,3 +56,155 @@ Thanks
 >
 >> Paolo
 >>
+
+--
+You received this bug notification because you are a member of qemu-
+devel-ml, which is subscribed to QEMU.
+https://bugs.launchpad.net/bugs/1886362
+
+Title:
+ Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers
+
+Status in QEMU:
+ New
+
+Bug description:
+ Hello,
+ This reproducer causes a heap-use-after free. QEMU Built with --enable-sanitizers:
+ cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest \
+ -qtest stdio -nographic -monitor none -serial none
+ outl 0xcf8 0x80001010
+ outl 0xcfc 0xe1020000
+ outl 0xcf8 0x80001014
+ outl 0xcf8 0x80001004
+ outw 0xcfc 0x7
+ outl 0xcf8 0x800010a2
+ write 0xe102003b 0x1 0xff
+ write 0xe1020103 0x1e 0xffffff055c5e5c30be4511d084ffffffffffffffffffffffffffffffffff
+ write 0xe1020420 0x4 0xffffffff
+ write 0xe1020424 0x4 0xffffffff
+ write 0xe102042b 0x1 0xff
+ write 0xe1020430 0x4 0x055c5e5c
+ write 0x5c041 0x1 0x04
+ write 0x5c042 0x1 0x02
+ write 0x5c043 0x1 0xe1
+ write 0x5c048 0x1 0x8a
+ write 0x5c04a 0x1 0x31
+ write 0x5c04b 0x1 0xff
+ write 0xe1020403 0x1 0xff
+ EOF
+
+ The Output:
+ ==22689==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500026800e at pc 0x55b93bb18bfa bp 0x7fffdbe844f0 sp 0x7fffdbe83cb8
+ READ of size 2 at 0x62500026800e thread T0
+ #0 in __asan_memcpy (/build/i386-softmmu/qemu-system-i386+)
+ #1 in lduw_he_p /include/qemu/bswap.h:332:5
+ #2 in ldn_he_p /include/qemu/bswap.h:550:1
+ #3 in flatview_write_continue /exec.c:3145:19
+ #4 in flatview_write /exec.c:3186:14
+ #5 in address_space_write /exec.c:3280:18
+ #6 in address_space_rw /exec.c:3290:16
+ #7 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18
+ #8 in dma_memory_rw /include/sysemu/dma.h:113:12
+ #9 in pci_dma_rw /include/hw/pci/pci.h:789:5
+ #10 in pci_dma_write /include/hw/pci/pci.h:802:12
+ #11 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9
+ #12 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21
+ #13 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9
+ #14 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12
+ #15 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9
+ #16 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9
+ #17 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11
+ #18 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16
+ #19 in e1000e_process_tx_desc /hw/net/e1000e_core.c:743:17
+ #20 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9
+ #21 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9
+ #22 in e1000e_core_write /hw/net/e1000e_core.c:3265:9
+ #23 in e1000e_mmio_write /hw/net/e1000e.c:109:5
+ #24 in memory_region_write_accessor /memory.c:483:5
+ #25 in access_with_adjusted_size /memory.c:544:18
+ #26 in memory_region_dispatch_write /memory.c:1476:16
+ #27 in flatview_write_continue /exec.c:3146:23
+ #28 in flatview_write /exec.c:3186:14
+ #29 in address_space_write /exec.c:3280:18
+ #30 in qtest_process_command /qtest.c:567:9
+ #31 in qtest_process_inbuf /qtest.c:710:9
+ #32 in qtest_read /qtest.c:722:5
+ #33 in qemu_chr_be_write_impl /chardev/char.c:188:9
+ #34 in qemu_chr_be_write /chardev/char.c:200:9
+ #35 in fd_chr_read /chardev/char-fd.c:68:9
+ #36 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12
+ #37 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)
+ #38 in glib_pollfds_poll /util/main-loop.c:219:9
+ #39 in os_host_main_loop_wait /util/main-loop.c:242:5
+ #40 in main_loop_wait /util/main-loop.c:518:11
+ #41 in qemu_main_loop /softmmu/vl.c:1664:9
+ #42 in main /softmmu/main.c:52:5
+ #43 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+)
+ #44 in _start (/build/i386-softmmu/qemu-system-i386+)
+
+ 0x62500026800e is located 14 bytes inside of 138-byte region [0x625000268000,0x62500026808a)
+ freed by thread T0 here:
+ #0 in free (/build/i386-softmmu/qemu-system-i386+)
+ #1 in qemu_vfree /util/oslib-posix.c:238:5
+ #2 in address_space_unmap /exec.c:3616:5
+ #3 in dma_memory_unmap /include/sysemu/dma.h:148:5
+ #4 in pci_dma_unmap /include/hw/pci/pci.h:839:5
+ #5 in net_tx_pkt_reset /hw/net/net_tx_pkt.c:453:9
+ #6 in e1000e_process_tx_desc /hw/net/e1000e_core.c:749:9
+ #7 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9
+ #8 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9
+ #9 in e1000e_core_write /hw/net/e1000e_core.c:3265:9
+ #10 in e1000e_mmio_write /hw/net/e1000e.c:109:5
+ #11 in memory_region_write_accessor /memory.c:483:5
+ #12 in access_with_adjusted_size /memory.c:544:18
+ #13 in memory_region_dispatch_write /memory.c:1476:16
+ #14 in flatview_write_continue /exec.c:3146:23
+ #15 in flatview_write /exec.c:3186:14
+ #16 in address_space_write /exec.c:3280:18
+ #17 in address_space_rw /exec.c:3290:16
+ #18 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18
+ #19 in dma_memory_rw /include/sysemu/dma.h:113:12
+ #20 in pci_dma_rw /include/hw/pci/pci.h:789:5
+ #21 in pci_dma_write /include/hw/pci/pci.h:802:12
+ #22 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9
+ #23 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21
+ #24 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9
+ #25 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12
+ #26 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9
+ #27 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9
+ #28 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11
+ #29 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16
+
+ previously allocated by thread T0 here:
+ #0 in posix_memalign (/build/i386-softmmu/qemu-system-i386+)
+ #1 in qemu_try_memalign /util/oslib-posix.c:198:11
+ #2 in qemu_memalign /util/oslib-posix.c:214:27
+ #3 in address_space_map /exec.c:3558:25
+ #4 in dma_memory_map /include/sysemu/dma.h:138:9
+ #5 in pci_dma_map /include/hw/pci/pci.h:832:11
+ #6 in net_tx_pkt_add_raw_fragment /hw/net/net_tx_pkt.c:391:24
+ #7 in e1000e_process_tx_desc /hw/net/e1000e_core.c:731:14
+ #8 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9
+ #9 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9
+ #10 in e1000e_core_write /hw/net/e1000e_core.c:3265:9
+ #11 in e1000e_mmio_write /hw/net/e1000e.c:109:5
+ #12 in memory_region_write_accessor /memory.c:483:5
+ #13 in access_with_adjusted_size /memory.c:544:18
+ #14 in memory_region_dispatch_write /memory.c:1476:16
+ #15 in flatview_write_continue /exec.c:3146:23
+ #16 in flatview_write /exec.c:3186:14
+ #17 in address_space_write /exec.c:3280:18
+ #18 in qtest_process_command /qtest.c:567:9
+ #19 in qtest_process_inbuf /qtest.c:710:9
+ #20 in qtest_read /qtest.c:722:5
+ #21 in qemu_chr_be_write_impl /chardev/char.c:188:9
+ #22 in qemu_chr_be_write /chardev/char.c:200:9
+ #23 in fd_chr_read /chardev/char-fd.c:68:9
+ #24 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12
+ #25 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)
+
+ -Alex
+
+To manage notifications about this bug go to:
+https://bugs.launchpad.net/qemu/+bug/1886362/+subscriptions
diff --git a/a/content_digest b/N1/content_digest
index d683191..a8c53c5 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -2,30 +2,16 @@
 "ref\000159400349818.1851.7243060688419202620.malonedeb\@wampee.canonical.com\0"
 ]
 [
- "ref\0CAKXe6S+J3nARveToQjECbwV224gs66WkqGHybUhfw35t1+V8og\@mail.gmail.com\0"
-]
-[
- "ref\0002cbdf822-c74c-1af9-e5e6-7dd71412201e\@redhat.com\0"
-]
-[
- "ref\0CAKXe6S+ct7D+ibGmrAMJnqKBBKyUpwVnCem8=d=jB-0tUT-N2Q\@mail.gmail.com\0"
-]
-[
- "From\0Jason Wang <jasowang\@redhat.com>\0"
+ "From\0Jason Wang <1886362\@bugs.launchpad.net>\0"
 ]
 [
 "Subject\0Re: [Bug 1886362] [NEW] Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers\0"
 ]
 [
- "Date\0Tue, 14 Jul 2020 16:56:05 +0800\0"
-]
-[
- "To\0Li Qiang <liq3ea\@gmail.com>",
- " Paolo Bonzini <pbonzini\@redhat.com>\0"
+ "Date\0Tue, 14 Jul 2020 08:56:05 -0000\0"
 ]
 [
- "Cc\0Bug 1886362 <1886362\@bugs.launchpad.net>",
- " Qemu Developers <qemu-devel\@nongnu.org>\0"
+ "To\0qemu-devel\@nongnu.org\0"
 ]
 [
 "\0000:1\0"
@@ -34,7 +20,6 @@
 "b\0"
 ]
 [
- "\n",
 "On 2020/7/10 \344\270\213\345\215\2106:37, Li Qiang wrote:\n",
 "> Paolo Bonzini <pbonzini\@redhat.com> \344\272\2162020\345\271\2647\346\234\21010\346\227\245\345\221\250\344\272\224 \344\270\212\345\215\2101:36\345\206\231\351\201\223\357\274\232\n",
 ">> On 09/07/20 17:51, Li Qiang wrote:\n",
@@ -92,7 +77,159 @@
 "> Li Qiang\n",
 ">\n",
 ">> Paolo\n",
- ">>"
+ ">>\n",
+ "\n",
+ "-- \n",
+ "You received this bug notification because you are a member of qemu-\n",
+ "devel-ml, which is subscribed to QEMU.\n",
+ "https://bugs.launchpad.net/bugs/1886362\n",
+ "\n",
+ "Title:\n",
+ " Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers\n",
+ "\n",
+ "Status in QEMU:\n",
+ " New\n",
+ "\n",
+ "Bug description:\n",
+ " Hello,\n",
+ " This reproducer causes a heap-use-after free. QEMU Built with --enable-sanitizers:\n",
+ " cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest \\\n",
+ " -qtest stdio -nographic -monitor none -serial none\n",
+ " outl 0xcf8 0x80001010\n",
+ " outl 0xcfc 0xe1020000\n",
+ " outl 0xcf8 0x80001014\n",
+ " outl 0xcf8 0x80001004\n",
+ " outw 0xcfc 0x7\n",
+ " outl 0xcf8 0x800010a2\n",
+ " write 0xe102003b 0x1 0xff\n",
+ " write 0xe1020103 0x1e 0xffffff055c5e5c30be4511d084ffffffffffffffffffffffffffffffffff\n",
+ " write 0xe1020420 0x4 0xffffffff\n",
+ " write 0xe1020424 0x4 0xffffffff\n",
+ " write 0xe102042b 0x1 0xff\n",
+ " write 0xe1020430 0x4 0x055c5e5c\n",
+ " write 0x5c041 0x1 0x04\n",
+ " write 0x5c042 0x1 0x02\n",
+ " write 0x5c043 0x1 0xe1\n",
+ " write 0x5c048 0x1 0x8a\n",
+ " write 0x5c04a 0x1 0x31\n",
+ " write 0x5c04b 0x1 0xff\n",
+ " write 0xe1020403 0x1 0xff\n",
+ " EOF\n",
+ "\n",
+ " The Output:\n",
+ " ==22689==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500026800e at pc 0x55b93bb18bfa bp 0x7fffdbe844f0 sp 0x7fffdbe83cb8\n",
+ " READ of size 2 at 0x62500026800e thread T0\n",
+ " #0 in __asan_memcpy (/build/i386-softmmu/qemu-system-i386+)\n",
+ " #1 in lduw_he_p /include/qemu/bswap.h:332:5\n",
+ " #2 in ldn_he_p /include/qemu/bswap.h:550:1\n",
+ " #3 in flatview_write_continue /exec.c:3145:19\n",
+ " #4 in flatview_write /exec.c:3186:14\n",
+ " #5 in address_space_write /exec.c:3280:18\n",
+ " #6 in address_space_rw /exec.c:3290:16\n",
+ " #7 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18\n",
+ " #8 in dma_memory_rw /include/sysemu/dma.h:113:12\n",
+ " #9 in pci_dma_rw /include/hw/pci/pci.h:789:5\n",
+ " #10 in pci_dma_write /include/hw/pci/pci.h:802:12\n",
+ " #11 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9\n",
+ " #12 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21\n",
+ " #13 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9\n",
+ " #14 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12\n",
+ " #15 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9\n",
+ " #16 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9\n",
+ " #17 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11\n",
+ " #18 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16\n",
+ " #19 in e1000e_process_tx_desc /hw/net/e1000e_core.c:743:17\n",
+ " #20 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9\n",
+ " #21 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9\n",
+ " #22 in e1000e_core_write /hw/net/e1000e_core.c:3265:9\n",
+ " #23 in e1000e_mmio_write /hw/net/e1000e.c:109:5\n",
+ " #24 in memory_region_write_accessor /memory.c:483:5\n",
+ " #25 in access_with_adjusted_size /memory.c:544:18\n",
+ " #26 in memory_region_dispatch_write /memory.c:1476:16\n",
+ " #27 in flatview_write_continue /exec.c:3146:23\n",
+ " #28 in flatview_write /exec.c:3186:14\n",
+ " #29 in address_space_write /exec.c:3280:18\n",
+ " #30 in qtest_process_command /qtest.c:567:9\n",
+ " #31 in qtest_process_inbuf /qtest.c:710:9\n",
+ " #32 in qtest_read /qtest.c:722:5\n",
+ " #33 in qemu_chr_be_write_impl /chardev/char.c:188:9\n",
+ " #34 in qemu_chr_be_write /chardev/char.c:200:9\n",
+ " #35 in fd_chr_read /chardev/char-fd.c:68:9\n",
+ " #36 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12\n",
+ " #37 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)\n",
+ " #38 in glib_pollfds_poll /util/main-loop.c:219:9\n",
+ " #39 in os_host_main_loop_wait /util/main-loop.c:242:5\n",
+ " #40 in main_loop_wait /util/main-loop.c:518:11\n",
+ " #41 in qemu_main_loop /softmmu/vl.c:1664:9\n",
+ " #42 in main /softmmu/main.c:52:5\n",
+ " #43 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+)\n",
+ " #44 in _start (/build/i386-softmmu/qemu-system-i386+)\n",
+ "\n",
+ " 0x62500026800e is located 14 bytes inside of 138-byte region [0x625000268000,0x62500026808a)\n",
+ " freed by thread T0 here:\n",
+ " #0 in free (/build/i386-softmmu/qemu-system-i386+)\n",
+ " #1 in qemu_vfree /util/oslib-posix.c:238:5\n",
+ " #2 in address_space_unmap /exec.c:3616:5\n",
+ " #3 in dma_memory_unmap /include/sysemu/dma.h:148:5\n",
+ " #4 in pci_dma_unmap /include/hw/pci/pci.h:839:5\n",
+ " #5 in net_tx_pkt_reset /hw/net/net_tx_pkt.c:453:9\n",
+ " #6 in e1000e_process_tx_desc /hw/net/e1000e_core.c:749:9\n",
+ " #7 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9\n",
+ " #8 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9\n",
+ " #9 in e1000e_core_write /hw/net/e1000e_core.c:3265:9\n",
+ " #10 in e1000e_mmio_write /hw/net/e1000e.c:109:5\n",
+ " #11 in memory_region_write_accessor /memory.c:483:5\n",
+ " #12 in access_with_adjusted_size /memory.c:544:18\n",
+ " #13 in memory_region_dispatch_write /memory.c:1476:16\n",
+ " #14 in flatview_write_continue /exec.c:3146:23\n",
+ " #15 in flatview_write /exec.c:3186:14\n",
+ " #16 in address_space_write /exec.c:3280:18\n",
+ " #17 in address_space_rw /exec.c:3290:16\n",
+ " #18 in dma_memory_rw_relaxed /include/sysemu/dma.h:87:18\n",
+ " #19 in dma_memory_rw /include/sysemu/dma.h:113:12\n",
+ " #20 in pci_dma_rw /include/hw/pci/pci.h:789:5\n",
+ " #21 in pci_dma_write /include/hw/pci/pci.h:802:12\n",
+ " #22 in e1000e_write_to_rx_buffers /hw/net/e1000e_core.c:1412:9\n",
+ " #23 in e1000e_write_packet_to_guest /hw/net/e1000e_core.c:1582:21\n",
+ " #24 in e1000e_receive_iov /hw/net/e1000e_core.c:1709:9\n",
+ " #25 in e1000e_nc_receive_iov /hw/net/e1000e.c:213:12\n",
+ " #26 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:544:9\n",
+ " #27 in net_tx_pkt_send /hw/net/net_tx_pkt.c:620:9\n",
+ " #28 in net_tx_pkt_send_loopback /hw/net/net_tx_pkt.c:633:11\n",
+ " #29 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:664:16\n",
+ "\n",
+ " previously allocated by thread T0 here:\n",
+ " #0 in posix_memalign (/build/i386-softmmu/qemu-system-i386+)\n",
+ " #1 in qemu_try_memalign /util/oslib-posix.c:198:11\n",
+ " #2 in qemu_memalign /util/oslib-posix.c:214:27\n",
+ " #3 in address_space_map /exec.c:3558:25\n",
+ " #4 in dma_memory_map /include/sysemu/dma.h:138:9\n",
+ " #5 in pci_dma_map /include/hw/pci/pci.h:832:11\n",
+ " #6 in net_tx_pkt_add_raw_fragment /hw/net/net_tx_pkt.c:391:24\n",
+ " #7 in e1000e_process_tx_desc /hw/net/e1000e_core.c:731:14\n",
+ " #8 in e1000e_start_xmit /hw/net/e1000e_core.c:934:9\n",
+ " #9 in e1000e_set_tctl /hw/net/e1000e_core.c:2431:9\n",
+ " #10 in e1000e_core_write /hw/net/e1000e_core.c:3265:9\n",
+ " #11 in e1000e_mmio_write /hw/net/e1000e.c:109:5\n",
+ " #12 in memory_region_write_accessor /memory.c:483:5\n",
+ " #13 in access_with_adjusted_size /memory.c:544:18\n",
+ " #14 in memory_region_dispatch_write /memory.c:1476:16\n",
+ " #15 in flatview_write_continue /exec.c:3146:23\n",
+ " #16 in flatview_write /exec.c:3186:14\n",
+ " #17 in address_space_write /exec.c:3280:18\n",
+ " #18 in qtest_process_command /qtest.c:567:9\n",
+ " #19 in qtest_process_inbuf /qtest.c:710:9\n",
+ " #20 in qtest_read /qtest.c:722:5\n",
+ " #21 in qemu_chr_be_write_impl /chardev/char.c:188:9\n",
+ " #22 in qemu_chr_be_write /chardev/char.c:200:9\n",
+ " #23 in fd_chr_read /chardev/char-fd.c:68:9\n",
+ " #24 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12\n",
+ " #25 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+)\n",
+ "\n",
+ " -Alex\n",
+ "\n",
+ "To manage notifications about this bug go to:\n",
+ "https://bugs.launchpad.net/qemu/+bug/1886362/+subscriptions"
 ]
-fefd147c018ca6d517725e6f59a35740e235819690f9ac0181c2a701774dfea3
+8b214ec78ecde9e3bac12688cee3ea42be2e8cb09f40bf62dff8ba5b89ff6b80