[Bug 1892761] [NEW] Heap-use-after-free through double-fetch in ehci

[Alexander Bulekov]

Public bug reported:

Hello,
I don't have a qtest reproducer for this crash because it involves a DMA 
double-fetch, and I don't think we can reproduce those with qtest.

Instead, I attached the pseudo-qtest trace produced by the fuzzer, along with 
some trace events.
The lines annotated with [DMA] are write commands that were triggered by a 
callback from a DMA read by the device. The lines annotated with [DOUBLE-FETCH] 
are DMA accesses that hit the same address more than once (possible 
double-fetches).

I am still thinking of nicer ways of presenting this trace and providing a 
reproducer.
-Alex

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "ehci"
   https://bugs.launchpad.net/bugs/1892761/+attachment/5404187/+files/ehci

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892761

Title:
  Heap-use-after-free through double-fetch in ehci

Status in QEMU:
  New

Bug description:
  Hello,
  I don't have a qtest reproducer for this crash because it involves a DMA 
double-fetch, and I don't think we can reproduce those with qtest.

  Instead, I attached the pseudo-qtest trace produced by the fuzzer, along with 
some trace events.
  The lines annotated with [DMA] are write commands that were triggered by a 
callback from a DMA read by the device. The lines annotated with [DOUBLE-FETCH] 
are DMA accesses that hit the same address more than once (possible 
double-fetches).

  I am still thinking of nicer ways of presenting this trace and providing a 
reproducer.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892761/+subscriptions