qemu-devel
Re: QEMU | Heap-use-after-free through ehci_flush_qh (#541)


From: Alexander Bulekov
Subject: Re: QEMU | Heap-use-after-free through ehci_flush_qh (#541)
Date: Mon, 23 Aug 2021 04:14:03 -0400

I'm not sure I understand. We try to avoid writing to MMIO regions in
fuzz_dma_read_cb to avoid such false positives. E.g. that's why we have
code to do address_space_translate and manually walk the AddressSpace
and verify that we are writing to RAM, before doing the actual
qtest_memwrite. There is a fix to that code that needs to be applied, but
that has to wait for the 6.1 release. BTW, since this is about the
generic-fuzzer rather than this bug, I cc-ed qemu-devel. Let's continue
the discussion there.

-Alex

On 210823 0132, 李秋豪 (@QiuhaoLi) wrote:
> 李秋豪 commented on a discussion: 
> https://gitlab.com/qemu-project/qemu/-/issues/541#note_657305687
> 
> Ok, I added a reply to my report about #540 and #541.
> 
> Btw, it suddenly occurred to me that our generic-fuzzer can also cause reentry 
> issues. For example, a device tries to read from an MMIO region while being 
> fuzzed, but the fuzz_dma_read_cb() will write to that region, thus leading to 
> false-positive reentry issues. In short, we change a read action to a write. 
> Should we add checks?
> 
> -- 
> Reply to this email directly or view it on GitLab: 
> https://gitlab.com/qemu-project/qemu/-/issues/541#note_657305687
> You're receiving this email because of your account on gitlab.com.
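The check Alex describes, as a stand-alone model added here (this is not QEMU's fuzz_dma_read_cb or any code from the thread): before a DMA-read target is pre-filled with fuzz input, each chunk of the range is translated through the address space and written only if it resolves to RAM, so an MMIO window or an unassigned hole is stepped over instead of being written into (which would re-enter a device's write handler and produce the false-positive reentrancy the reply worries about). The flat region table, `toy_translate`, `fill_dma_target` and `toy_ram_byte` are assumptions of this example; `toy_translate` plays the role that `address_space_translate` plus a `memory_region_is_ram` test play in the real fuzzer, and the memory map is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t hwaddr;

enum region_kind { REGION_RAM, REGION_MMIO };

/* One entry of a constructed, flat guest-physical memory map. A real QEMU
 * AddressSpace is a tree of MemoryRegions with aliases and priorities; this
 * toy keeps just enough to show the "only write RAM" decision. */
typedef struct {
    const char *name;
    hwaddr base;
    hwaddr size;
    enum region_kind kind;
    uint8_t *backing;   /* host memory for RAM regions, NULL for MMIO */
} region_t;

static uint8_t ram0[0x1000];
static uint8_t ram1[0x1000];

/* Constructed map: RAM, a device MMIO window, an unassigned hole, RAM. */
static region_t regions[] = {
    { "ram0",     0x0000, 0x1000, REGION_RAM,  ram0 },
    { "dev-mmio", 0x1000, 0x0100, REGION_MMIO, NULL },
    { "ram1",     0x2000, 0x1000, REGION_RAM,  ram1 },
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* Toy stand-in for address_space_translate(): find the region containing
 * addr and clamp *len to the bytes left in it. If nothing contains addr,
 * return NULL and clamp *len to the gap before the next region, so the
 * caller can step over the hole without touching it. */
static region_t *toy_translate(hwaddr addr, hwaddr *len)
{
    hwaddr next_base = UINT64_MAX;

    for (size_t i = 0; i < NREGIONS; i++) {
        region_t *r = &regions[i];
        if (addr >= r->base && addr - r->base < r->size) {
            hwaddr avail = r->size - (addr - r->base);
            if (*len > avail) {
                *len = avail;
            }
            return r;
        }
        if (r->base > addr && r->base < next_base) {
            next_base = r->base;
        }
    }
    if (next_base != UINT64_MAX && *len > next_base - addr) {
        *len = next_base - addr;
    }
    return NULL;
}

typedef struct {
    size_t ram_bytes;   /* bytes the fuzzer actually wrote */
    size_t skipped;     /* bytes refused because the target is not RAM */
} dma_fill_stats;

/* Model of the fuzz_dma_read_cb() path: the device is about to DMA-read
 * [addr, addr + len) and the fuzzer wants to pre-fill it with input. Every
 * chunk is translated first and written only when it lands in RAM; writing
 * into MMIO from inside another device's DMA read is the reentrancy that
 * would show up as a false positive. */
static dma_fill_stats fill_dma_target(hwaddr addr, hwaddr len, uint8_t pattern)
{
    dma_fill_stats st = { 0, 0 };

    while (len > 0) {
        hwaddr chunk = len;
        region_t *r = toy_translate(addr, &chunk);

        if (r != NULL && r->kind == REGION_RAM) {
            memset(r->backing + (addr - r->base), pattern, (size_t)chunk);
            st.ram_bytes += (size_t)chunk;
        } else {
            st.skipped += (size_t)chunk;  /* MMIO or unassigned: left untouched */
        }
        addr += chunk;
        len -= chunk;
    }
    return st;
}

/* Read back one byte of RAM for inspection; -1 if addr is not RAM. */
static int toy_ram_byte(hwaddr addr)
{
    hwaddr len = 1;
    region_t *r = toy_translate(addr, &len);
    if (r == NULL || r->kind != REGION_RAM) {
        return -1;
    }
    return r->backing[addr - r->base];
}

int main(void)
{
    /* A DMA buffer straddling RAM, the MMIO window, the hole and RAM again. */
    dma_fill_stats st = fill_dma_target(0x0F00, 0x1200, 0xAA);
    printf("wrote %zu bytes of RAM, refused %zu bytes outside RAM\n",
           st.ram_bytes, st.skipped);
    printf("byte at 0x0F00: %d, byte at 0x1000 (MMIO): %d\n",
           toy_ram_byte(0x0F00), toy_ram_byte(0x1000));
    return 0;
}
```

The point of clamping `*len` in `toy_translate` is that one DMA range can cross several regions; a single translate of the start address would say "RAM" and then a single write would spill into the MMIO window that follows it. The real fuzzer has to loop the same way, and the translation has to be redone for every chunk because the map can change between them.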


