Re: QEMU | Heap-use-after-free through ehci_flush_qh (#541)
From: Alexander Bulekov
Subject: Re: QEMU | Heap-use-after-free through ehci_flush_qh (#541)
Date: Mon, 23 Aug 2021 04:14:03 -0400
I'm not sure I understand. We try to avoid writing to MMIO regions in
fuzz_dma_read_cb to avoid such false-positives. E.g. that's why we have
code to do address_space_translate and manually walk the AddressSpace
and verify that we are writing to RAM, before doing the actual
qtest_memwrite. There is a fix to that code that needs to be applied, but
it has to wait for the 6.1 release. BTW, since this is about the
generic-fuzzer rather than this bug, I cc-ed qemu-devel. Let's continue
the discussion there.
-Alex
On 210823 0132, 李秋豪 (@QiuhaoLi) wrote:
> 李秋豪 commented on a discussion:
> https://gitlab.com/qemu-project/qemu/-/issues/541#note_657305687
>
> Ok, I add a reply to my report about #540 and #541.
>
> Btw, it suddenly occurred to me that our generic-fuzzer can also make reentry
> issues. For example, a device tries to read from a mmio region while being
> fuzzed, but the fuzz_dma_read_cb() will write to that region, thus leading to
> false-positive reentry issues. In short, we change a read action to write.
> Should we add checks?
>
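To make the point of this exchange concrete, here is an added example that is not code from the thread or from QEMU: a self-contained toy model of the check Alex describes. A constructed address space maps RAM at 0x0000 and a device MMIO window right behind it at 0x1000; `toy_translate`, `toy_memwrite` and `dma_read_cb_checked` are hypothetical stand-ins for `address_space_translate`, `qtest_memwrite` and `fuzz_dma_read_cb`, and the MMIO write handler is instrumented so that any write landing in device registers (the read-turned-write that produces the false-positive reentry) is counted. The checked callback walks the requested range region by region, as the real translate-and-walk code does, and only fills the parts that are backed by RAM, including the case where a DMA range starts in RAM and runs into MMIO.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a guest address space (not QEMU's real API). */
typedef enum { REGION_RAM, REGION_MMIO } RegionKind;

typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
    RegionKind  kind;
    uint8_t    *backing;  /* host buffer for RAM, NULL for MMIO */
} Region;

enum { RAM_SIZE = 0x1000, MMIO_SIZE = 0x1000 };
static uint8_t guest_ram[RAM_SIZE];

/* RAM at 0x0000, followed immediately by a device MMIO window at 0x1000. */
static Region regions[] = {
    { "ram",         0x0000, RAM_SIZE,  REGION_RAM,  guest_ram },
    { "device-mmio", 0x1000, MMIO_SIZE, REGION_MMIO, NULL      },
};

/* Instrumentation: each MMIO write handler invocation is a potential re-entry
 * into device code while that device is still in the middle of its DMA read. */
static unsigned mmio_write_hits;

static void device_mmio_write(uint64_t off, const uint8_t *buf, size_t len)
{
    (void)off; (void)buf; (void)len;
    mmio_write_hits++;
}

static unsigned mmio_write_count(void) { return mmio_write_hits; }

/* Hypothetical stand-in for address_space_translate: map [addr, addr+*len)
 * to a region, clamping *len to the part that fits inside that region. */
static const Region *toy_translate(uint64_t addr, uint64_t *len, uint64_t *off)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const Region *r = &regions[i];
        if (addr >= r->base && addr < r->base + r->size) {
            *off = addr - r->base;
            uint64_t room = r->size - *off;
            if (*len > room) *len = room;
            return r;
        }
    }
    return NULL;  /* unmapped */
}

/* Hypothetical stand-in for qtest_memwrite: no checks, so a write aimed at
 * an MMIO address goes straight into the device's register handler. */
static void toy_memwrite(uint64_t addr, const uint8_t *buf, size_t len)
{
    uint64_t off, n = len;
    const Region *r = toy_translate(addr, &n, &off);
    if (!r) return;
    if (r->kind == REGION_RAM) memcpy(r->backing + off, buf, (size_t)n);
    else device_mmio_write(off, buf, (size_t)n);
}

/* Naive DMA-read callback: fills whatever the device is reading, MMIO included. */
static size_t dma_read_cb_unchecked(uint64_t addr, size_t len, const uint8_t *pattern)
{
    toy_memwrite(addr, pattern, len);
    return len;
}

/* Checked callback: walk the range region by region and write only into RAM.
 * Returns the number of bytes actually written (MMIO and unmapped parts are skipped). */
static size_t dma_read_cb_checked(uint64_t addr, size_t len, const uint8_t *pattern)
{
    size_t written = 0;
    while (len > 0) {
        uint64_t off, n = len;
        const Region *r = toy_translate(addr, &n, &off);
        if (!r) break;                                   /* unmapped: nothing to fill */
        if (r->kind == REGION_RAM) {
            toy_memwrite(addr, pattern + written, (size_t)n);
            written += (size_t)n;
        }
        addr += n;
        len  -= (size_t)n;
    }
    return written;
}

int main(void)
{
    const uint8_t pat[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed fuzz input */
    printf("RAM write:      %zu bytes\n", dma_read_cb_checked(0x100, 8, pat));
    printf("MMIO write:     %zu bytes, handler hits=%u\n",
           dma_read_cb_checked(0x1010, 8, pat), mmio_write_count());
    printf("RAM->MMIO span: %zu bytes\n", dma_read_cb_checked(0xFFC, 8, pat));
    dma_read_cb_unchecked(0x1010, 8, pat);
    printf("unchecked:      handler hits=%u\n", mmio_write_count());
    return 0;
}
```

The design point is that the harness, not the device under test, decides whether a DMA target is writable memory: the checked callback keeps the handler hit count at zero, while the unchecked one re-enters the device's write path and would be reported as a reentrancy bug that the device code never actually has.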