qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v4 3/3] tests/qtest/fdc-test: Add a regression test for CVE-2

From: Hanna Reitz
Subject: Re: [PATCH v4 3/3] tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
Date: Thu, 25 Nov 2021 12:57:30 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0 
On 24.11.21 17:15, Philippe Mathieu-Daudé wrote:

Without the previous commit, when running 'make check-qtest-i386'
with QEMU configured with '--enable-sanitizers' we get:

   AddressSanitizer:DEADLYSIGNAL
   =================================================================
   ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
   ==287878==The signal is caused by a WRITE memory access.
   ==287878==Hint: address points to the zero page.
       #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
       #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
       #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
       #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
       #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
       #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9

Add the reproducer for CVE-2021-20196.

Suggested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
  tests/qtest/fdc-test.c | 38 ++++++++++++++++++++++++++++++++++++++
  1 file changed, 38 insertions(+)

diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
index 26b69f7c5cd..8f6eee84a47 100644
--- a/tests/qtest/fdc-test.c
+++ b/tests/qtest/fdc-test.c
@@ -32,6 +32,9 @@
  /* TODO actually test the results and get rid of this */
  #define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__))
+#define DRIVE_FLOPPY_BLANK \ 
+    "-drive 
if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k"
+
  #define TEST_IMAGE_SIZE 1440 * 1024
#define FLOPPY_BASE 0x3f0 
@@ -546,6 +549,40 @@ static void fuzz_registers(void)
      }
  }
+static bool qtest_check_clang_sanitizer(void) 
+{
+#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
+    return true;
+#else
+    g_test_skip("QEMU not configured using --enable-sanitizers");
+    return false;
+#endif
+}
+static void test_cve_2021_20196(void)
+{
+    QTestState *s;
+
+    if (!qtest_check_clang_sanitizer()) {
+        return;
+    }
+
+    s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK);
+
+    qtest_outw(s, 0x3f4, 0x0500);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outw(s, 0x3f4, 0x0000);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outw(s, 0x3f1, 0x0400);
+    qtest_outw(s, 0x3f4, 0x0000);
+    qtest_outw(s, 0x3f4, 0x0000);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_outb(s, 0x3f5, 0x01);
+    qtest_outw(s, 0x3f1, 0x0500);
+    qtest_outb(s, 0x3f5, 0x00);
+    qtest_quit(s);
+}
+
Now this works as a reproducer for me, but... this is a completely different I/O sequence now, right?
Can’t complain, though, I didn’t understand the previous one, I can’t claim I need to understand this one or why they’re different. 

All the rest looks good to me, so all in all:

Reviewed-by: Hanna Reitz <hreitz@redhat.com>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]