[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PULL 0/5] 9p queue 2022-02-10
|
From: |
Peter Maydell |
|
Subject: |
Re: [PULL 0/5] 9p queue 2022-02-10 |
|
Date: |
Sun, 13 Feb 2022 20:33:10 +0000 |
On Thu, 10 Feb 2022 at 11:33, Christian Schoenebeck
<qemu_oss@crudebyte.com> wrote:
>
> The following changes since commit 0a301624c2f4ced3331ffd5bce85b4274fe132af:
>
> Merge remote-tracking branch
> 'remotes/pmaydell/tags/pull-target-arm-20220208' into staging (2022-02-08
> 11:40:08 +0000)
>
> are available in the Git repository at:
>
> https://github.com/cschoenebeck/qemu.git tags/pull-9p-20220210
>
> for you to fetch changes up to de19c79dad6a2cad54ae04ce754d47c07bf9bc93:
>
> 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread
> (2022-02-10 11:56:01 +0100)
>
> ----------------------------------------------------------------
> 9pfs: fixes and cleanup
>
> * Fifth patch fixes a 9pfs server crash that happened on some systems due
> to incorrect (system dependant) handling of struct dirent size.
>
> * Tests: Second patch fixes a test error that happened on some systems due
> mkdir() being called twice for creating the test directory for the 9p
> 'local' tests.
>
> * Tests: Third patch fixes a memory leak.
>
> * Tests: The remaining two patches are code cleanup.
>
> ----------------------------------------------------------------
Hi; this fails CI for the build-oss-fuzz job, which finds
a heap-buffer-overflow:
https://gitlab.com/qemu-project/qemu/-/jobs/2087610013
8/152 qemu:qtest+qtest-i386 / qtest-i386/qos-test ERROR 66.74s killed
by signal 6 SIGABRT
>>> QTEST_QEMU_BINARY=./qemu-system-i386
>>> QTEST_QEMU_STORAGE_DAEMON_BINARY=./storage-daemon/qemu-storage-daemon
>>> MALLOC_PERTURB_=120
>>> G_TEST_DBUS_DAEMON=/builds/qemu-project/qemu/tests/dbus-vmstate-daemon.sh
>>> QTEST_QEMU_IMG=./qemu-img
>>> /builds/qemu-project/qemu/build-oss-fuzz/tests/qtest/qos-test --tap -k
――――――――――――――――――――――――――――――――――――― ✀ ―――――――――――――――――――――――――――――――――――――
Listing only the last 100 lines from a long log.
For details see https://github.com/google/sanitizers/issues/189
==7270==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7270==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7ffc79fb0000; bottom 0x7ff908ffd000; size:
0x000370fb3000 (14780411904)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
==7276==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7276==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7fff7e4a8000; bottom 0x7fd6363fd000; size:
0x0029480ab000 (177302319104)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
==7282==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7282==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7ffee6e7f000; bottom 0x7f32fb5fd000; size:
0x00cbeb882000 (875829927936)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
==7288==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7288==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7ffc6118e000; bottom 0x7f6391cfd000; size:
0x0098cf491000 (656312700928)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
==7294==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7294==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7ffef665d000; bottom 0x7f69dc8fd000; size:
0x009519d60000 (640383582208)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
==7300==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7300==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7ffe33db0000; bottom 0x7f01421fd000; size:
0x00fcf1bb3000 (1086387335168)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
==7306==WARNING: ASan doesn't fully support makecontext/swapcontext
functions and may produce false positives in some cases!
==7306==WARNING: ASan is ignoring requested __asan_handle_no_return:
stack type: default top: 0x7ffebd618000; bottom 0x7ff1179fd000; size:
0x000da5c1b000 (58615508992)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189
=================================================================
==7306==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x612000030768 at pc 0x562351066c74 bp 0x7ff1078c3a90 sp
0x7ff1078c3240
READ of size 48830 at 0x612000030768 thread T4
#0 0x562351066c73 in __interceptor_memcpy.part.0 asan_interceptors.cpp.o
#1 0x7ff1290d443f in g_memdup (/lib64/libglib-2.0.so.0+0x6e43f)
#2 0x56235134537a in do_readdir_many
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/codir.c:146:19
#3 0x56235134537a in v9fs_co_readdir_many
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/codir.c:225:5
#4 0x56235132d626 in v9fs_do_readdir
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/9p.c:2430:13
#5 0x56235132d626 in v9fs_readdir
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/9p.c:2543:13
#6 0x56235257101e in coroutine_trampoline
/builds/qemu-project/qemu/build-oss-fuzz/../util/coroutine-ucontext.c:173:9
#7 0x7ff126e0e84f (/lib64/libc.so.6+0x5784f)
0x612000030768 is located 0 bytes to the right of 296-byte region
[0x612000030640,0x612000030768)
allocated by thread T4 here:
#0 0x5623510a4e47 in malloc
(/builds/qemu-project/qemu/build-oss-fuzz/qemu-system-i386+0x1146e47)
#1 0x7ff1290c03d8 in g_malloc (/lib64/libglib-2.0.so.0+0x5a3d8)
#2 0x56235131e659 in synth_opendir
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/9p-synth.c:185:18
#3 0x5623513462f5 in v9fs_co_opendir
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/codir.c:321:5
#4 0x5623513257d7 in v9fs_open
/builds/qemu-project/qemu/build-oss-fuzz/../hw/9pfs/9p.c:1959:15
#5 0x56235257101e in coroutine_trampoline
/builds/qemu-project/qemu/build-oss-fuzz/../util/coroutine-ucontext.c:173:9
#6 0x7ff126e0e84f (/lib64/libc.so.6+0x5784f)
Thread T4 created by T0 here:
#0 0x562351015926 in pthread_create
(/builds/qemu-project/qemu/build-oss-fuzz/qemu-system-i386+0x10b7926)
#1 0x5623525351ea in qemu_thread_create
/builds/qemu-project/qemu/build-oss-fuzz/../util/qemu-thread-posix.c:596:11
#2 0x5623525a4588 in do_spawn_thread
/builds/qemu-project/qemu/build-oss-fuzz/../util/thread-pool.c:134:5
#3 0x5623525a4588 in spawn_thread_bh_fn
/builds/qemu-project/qemu/build-oss-fuzz/../util/thread-pool.c:142:5
#4 0x562352569814 in aio_bh_call
/builds/qemu-project/qemu/build-oss-fuzz/../util/async.c:141:5
#5 0x562352569814 in aio_bh_poll
/builds/qemu-project/qemu/build-oss-fuzz/../util/async.c:169:13
#6 0x5623525248cc in aio_dispatch
/builds/qemu-project/qemu/build-oss-fuzz/../util/aio-posix.c:415:5
#7 0x56235256c34c in aio_ctx_dispatch
/builds/qemu-project/qemu/build-oss-fuzz/../util/async.c:311:5
#8 0x7ff1290bb05e in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x5505e)
SUMMARY: AddressSanitizer: heap-buffer-overflow
asan_interceptors.cpp.o in __interceptor_memcpy.part.0
Shadow bytes around the buggy address:
0x0c247fffe090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffe0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffe0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c247fffe0c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fffe0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fffe0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
0x0c247fffe0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffe100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffe110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffe120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffe130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7306==ABORTING
thanks
-- PMM
- [PULL 0/5] 9p queue 2022-02-10, Christian Schoenebeck, 2022/02/10
- [PULL 4/5] tests/9pfs: Use g_autofree and g_autoptr where possible, Christian Schoenebeck, 2022/02/10
- [PULL 2/5] tests/9pfs: fix mkdir() being called twice, Christian Schoenebeck, 2022/02/10
- [PULL 3/5] tests/9pfs: Fix leak of local_test_path, Christian Schoenebeck, 2022/02/10
- [PULL 5/5] 9pfs: Fix segfault in do_readdir_many caused by struct dirent overread, Christian Schoenebeck, 2022/02/10
- [PULL 1/5] tests/9pfs: use g_autofree where possible, Christian Schoenebeck, 2022/02/10
- Re: [PULL 0/5] 9p queue 2022-02-10,
Peter Maydell <=
- Re: [PULL 0/5] 9p queue 2022-02-10, Christian Schoenebeck, 2022/02/14
- Re: [PULL 0/5] 9p queue 2022-02-10, Greg Kurz, 2022/02/14
- Re: [PULL 0/5] 9p queue 2022-02-10, Christian Schoenebeck, 2022/02/14
- Re: [PULL 0/5] 9p queue 2022-02-10, Vitaly Chikunov, 2022/02/14
- Re: [PULL 0/5] 9p queue 2022-02-10, Christian Schoenebeck, 2022/02/14
- Re: [PULL 0/5] 9p queue 2022-02-10, Greg Kurz, 2022/02/15
- Re: [PULL 0/5] 9p queue 2022-02-10, Christian Schoenebeck, 2022/02/16
- Re: [PULL 0/5] 9p queue 2022-02-10, Greg Kurz, 2022/02/16