This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o #20

Closed
p0ryae opened this issue Mar 4, 2022 · 2 comments

Comments

@p0ryae

p0ryae commented Mar 4, 2022

Hello, it's me again,

I tried the other documentation, and it was successful until some time later only. It got stuck on another module this time:

FAILED: libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o 
cc -Ilibcommon.fa.p -I/usr/include/pixman-1 -I/usr/include/libpng16 -I/usr/include/p11-kit-1 -I/usr/include/SDL2 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/sysprof-4 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/local/include -I/usr/include/slirp -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/cairo -I/usr/include/lzo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/cloudproviders -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -I/usr/include/at-spi-2.0 -I/usr/include/vte-2.91 -I/usr/include/virgl -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr -I/usr/include/libusb-1.0 -fdiagnostics-color=auto -Wall -Winvalid-pch -std=gnu11 -O2 -g -isystem /home/porya/qemu-t8030/linux-headers -isystem linux-headers -iquote . -iquote /home/porya/qemu-t8030 -iquote /home/porya/qemu-t8030/include -iquote /home/porya/qemu-t8030/disas/libvixl -iquote /home/porya/qemu-t8030/tcg/i386 -pthread -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -fPIE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 -DNCURSES_WIDECHAR -D_REENTRANT -Wno-undef -DSTRUCT_IOVEC_DEFINED -MD -MQ libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -MF libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o.d -o libcommon.fa.p/hw_misc_apple_spmi_pmu.c.o -c ../hw/misc/apple_spmi_pmu.c
../hw/misc/apple_spmi_pmu.c:51:26: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘tick_to_ns’
   51 | static uint64_t __unused tick_to_ns(AppleSPMIPMUState *p, uint64_t tick)
      |                          ^~~~~~~~~~
[1349/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_xdma.c.o
[1350/3071] Compiling C object libcommon.fa.p/hw_misc_nrf51_rng.c.o
[1351/3071] Compiling C object libcommon.fa.p/hw_misc_msf2-sysreg.c.o
[1352/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_sdmc.c.o
[1353/3071] Compiling C object libcommon.fa.p/hw_misc_aspeed_scu.c.o
[1354/3071] Compiling C object libcommon.fa.p/hw_net_ne2000-pci.c.o
[1355/3071] Compiling C object libcommon.fa.p/hw_misc_apple_smc.c.o
../hw/misc/apple_smc.c: In function ‘smc_key_mbse_write’:
../hw/misc/apple_smc.c:238:10: warning: multi-character character constant [-Wmultichar]
  238 |     case 'off1':
      |          ^~~~~~
../hw/misc/apple_smc.c:241:10: warning: multi-character character constant [-Wmultichar]
  241 |     case 'susp':
      |          ^~~~~~
../hw/misc/apple_smc.c:251:10: warning: multi-character character constant [-Wmultichar]
  251 |     case 'rest':
      |          ^~~~~~
../hw/misc/apple_smc.c:254:10: warning: multi-character character constant [-Wmultichar]
  254 |     case 'slpw':
      |          ^~~~~~
../hw/misc/apple_smc.c: In function ‘smc_key_nesn_write’:
../hw/misc/apple_smc.c:281:14: warning: unused variable ‘p’ [-Wunused-variable]
  281 |     uint8_t *p = (uint8_t *)payload;
      |              ^
../hw/misc/apple_smc.c: In function ‘apple_smc_handle_key_endpoint’:
../hw/misc/apple_smc.c:354:34: warning: taking address of packed member of ‘struct key_response’ may result in an unaligned pointer value [-Waddress-of-packed-member]
  354 |             bswap32s((uint32_t *)r.response);
      |                                  ^
../hw/misc/apple_smc.c: In function ‘apple_smc_create’:
../hw/misc/apple_smc.c:428:9: warning: unused variable ‘i’ [-Wunused-variable]
  428 |     int i;
      |         ^
../hw/misc/apple_smc.c: In function ‘apple_smc_realize’:
../hw/misc/apple_smc.c:529:28: warning: multi-character character constant [-Wmultichar]
  529 |     smc_create_key_func(s, '#KEY', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:529:47: warning: multi-character character constant [-Wmultichar]
  529 |     smc_create_key_func(s, '#KEY', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:532:23: warning: multi-character character constant [-Wmultichar]
  532 |     smc_create_key(s, 'CLKH', 8, 0x7b636c68, SMC_ATTR_LITTLE_ENDIAN, data);
      |                       ^~~~~~
../hw/misc/apple_smc.c:535:23: warning: multi-character character constant [-Wmultichar]
  535 |     smc_create_key(s, 'RGEN', 1, bswap32('ui8 '), SMC_ATTR_LITTLE_ENDIAN, data);
      |                       ^~~~~~
../hw/misc/apple_smc.c:535:42: warning: multi-character character constant [-Wmultichar]
  535 |     smc_create_key(s, 'RGEN', 1, bswap32('ui8 '), SMC_ATTR_LITTLE_ENDIAN, data);
      |                                          ^~~~~~
../hw/misc/apple_smc.c:538:23: warning: multi-character character constant [-Wmultichar]
  538 |     smc_create_key(s, 'aDC#', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN, &value);
      |                       ^~~~~~
../hw/misc/apple_smc.c:538:42: warning: multi-character character constant [-Wmultichar]
  538 |     smc_create_key(s, 'aDC#', 4, bswap32('ui32'), SMC_ATTR_LITTLE_ENDIAN, &value);
      |                                          ^~~~~~
../hw/misc/apple_smc.c:540:28: warning: multi-character character constant [-Wmultichar]
  540 |     smc_create_key_func(s, 'MBSE', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:540:47: warning: multi-character character constant [-Wmultichar]
  540 |     smc_create_key_func(s, 'MBSE', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:543:28: warning: multi-character character constant [-Wmultichar]
  543 |     smc_create_key_func(s, 'LGPB', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:543:47: warning: multi-character character constant [-Wmultichar]
  543 |     smc_create_key_func(s, 'LGPB', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:545:28: warning: multi-character character constant [-Wmultichar]
  545 |     smc_create_key_func(s, 'LGPE', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:545:47: warning: multi-character character constant [-Wmultichar]
  545 |     smc_create_key_func(s, 'LGPE', 1, bswap32('flag'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
../hw/misc/apple_smc.c:547:28: warning: multi-character character constant [-Wmultichar]
  547 |     smc_create_key_func(s, 'NESN', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                            ^~~~~~
../hw/misc/apple_smc.c:547:47: warning: multi-character character constant [-Wmultichar]
  547 |     smc_create_key_func(s, 'NESN', 4, bswap32('hex_'), SMC_ATTR_LITTLE_ENDIAN,
      |                                               ^~~~~~
At top level:
../hw/misc/apple_smc.c:415:13: warning: ‘apple_smc_set_irq’ defined but not used [-Wunused-function]
  415 | static void apple_smc_set_irq(void *opaque, int irq_num, int level)
      |             ^~~~~~~~~~~~~~~~~
../hw/misc/apple_smc.c:213:16: warning: ‘smc_key_copy_write’ defined but not used [-Wunused-function]
  213 | static uint8_t smc_key_copy_write(AppleSMCState *s, smc_key *k,
      |                ^~~~~~~~~~~~~~~~~~
[1356/3071] Compiling C object libcommon.fa.p/hw_net_ne2000.c.o
[1357/3071] Compiling C object libcommon.fa.p/hw_misc_apple_mbox.c.o
In file included from ../hw/misc/apple_mbox.c:3:
../hw/misc/apple_mbox.c: In function ‘apple_mbox_iop_reg_read’:
../hw/misc/apple_mbox.c:836:38: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=]
  836 |             qemu_log_mask(LOG_UNIMP, "%s: AppleA7IOP AKF unknown IOP reg READ @ 0x"
      |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  837 |                                      TARGET_FMT_plx " ret: 0x%08llx\n",
  838 |                                      s->role, addr, ret);
      |                                                     ~~~
      |                                                     |
      |                                                     uint64_t {aka long unsigned int}
/home/porya/qemu-t8030/include/qemu/log.h:120:22: note: in definition of macro ‘qemu_log_mask’
  120 |             qemu_log(FMT, ## __VA_ARGS__);              \
      |                      ^~~
[1358/3071] Compiling C object libcommon.fa.p/hw_net_pcnet-pci.c.o
[1359/3071] Compiling C object libcommon.fa.p/hw_misc_apple_aes.c.o
../hw/misc/apple_aes.c: In function ‘key_mode’:
../hw/misc/apple_aes.c:92:1: warning: control reaches end of non-void function [-Wreturn-type]
   92 | }
      | ^
[1360/3071] Compiling C object libcommon.fa.p/hw_net_eepro100.c.o
[1361/3071] Compiling C object libcommon.fa.p/hw_net_pcnet.c.o
[1362/3071] Compiling C object libcommon.fa.p/hw_net_e1000.c.o
[1363/3071] Compiling C object libcommon.fa.p/hw_display_cirrus_vga.c.o
ninja: build stopped: subcommand failed.
make: *** [Makefile:156: run-ninja] Error 1

@asdfugil

asdfugil commented Mar 4, 2022

Remove __unused from ../hw/misc/apple_spmi_pmu.c

There are a few more source files that fail for the same reason. Remove __unused from them as well.

Duplicate of #17
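Why removing `__unused` fixes the build, shown as an added example that is not code from qemu-t8030 or QEMU: on macOS and the BSDs `<sys/cdefs.h>` defines `__unused` as `__attribute__((__unused__))`, but glibc defines no such macro, so GCC on Linux parses `static uint64_t __unused tick_to_ns(...)` with `__unused` as the declarator and stops at the unexpected identifier `tick_to_ns`, which is exactly the error in the log. The portable spelling is the attribute itself (QEMU proper uses GLib's `G_GNUC_UNUSED`). `EX_UNUSED`, `ExPmuState` and the 24 MHz timebase below are assumptions made for the example.

```c
/*
 * Added example, not code from qemu-t8030 or QEMU: why
 *     static uint64_t __unused tick_to_ns(AppleSPMIPMUState *p, uint64_t tick)
 * fails on a glibc host, and a portable spelling of the same intent.
 *
 * On macOS/BSD, <sys/cdefs.h> defines __unused as __attribute__((__unused__)).
 * glibc defines no such macro, so GCC reads "__unused" as the declarator of
 * "static uint64_t __unused" and then trips over "tick_to_ns".
 * EX_UNUSED is an assumed name; in QEMU the equivalent is G_GNUC_UNUSED.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__GNUC__) || defined(__clang__)
#define EX_UNUSED __attribute__((__unused__))
#else
#define EX_UNUSED
#endif

#define NS_PER_SEC 1000000000ULL

/* Stand-in for AppleSPMIPMUState; the 24 MHz timebase is an assumption. */
typedef struct {
    uint64_t tick_freq_hz;
} ExPmuState;

/*
 * Convert PMU ticks to nanoseconds without the intermediate overflow of
 * tick * NS_PER_SEC (which wraps after ~1.8e10 ticks, under 13 minutes at
 * 24 MHz). Splitting into whole seconds plus remainder keeps every
 * intermediate below 2^64 for any tick_freq_hz < 2^34; the result wraps
 * only if the true value itself exceeds 64 bits.
 */
static uint64_t EX_UNUSED tick_to_ns(const ExPmuState *p, uint64_t tick)
{
    uint64_t secs = tick / p->tick_freq_hz;
    uint64_t rem  = tick % p->tick_freq_hz;
    return secs * NS_PER_SEC + (rem * NS_PER_SEC) / p->tick_freq_hz;
}

/* Inverse conversion, deliberately not called from main(): with EX_UNUSED the
 * file still builds under -Wall -Werror, which is what __unused was meant to do. */
static uint64_t EX_UNUSED ns_to_tick(const ExPmuState *p, uint64_t ns)
{
    uint64_t secs = ns / NS_PER_SEC;
    uint64_t rem  = ns % NS_PER_SEC;
    return secs * p->tick_freq_hz + (rem * p->tick_freq_hz) / NS_PER_SEC;
}

int main(void)
{
    ExPmuState pmu = { .tick_freq_hz = 24000000ULL };
    printf("36000000 ticks = %llu ns\n",
           (unsigned long long)tick_to_ns(&pmu, 36000000ULL));
    return 0;
}
```

Deleting `__unused` as the comment suggests is the quickest way past the error; the attribute form above keeps the warning suppression the original author wanted while compiling on both glibc and macOS hosts.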

@p0ryae

p0ryae commented Mar 4, 2022

Remove __unused from ../hw/misc/apple_spmi_pmu.c

There are a few more source files that fail for the same reason. Remove __unused from them as well.

Duplicate of #17

I confirm that solves the issue. I only needed to fix 2 files: apple_spmi_pmu.c and apple_wtd.c.

shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
The issue reported by OSS-Fuzz produces the following backtrace:

  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9

A DMA descriptor is previously filled in RAM. An I/O access to the
device (frames #22 to #16) starts the DMA engine (frame #13). The
engine fetches the descriptor and executes the request, which itself
accesses the SDHCI I/O registers (frames #1 and #0), triggering a
re-entrancy issue.

Fix by prohibiting transactions from the DMA to devices. The DMA engine
is thus restricted to memory.

Reported-by: OSS-Fuzz (Issue 36391)
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
Message-Id: <20211215205656.488940-3-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
  READ of size 1 at 0x61500002a080 thread T0
      #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
      #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
      #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
      #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
      #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
      #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
      #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
      #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
      #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
      #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
      #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
      #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
      #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
      #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
      #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
      #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
      #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
      #19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
      #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
      #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
      #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9

  0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080)
  allocated by thread T0 here:
      #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
      #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
      #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5

  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport
  Shadow bytes around the buggy address:
    0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Heap left redzone:       fa
    Freed heap region:       fd
  ==447470==ABORTING
  Broken pipe
  ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211215205656.488940-4-philmd@redhat.com>
[thuth: Replaced "-m 4G" with "-m 512M"]
Signed-off-by: Thomas Huth <thuth@redhat.com>