openkylin
/
qemu
mirror of https://gitee.com/openkylin/qemu.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
qemu/hw
History
Li Feng 0ac2e63575 vhost-user-blk: fix invalid memory access 
when s->inflight is freed, vhost_dev_free_inflight may try to access
s->inflight->addr, it will retrigger the following issue.

==7309==ERROR: AddressSanitizer: heap-use-after-free on address 0x604001020d18 at pc 0x555555ce948a bp 0x7fffffffb170 sp 0x7fffffffb160
READ of size 8 at 0x604001020d18 thread T0
    #0 0x555555ce9489 in vhost_dev_free_inflight /root/smartx/qemu-el7/qemu-test/hw/virtio/vhost.c:1473
    #1 0x555555cd86eb in virtio_reset /root/smartx/qemu-el7/qemu-test/hw/virtio/virtio.c:1214
    #2 0x5555560d3eff in virtio_pci_reset hw/virtio/virtio-pci.c:1859
    #3 0x555555f2ac53 in device_set_realized hw/core/qdev.c:893
    #4 0x5555561d572c in property_set_bool qom/object.c:1925
    #5 0x5555561de8de in object_property_set_qobject qom/qom-qobject.c:27
    #6 0x5555561d99f4 in object_property_set_bool qom/object.c:1188
    #7 0x555555e50ae7 in qdev_device_add /root/smartx/qemu-el7/qemu-test/qdev-monitor.c:626
    #8 0x555555e51213 in qmp_device_add /root/smartx/qemu-el7/qemu-test/qdev-monitor.c:806
    #9 0x555555e8ff40 in hmp_device_add /root/smartx/qemu-el7/qemu-test/hmp.c:1951
    #10 0x555555be889a in handle_hmp_command /root/smartx/qemu-el7/qemu-test/monitor.c:3404
    #11 0x555555beac8b in monitor_command_cb /root/smartx/qemu-el7/qemu-test/monitor.c:4296
    #12 0x555556433eb7 in readline_handle_byte util/readline.c:393
    #13 0x555555be89ec in monitor_read /root/smartx/qemu-el7/qemu-test/monitor.c:4279
    #14 0x5555563285cc in tcp_chr_read chardev/char-socket.c:470
    #15 0x7ffff670b968 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4a968)
    #16 0x55555640727c in glib_pollfds_poll util/main-loop.c:215
    #17 0x55555640727c in os_host_main_loop_wait util/main-loop.c:238
    #18 0x55555640727c in main_loop_wait util/main-loop.c:497
    #19 0x555555b2d0bf in main_loop /root/smartx/qemu-el7/qemu-test/vl.c:2013
    #20 0x555555b2d0bf in main /root/smartx/qemu-el7/qemu-test/vl.c:4776
    #21 0x7fffdd2eb444 in __libc_start_main (/lib64/libc.so.6+0x22444)
    #22 0x555555b3767a  (/root/smartx/qemu-el7/qemu-test/x86_64-softmmu/qemu-system-x86_64+0x5e367a)

0x604001020d18 is located 8 bytes inside of 40-byte region [0x604001020d10,0x604001020d38)
freed by thread T0 here:
    #0 0x7ffff6f00508 in __interceptor_free (/lib64/libasan.so.4+0xde508)
    #1 0x7ffff671107d in g_free (/lib64/libglib-2.0.so.0+0x5007d)

previously allocated by thread T0 here:
    #0 0x7ffff6f00a88 in __interceptor_calloc (/lib64/libasan.so.4+0xdea88)
    #1 0x7ffff6710fc5 in g_malloc0 (/lib64/libglib-2.0.so.0+0x4ffc5)

SUMMARY: AddressSanitizer: heap-use-after-free /root/smartx/qemu-el7/qemu-test/hw/virtio/vhost.c:1473 in vhost_dev_free_inflight
Shadow bytes around the buggy address:
  0x0c08801fc150: fa fa 00 00 00 00 04 fa fa fa fd fd fd fd fd fa
  0x0c08801fc160: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 04 fa
  0x0c08801fc170: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 04 fa
  0x0c08801fc180: fa fa 00 00 00 00 00 01 fa fa 00 00 00 00 00 01
  0x0c08801fc190: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 04 fa
=>0x0c08801fc1a0: fa fa fd[fd]fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c08801fc1b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c08801fc1c0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x0c08801fc1d0: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fa
  0x0c08801fc1e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c08801fc1f0: fa fa 00 00 00 00 00 01 fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7309==ABORTING

Signed-off-by: Li Feng <fengli@smartx.com>
Message-Id: <20200417101707.14467-1-fengli@smartx.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
 		2020-05-04 10:25:02 -04:00
..
9pfs 9p/proxy: Fix export_flags 2020-03-10 16:12:49 +01:00
acpi acpi: add aml builder stubs 2020-05-04 10:25:02 -04:00
adc hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
alpha hw/ide: Do ide_drive_get() within pci_ide_create_devs() 2020-03-17 12:22:36 -04:00
arm hw/arm: versal-virt: Add support for the RTC 2020-05-04 11:11:28 +01:00
audio hw/audio/fmopl: fix segmentation fault 2020-03-25 09:55:40 +01:00
block vhost-user-blk: fix invalid memory access 2020-05-04 10:25:02 -04:00
char hw/char/cadence_uart: add clock support 2020-04-30 15:35:41 +01:00
core target-arm queue: 2020-04-30 15:45:34 +01:00
cpu cpu/arm11mpcore: Set number of GIC priority bits to 4 2020-02-28 16:14:57 +00:00
cris hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
display virtio-vga: fix virtio-vga bar ordering 2020-05-04 10:25:02 -04:00
dma dma/xlnx-zdma: Fix descriptor loading (REG) wrt endianness 2020-04-30 11:52:25 +01:00
gpio hw/gpio/aspeed_gpio.c: Don't directly include assert.h 2020-04-03 19:24:53 +01:00
hppa hw/ide: Remove unneeded inclusion of hw/ide.h 2020-03-17 12:22:36 -04:00
hyperv add device_legacy_reset function to prepare for reset api change 2020-01-30 16:02:03 +00:00
i2c smbus: Fix spd_data_generate() for number of banks > 2 2020-04-29 08:01:52 +02:00
i386 acpi: add ISADeviceClass->build_aml() 2020-05-04 10:25:02 -04:00
ide cmd646-ide: use qdev gpio rather than qemu_allocate_irqs() 2020-03-27 14:30:08 -04:00
input hw/input: Do not enable CONFIG_PCKBD by default 2020-02-04 09:01:31 +01:00
intc bugfix: Use gicr_typer in arm_gicv3_icc_reset 2020-04-30 11:52:27 +01:00
ipack qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
ipmi qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
isa acpi: add ISADeviceClass->build_aml() 2020-05-04 10:25:02 -04:00
lm32 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
m68k hw/m68k: Use memory_region_init_rom() with read-only regions 2020-03-17 15:18:47 +01:00
mem spapr: Add NVDIMM device support 2020-02-21 09:15:04 +11:00
microblaze hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
mips smbus: Fix spd_data_generate() error API violation 2020-04-29 08:01:52 +02:00
misc hw/misc/zynq_slcr: add clock generation for uarts 2020-04-30 15:35:41 +01:00
moxie hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
net target-arm queue: 2020-04-30 15:45:34 +01:00
nios2 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
nubus hw/m68k: add Nubus support 2019-10-28 19:06:47 +01:00
nvram fw_cfg: Migrate ACPI table mr sizes separately 2020-04-13 06:55:54 -04:00
openrisc hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
pci hw/pci/pcie: Replace PCI_DEVICE() casts with existing variable 2020-05-04 10:25:02 -04:00
pci-bridge pcie_root_port: Add hotplug disabling option 2020-03-08 09:18:29 -04:00
pci-host hw/pci-host: Use memory_region_init_rom() with read-only regions 2020-03-17 15:18:47 +01:00
pcmcia hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
ppc bamboo, sam460ex: Tidy up error message for unsupported RAM size 2020-04-29 08:01:52 +02:00
rdma hw/rdma: Destroy list mutex when list is destroyed 2020-05-02 21:31:17 +03:00
riscv hw/riscv/spike: Allow more than one CPUs 2020-04-29 13:16:38 -07:00
rtc rtc: add RTC_ISA_BASE 2020-05-04 10:25:02 -04:00
s390x s390x/s390-virtio-ccw: Fix build on systems without KVM 2020-04-29 14:36:19 +02:00
scsi various: Remove suspicious '\' character outside of #define in C code 2020-04-29 08:01:51 +02:00
sd various: Remove suspicious '\' character outside of #define in C code 2020-04-29 08:01:51 +02:00
semihosting semihosting: add qemu_semihosting_console_inc for SYS_READC 2020-01-09 11:41:29 +00:00
sh4 hw/sh4: Use memory_region_init_rom() with read-only regions 2020-03-17 15:18:47 +01:00
smbios hw/smbios/smbios: Remove unused include 2020-02-06 10:38:57 +01:00
sparc hw/sparc: Use memory_region_init_rom() with read-only regions 2020-03-17 15:18:48 +01:00
sparc64 hw/ide: Do ide_drive_get() within pci_ide_create_devs() 2020-03-17 12:22:36 -04:00
ssi aspeed/smc: Fix DMA support for AST2600 2020-03-23 17:22:30 +00:00
timer hw/timer/hpet: Include "exec/address-spaces.h" 2020-03-09 15:59:31 +01:00
tpm tpm: Add the SysBus TPM TIS device 2020-03-05 12:18:08 -05:00
tricore hw: Do not initialize MachineClass::is_default to 0 2020-02-28 14:57:19 -05:00
unicore32 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
usb hw/usb/xen-usb.c: Pass struct usbback_req* to usbback_packet_complete() 2020-04-07 16:13:26 +01:00
vfio vfio/spapr: Fix page size calculation 2020-04-07 08:55:10 +10:00
virtio vhost-user-blk: fix invalid memory access 2020-05-04 10:25:02 -04:00
watchdog qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
xen xen/pt: Fix flawed conversion to realize() 2020-04-29 08:01:52 +02:00
xenpv trivial: Remove xenfb_enabled from sysemu.h 2020-02-04 09:00:57 +01:00
xtensa hw/xtensa/xtfpga:fix leak of fdevice tree blob 2020-02-19 10:33:38 +01:00
Kconfig Remove the core bluetooth code 2019-12-17 09:01:14 +01:00
Makefile.objs Remove the core bluetooth code 2019-12-17 09:01:14 +01:00