READ memory access in /hw/acpi/pcihp.c
Hello qemu team, an invalid pointer dereference (a READ of address 0x50, i.e. a NULL-based pointer, per the sanitizer trace below) was found at /hw/acpi/pcihp.c:470:9 in QEMU version 6.2.0-rc2.
Reproducer
# Reproducer: pipe the qtest commands below into qemu-system-i386 (-M pc, one
# virtio-net device, -qtest stdio).  The outl/inw/outw pairs on 0xcf8/0xcfc are
# PCI configuration-space accesses; the later outl writes to 0xae10/0xae14 land
# in pci_write() of hw/acpi/pcihp.c via cpu_outl (frames #0 and #7 of the trace
# below), which is where the fault is reported.  Which of the two final write
# groups actually triggers it is not stated in the report.
cat << EOF | ./qemu-system-i386 \
-M pc -nodefaults -netdev user,id=user0 -device virtio-net,netdev=user0 \
-qtest stdio
outl 0xcf8 0x80000b00
inw 0xcfc
outl 0xcf8 0x80000b04
inw 0xcfc
outl 0xcf8 0x80000b04
outw 0xcfc 0x7
outl 0xcf8 0x80000b04
inw 0xcfc
outl 0xcf8 0x80000000
inw 0xcfc
outl 0xcf8 0x80000004
inw 0xcfc
outl 0xcf8 0x80000004
outw 0xcfc 0x7
outl 0xcf8 0x80000004
inw 0xcfc
outl 0xcf8 0x80000800
inw 0xcfc
outl 0xcf8 0x80000804
inw 0xcfc
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outl 0xcf8 0x80000804
inw 0xcfc
outl 0xcf8 0x80000900
inw 0xcfc
outl 0xcf8 0x80000920
outl 0xcfc 0xffffffff
outl 0xcf8 0x80000920
inl 0xcfc
outl 0xcf8 0x80000920
outl 0xcfc 0xc001
outl 0xcf8 0x80000904
inw 0xcfc
outl 0xcf8 0x80000904
outw 0xcfc 0x7
outl 0xcf8 0x80000904
inw 0xcfc
outl 0xcf8 0x80001000
inw 0xcfc
outl 0xcf8 0x80001010
outl 0xcfc 0xffffffff
outl 0xcf8 0x80001010
inl 0xcfc
outl 0xcf8 0x80001010
outl 0xcfc 0xc021
outl 0xcf8 0x80001014
outl 0xcfc 0xffffffff
outl 0xcf8 0x80001014
inl 0xcfc
outl 0xcf8 0x80001014
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001020
outl 0xcfc 0xffffffff
outl 0xcf8 0x80001020
inl 0xcfc
outl 0xcf8 0x80001020
outl 0xcfc 0xe0004000
outl 0xcf8 0x80001004
inw 0xcfc
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x80001004
inw 0xcfc
clock_step
outl 0xae10 0x15
outl 0xae10 0x585a5564
outl 0xae10 0x15
outl 0xcf8 0x80000b06
outl 0xcfc 0xdd58fb5a
outl 0xae14 0x64296572
clock_step
outl 0xae10 0x15
outl 0xae10 0x585a5564
outl 0xae10 0x15
outl 0xcf8 0x80000b06
outl 0xcfc 0xdd58fb5a
outl 0xae14 0x64296572
EOF
Stack-Trace
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4191==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x564df8697958 bp 0x7ffe620c13f0 sp 0x7ffe620c12a0 T0)
==4191==The signal is caused by a READ memory access.
==4191==Hint: address points to the zero page.
#0 0x564df8697958 in pci_write /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/acpi/pcihp.c:470:9
#1 0x564df941eb3c in memory_region_write_accessor /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/memory.c:492:5
#2 0x564df941e63b in access_with_adjusted_size /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/memory.c:554:18
#3 0x564df941de40 in memory_region_dispatch_write /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/memory.c
#4 0x564df93fbe1b in flatview_write_continue /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/physmem.c:2782:23
#5 0x564df93f15ab in flatview_write /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/physmem.c:2822:14
#6 0x564df93f15ab in address_space_write /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/physmem.c:2914:18
#7 0x564df9408182 in cpu_outl /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/ioport.c:80:5
#8 0x564df9461975 in qtest_process_command /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/qtest.c:499:13
#9 0x564df945f6e7 in qtest_process_inbuf /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/qtest.c:813:9
#10 0x564df945f43d in qtest_server_inproc_recv /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/qtest.c:945:9
#11 0x564df9f43460 in qtest_sendf /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/libqtest.c:448:5
#12 0x564df9f43a3e in qtest_out /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/libqtest.c:1018:5
#13 0x564df9f43a3e in qtest_outl /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/libqtest.c:1034:5
#14 0x564df82aee6d in op_out /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/generic_fuzz.c:403:13
#15 0x564df82ad1e5 in generic_fuzz /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/generic_fuzz.c:713:17
#16 0x564df829d45b in LLVMFuzzerTestOneInput /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/fuzz.c:151:5
#17 0x564df81a4c61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2ca8c61)
#18 0x564df81a61a5 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2caa1a5)
#19 0x564df81903ea in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c943ea)
#20 0x564df8195e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c99e86)
#21 0x564df81beb42 in main (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2cc2b42)
#22 0x7ffa92067bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#23 0x564df816aa79 in _start (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c6ea79)