Heap-overflow in scsi_disk_emulate_write_same
Hello, I bisected this to 356c4c44 ("scsi-disk: allow MODE SELECT block descriptor to set the block size")
Reproducer
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x05
outw 0xc03f 0x0300
outb 0xc044 0xf
outw 0xc00b 0x4100
outw 0xc03f 0x0300
write 0x0 0x1 0x55
write 0x1 0x1 0x10
write 0x8 0x1 0x10
outw 0xc00b 0xc100
outw 0xc03f 0x0300
write 0x7 0x1 0x08
write 0xe 0x1 0x41
outw 0xc00b 0x9000
outb 0xc044 0x40
outw 0xc03f 0x0300
write 0x0 0x1 0x41
write 0x1 0x1 0x00
outw 0xc00b 0xc100
outw 0xc00b 0x9000
EOF
Stack-Trace
==1135819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f486ecff000 at pc 0x55daef27386a bp 0x7ffe56594370 sp 0x7ffe56593b40
WRITE of size 16640 at 0x7f486ecff000 thread T0
#0 0x55daef273869 in __asan_memcpy (/home/alxndr/Development/qemu/build/qemu-system-i386+0x2083869) (BuildId: 3e308de988390293f500de8e9b27a0cede65b0f5)
#1 0x55daefab9119 in scsi_disk_emulate_write_same /home/alxndr/Development/qemu/build/../hw/scsi/scsi-disk.c:1895:9
#2 0x55daefab9119 in scsi_disk_emulate_write_data /home/alxndr/Development/qemu/build/../hw/scsi/scsi-disk.c:1940:9
#3 0x55daefa8836b in scsi_req_continue /home/alxndr/Development/qemu/build/../hw/scsi/scsi-bus.c
#4 0x55daefaea516 in esp_do_dma /home/alxndr/Development/qemu/build/../hw/scsi/esp.c:703:9
#5 0x55daefaf1fcb in handle_ti /home/alxndr/Development/qemu/build/../hw/scsi/esp.c:912:9
#6 0x55daefaef62d in esp_reg_write /home/alxndr/Development/qemu/build/../hw/scsi/esp.c:1077:13
#7 0x55daefb02466 in esp_pci_io_write /home/alxndr/Development/qemu/build/../hw/scsi/esp-pci.c:214:9
#8 0x55daf07a8428 in memory_region_write_accessor /home/alxndr/Development/qemu/build/../softmmu/memory.c:492:5
#9 0x55daf07a7f7a in access_with_adjusted_size /home/alxndr/Development/qemu/build/../softmmu/memory.c:554:18
#10 0x55daf07a78e3 in memory_region_dispatch_write /home/alxndr/Development/qemu/build/../softmmu/memory.c
#11 0x55daf07f34b0 in flatview_write_continue /home/alxndr/Development/qemu/build/../softmmu/physmem.c:2825:23
#12 0x55daf07ea953 in flatview_write /home/alxndr/Development/qemu/build/../softmmu/physmem.c:2867:12
#13 0x55daf07ea663 in address_space_write /home/alxndr/Development/qemu/build/../softmmu/physmem.c:2963:18
#14 0x55daf079b247 in cpu_outw /home/alxndr/Development/qemu/build/../softmmu/ioport.c:70:5
#15 0x55daf07fe3a9 in qtest_process_command /home/alxndr/Development/qemu/build/../softmmu/qtest.c:480:13
#16 0x55daf07fcf48 in qtest_process_inbuf /home/alxndr/Development/qemu/build/../softmmu/qtest.c:796:9
#17 0x55daf0e84684 in fd_chr_read /home/alxndr/Development/qemu/build/../chardev/char-fd.c:72:9
#18 0x7f48747d8eb3 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x53eb3) (BuildId: c072de7723cebd5bc4cd2f736d2c2b689117f17a)
#19 0x55daf10f7b43 in glib_pollfds_poll /home/alxndr/Development/qemu/build/../util/main-loop.c:297:9
#20 0x55daf10f7b43 in os_host_main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:320:5
#21 0x55daf10f7b43 in main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:596:11
#22 0x55daefe53d66 in qemu_main_loop /home/alxndr/Development/qemu/build/../softmmu/runstate.c:726:9
#23 0x55daef2b187c in qemu_main /home/alxndr/Development/qemu/build/../softmmu/main.c:36:5
#24 0x55daef2b187c in main /home/alxndr/Development/qemu/build/../softmmu/main.c:45:12
#25 0x7f48734137ec in __libc_start_main csu/../csu/libc-start.c:332:16
#26 0x55daef1f1649 in _start (/home/alxndr/Development/qemu/build/qemu-system-i386+0x2001649) (BuildId: 3e308de988390293f500de8e9b27a0cede65b0f5)
0x7f486ecff000 is located 0 bytes to the right of 524288-byte region [0x7f486ec7f000,0x7f486ecff000)
allocated by thread T0 here:
#0 0x55daef275007 in posix_memalign (/home/alxndr/Development/qemu/build/qemu-system-i386+0x2085007) (BuildId: 3e308de988390293f500de8e9b27a0cede65b0f5)
#1 0x55daf10aaffa in qemu_try_memalign /home/alxndr/Development/qemu/build/../util/memalign.c:53:11
#2 0x55daf10ab382 in qemu_memalign /home/alxndr/Development/qemu/build/../util/memalign.c:73:15
#3 0x55daefa8836b in scsi_req_continue /home/alxndr/Development/qemu/build/../hw/scsi/scsi-bus.c
#4 0x55daefaea516 in esp_do_dma /home/alxndr/Development/qemu/build/../hw/scsi/esp.c:703:9
#5 0x55daefaf1fcb in handle_ti /home/alxndr/Development/qemu/build/../hw/scsi/esp.c:912:9
#6 0x55daefaef62d in esp_reg_write /home/alxndr/Development/qemu/build/../hw/scsi/esp.c:1077:13
#7 0x55daefb02466 in esp_pci_io_write /home/alxndr/Development/qemu/build/../hw/scsi/esp-pci.c:214:9
#8 0x55daf07a8428 in memory_region_write_accessor /home/alxndr/Development/qemu/build/../softmmu/memory.c:492:5
#9 0x55daf07a7f7a in access_with_adjusted_size /home/alxndr/Development/qemu/build/../softmmu/memory.c:554:18
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49219
libqtest Reproducer: repro.c
Thank you
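An added illustration of the failure mode the ASan report shows, written for this page and not taken from the report or from QEMU's hw/scsi/scsi-disk.c: the report records one memcpy of 16640 bytes whose first out-of-bounds byte sits at the end of a 524288-byte region, which is the signature of a fixed-size buffer filled in block-size strides when the block size (here 0x4100, as written by the reproducer's MODE SELECT data) does not divide the buffer length. The loop structure, the 0xAA guard and the names run_fill/safe_fill_len are assumptions of this model; the page does not state the actual root cause in QEMU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a WRITE SAME bounce-buffer fill (not QEMU's code).
 * The ASan report shows one memcpy of 16640 bytes whose first bad byte is
 * at the end of a 524288-byte region: exactly what a fixed-size buffer
 * filled in block-size strides does when the block size does not divide
 * the buffer length. The sizes below are taken from the report. */

#define WRITE_SAME_MAX 524288u   /* size of the region in the report (512 KiB) */
#define GUEST_BLOCKSIZE 16640u   /* 0x4100, size of the faulting write */

/* Length that can be filled in whole blocks without leaving the buffer:
 * 0 if the block size is unusable (zero, or larger than the buffer). */
size_t safe_fill_len(size_t buf_len, size_t blocksize)
{
    if (blocksize == 0 || blocksize > buf_len) {
        return 0;
    }
    return buf_len - (buf_len % blocksize);
}

/* Replicate a one-block pattern across a buf_len-byte buffer.
 * clamp == 0: the naive loop, which copies a whole block at every stride
 *             below buf_len and never checks that the last copy fits.
 * clamp != 0: the hardened loop, which stops at safe_fill_len().
 * The buffer is padded with a blocksize-long 0xAA guard so this model stays
 * in bounds; the return value is the number of guard bytes clobbered
 * (0 means no overflow). *filled receives the bytes written in bounds. */
size_t run_fill(size_t buf_len, size_t blocksize, int clamp, size_t *filled)
{
    if (blocksize == 0 || blocksize > buf_len) {
        *filled = 0;
        return 0;
    }
    size_t limit = clamp ? safe_fill_len(buf_len, blocksize) : buf_len;
    uint8_t *pat = malloc(blocksize);
    uint8_t *buf = malloc(buf_len + blocksize);
    if (!pat || !buf) {
        free(pat);
        free(buf);
        *filled = 0;
        return 0;
    }
    memset(pat, 0x41, blocksize);            /* guest-supplied block pattern */
    memset(buf + buf_len, 0xAA, blocksize);  /* guard canary past the buffer */

    size_t off;
    for (off = 0; off < limit; off += blocksize) {
        memcpy(buf + off, pat, blocksize);   /* unclamped: may run past buf_len */
    }
    *filled = off < buf_len ? off : buf_len;

    size_t clobbered = 0;
    for (size_t i = 0; i < blocksize; i++) {
        if (buf[buf_len + i] != 0xAA) {
            clobbered++;
        }
    }
    free(pat);
    free(buf);
    return clobbered;
}

int main(void)
{
    size_t filled;
    size_t bad = run_fill(WRITE_SAME_MAX, GUEST_BLOCKSIZE, 0, &filled);
    printf("naive:   filled %zu bytes, %zu bytes past the buffer\n", filled, bad);
    bad = run_fill(WRITE_SAME_MAX, GUEST_BLOCKSIZE, 1, &filled);
    printf("clamped: filled %zu bytes, %zu bytes past the buffer\n", filled, bad);
    bad = run_fill(WRITE_SAME_MAX, 512, 0, &filled);
    printf("512-byte blocks: %zu bytes past the buffer\n", bad);
    return 0;
}
```

With the report's numbers the naive loop's last copy starts at offset 515840 and runs 8192 bytes past the 524288-byte buffer, while a 512-byte block size divides the buffer exactly and never overflows; the hardened variant rounds the fill length down to a whole number of blocks and rejects a zero or oversized block size before any copy happens.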