Null pointer access in nvme_directive_receive()
Host environment
- Operating system: Ubuntu 20.04
- OS/kernel version: Linux 5.4.0-148
- Architecture: x86_64
- QEMU flavor: qemu-system-x86_64
- QEMU version: commit at c167c80b
- QEMU command line:
QEMU_FUZZ_ARGS='-machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device nvme,drive=disk0,serial=1' QEMU_FUZZ_OBJECTS='*nvme*' ./qemu-fuzz-x86_64 --fuzz-target=generic-fuzz
Description of problem
Got an access within null pointer error when fuzzing nvme.
Steps to reproduce
Minimized reproducer for the error:
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -machine q35 \
-nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device \
nvme,drive=disk0,serial=1 -qtest /dev/null -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000024 0x4 0x040002
write 0xe0000014 0x4 0x61004600
write 0xe0001000 0x1 0x04
write 0x0 0x1 0x1a
write 0x4 0x1 0x01
write 0x2c 0x1 0x01
EOF
Additional information
The crash report triggered by the reproducer is:
[I 0.000000] OPENED
[R +0.025407] outl 0xcf8 0x80000810
[S +0.025443] OK
OK
[R +0.025456] outl 0xcfc 0xe0000000
[S +0.025470] OK
OK
[R +0.025476] outl 0xcf8 0x80000804
[S +0.025483] OK
OK
[R +0.025489] outw 0xcfc 0x06
[S +0.025934] OK
OK
[R +0.025946] write 0xe0000024 0x4 0x040002
[S +0.025958] OK
OK
[R +0.025964] write 0xe0000014 0x4 0x61004600
[S +0.025988] OK
OK
[R +0.026025] write 0xe0001000 0x1 0x04
[S +0.026041] OK
OK
[R +0.026048] write 0x0 0x1 0x1a
[S +0.026256] OK
OK
[R +0.026268] write 0x4 0x1 0x01
[S +0.026279] OK
OK
[R +0.026292] write 0x2c 0x1 0x01
[S +0.026303] OK
OK
../hw/nvme/ctrl.c:6890:29: runtime error: member access within null pointer of type 'NvmeEnduranceGroup' (aka 'struct NvmeEnduranceGroup')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/nvme/ctrl.c:6890:29 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1085476==ERROR: AddressSanitizer: SEGV on unknown address 0x000000001fc8 (pc 0x56306b765ebf bp 0x7ffff17fd890 sp 0x7ffff17f6a00 T0)
==1085476==The signal is caused by a READ memory access.
#0 0x56306b765ebf in nvme_directive_receive ../hw/nvme/ctrl.c:6890:33
#1 0x56306b765ebf in nvme_admin_cmd ../hw/nvme/ctrl.c:6958:16
#2 0x56306b765ebf in nvme_process_sq ../hw/nvme/ctrl.c:7015:13
#3 0x56306cda2c3b in aio_bh_call ../util/async.c:169:5
#4 0x56306cda3384 in aio_bh_poll ../util/async.c:216:13
#5 0x56306cd3f15b in aio_dispatch ../util/aio-posix.c:423:5
#6 0x56306cda72da in aio_ctx_dispatch ../util/async.c:358:5
#7 0x7fa321cc417c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c) (BuildId: 5fdb313daf182a33a858ba2cc945211b11d34561)
#8 0x56306cda840f in glib_pollfds_poll ../util/main-loop.c:290:9
#9 0x56306cda840f in os_host_main_loop_wait ../util/main-loop.c:313:5
#10 0x56306cda840f in main_loop_wait ../util/main-loop.c:592:11
#11 0x56306bd17f76 in qemu_main_loop ../softmmu/runstate.c:732:9
#12 0x56306c721835 in qemu_default_main ../softmmu/main.c:37:14
#13 0x7fa320aeb082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x56306af0309d in _start (./qemu-system-x86_64+0x1e9109d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../hw/nvme/ctrl.c:6890:33 in nvme_directive_receive