Skip to content

Out of bounds access in smc91c111_readb()

Host environment

  • Operating system: Ubuntu 20.04
  • OS/kernel version: Linux 5.4.0
  • Architecture: x86_64
  • QEMU version: commit fea445e8

Emulated/Virtualized environment

  • Operating system: Ubuntu 20.04
  • OS/kernel version: Linux 5.4.0
  • Architecture: arm

Description of problem

I detected an out-of-bounds access in smc91c111_readb with my fuzzer.

Stack trace (part):
hw/net/smc91c111.c:607:24: runtime error: index 175 out of bounds for
type 'uint8_t[4][2048]' (aka 'unsigned char[4][2048]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
hw/net/smc91c111.c:607:24 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==397944==ERROR: AddressSanitizer: SEGV on unknown address
0x629000077db4 (pc 0x56272aed3b8d bp 0x7ffd1471f290 sp 0x7ffd1471ea20
T0)
==397944==The signal is caused by a READ memory access.
    #0 0x56272aed3b8d in smc91c111_readb hw/net/smc91c111.c:607:24
    #1 0x56272aecfd61 in smc91c111_readfn hw/net/smc91c111.c:650:16
    #2 0x56272d4b228b in memory_region_read_accessor system/memory.c:445:11
    #3 0x56272d46fb85 in access_with_adjusted_size system/memory.c:573:18
    #4 0x56272d46c58e in memory_region_dispatch_read1 system/memory.c:1426:16
    #5 0x56272d46bcd7 in memory_region_dispatch_read system/memory.c:1459:9
    #6 0x56272d4e8e03 in flatview_read_continue_step system/physmem.c:2794:18
    #7 0x56272d4e871e in flatview_read_continue system/physmem.c:2835:19
    #8 0x56272d4e98b8 in flatview_read system/physmem.c:2865:12
    #9 0x56272d4e9388 in address_space_read_full system/physmem.c:2878:18
    #10 0x56272d6e7840 in address_space_read include/exec/memory.h:3026:18
...
Bug analysis: I found s->packet_num = 175 at line 599.

Steps to reproduce

Reproducer:
export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine
mainstone"
cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
outl 0xcf8 0x80000010
outl 0xcfc 0x10000300
outl 0xcf8 0x80000004
outl 0xcfc 0x07
writel 0x1000030c 0x66027cd6
writel 0x10000300 0x64af8eda
readw 0x10000308
EOF

Additional information

Ack: Chuhong Yuan (hslester96@gmail.com)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information