Heap-buffer-overflow (read) in scsi_cdb_length through am53c974
Hello,
Reproducer
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x01
outb 0xc00c 0x43
outl 0xc00b 0x9100
outl 0xc009 0x02000000
outl 0xc000 0x0b
outl 0xc00b 0x00
outl 0xc00b 0x00
outl 0xc00b 0xc200
outl 0xc00b 0x1000
outl 0xc00b 0x9000
outb 0xc008 0x00
outb 0xc008 0x00
outl 0xc03f 0x0300
outl 0xc00b 0x00
outw 0xc00b 0x4200
outl 0xc00b 0x00
outw 0xc00b 0x1200
outl 0xc00b 0x00
outb 0xc00c 0x43
outl 0xc00b 0x00
outl 0xc00b 0x00
outl 0xc007 0x00
outl 0xc007 0x00
outl 0xc007 0x00
outl 0xc00b 0x1000
outl 0xc007 0x00
EOF
Stack trace
==13428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5030000b81d0 at pc 0xaaaac35e2c78 bp 0xffffc6011e00 sp 0xffffc6011df8
READ of size 1 at 0x5030000b81d0 thread T0
#0 0xaaaac35e2c74 in scsi_cdb_length /../scsi/utils.c:75:13
#1 0xaaaac2e65d9c in esp_cdb_ready /../hw/scsi/esp.c:469:14
#2 0xaaaac2e65d9c in esp_do_nodma /../hw/scsi/esp.c:843:17
#3 0xaaaac2e67bc0 in esp_reg_write /../hw/scsi/esp.c
#4 0xaaaac30ab77c in memory_region_write_accessor /../system/memory.c:490:5
#5 0xaaaac30ab3b4 in access_with_adjusted_size /../system/memory.c:566:18
#6 0xaaaac30aaff4 in memory_region_dispatch_write /../system/memory.c
#7 0xaaaac30d789c in flatview_write_continue_step /../system/physmem.c:2972:18
#8 0xaaaac30cb2a4 in flatview_write_continue /../system/physmem.c:3002:19
#9 0xaaaac30cb2a4 in flatview_write /../system/physmem.c:3033:12
#10 0xaaaac30cafcc in address_space_write /../system/physmem.c:3153:18
#11 0xaaaac30a1514 in cpu_outl /../system/ioport.c:84:5
#12 0xaaaac30dce70 in qtest_process_command /../system/qtest.c:476:13
#13 0xaaaac30dce70 in qtest_process_inbuf /../system/qtest.c:770:9
#14 0xaaaac3716c20 in fd_chr_read /../chardev/char-fd.c:72:9
#15 0xffffac5df350 (/lib/aarch64-linux-gnu/libglib-2.0.so.0+0x5f350) (BuildId: 63b0b4861e1fc0c302ea39429492acac3b688944)
#16 0xffffac5e2008 in g_main_context_dispatch (/lib/aarch64-linux-gnu/libglib-2.0.so.0+0x62008) (BuildId: 63b0b4861e1fc0c302ea39429492acac3b688944)
#17 0xaaaac38ac9c0 in glib_pollfds_poll /../util/main-loop.c:287:9
#18 0xaaaac38ac9c0 in os_host_main_loop_wait /../util/main-loop.c:310:5
#19 0xaaaac38ac9c0 in main_loop_wait /../util/main-loop.c:589:11
#20 0xaaaac30e3458 in qemu_main_loop /../system/runstate.c:905:9
#21 0xaaaac3721544 in qemu_default_main /../system/main.c:50:14
#22 0xaaaac372151c in main /../system/main.c:93:9
#23 0xffffac0a2298 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#24 0xffffac0a2378 in __libc_start_main csu/../csu/libc-start.c:360:3
#25 0xaaaac286c1ec in _start (Id: 65a1cf772cdd3437e39a429ba9536c7e787c0f0f)
0x5030000b81d0 is located 0 bytes after 32-byte region [0x5030000b81b0,0x5030000b81d0)
allocated by thread T0 here:
#0 0xaaaac290ecc4 in malloc (Id: 65a1cf772cdd3437e39a429ba9536c7e787c0f0f)
#1 0xffffac5e9adc in g_malloc (/lib/aarch64-linux-gnu/libglib-2.0.so.0+0x69adc) (BuildId: 63b0b4861e1fc0c302ea39429492acac3b688944)
#2 0xaaaac3884f24 in fifo8_create /../util/fifo8.c:27:18
#3 0xaaaac35353d4 in object_initialize_with_type /../qom/object.c:570:5
#4 0xaaaac3535828 in object_initialize /../qom/object.c:578:5
#5 0xaaaac3535828 in object_initialize_child_with_propsv /../qom/object.c:608:5
#6 0xaaaac35356b8 in object_initialize_child_with_props /../qom/object.c:591:10
#7 0xaaaac35353d4 in object_initialize_with_type /../qom/object.c:570:5
#8 0xaaaac3536750 in object_new_with_type /../qom/object.c:774:5
#9 0xaaaac3536750 in object_new /../qom/object.c:789:12
#10 0xaaaac3528858 in qdev_new /../hw/core/qdev.c:149:19
#11 0xaaaac30d9518 in qdev_device_add_from_qdict /../system/qdev-monitor.c:684:11
#12 0xaaaac30d9da4 in qdev_device_add /../system/qdev-monitor.c:732:11
#13 0xaaaac30939d8 in device_init_func /../system/vl.c:1208:11
#14 0xaaaac38920a0 in qemu_opts_foreach /../util/qemu-option.c:1135:14
#15 0xaaaac30896f8 in qemu_create_cli_devices /../system/vl.c:2745:5
#16 0xaaaac30896f8 in qmp_x_exit_preconfig /../system/vl.c:2805:5
#17 0xaaaac308ed08 in qemu_init /../system/vl.c:3840:9
#18 0xaaaac372145c in main /../system/main.c:71:5
#19 0xffffac0a2298 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#20 0xffffac0a2378 in __libc_start_main csu/../csu/libc-start.c:360:3
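The trace shows scsi_cdb_length reading one byte immediately past a 32-byte heap region. The C below is an added illustration, not QEMU's code, of the check a reviewer would want around such a lookup: the CDB offset and the derived CDB length are validated against the bytes actually queued before the opcode byte is read. The 32-byte FIFO size, the function names and the sample CDBs are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#define CMDFIFO_SZ 32  /* assumed FIFO size; matches the 32-byte region in the trace */

/* CDB length from the opcode's group code (bits 7..5 of CDB byte 0). */
int cdb_length_from_opcode(uint8_t opcode)
{
    switch (opcode >> 5) {
    case 0:  return 6;
    case 1:
    case 2:  return 10;
    case 4:  return 16;
    case 5:  return 12;
    default: return -1;  /* reserved or vendor-specific group */
    }
}

/*
 * Bounds-checked lookup: 'used' bytes are queued, the CDB starts at 'cdb_off'.
 * Returns -1 instead of reading fifo[cdb_off] when that byte is outside the
 * queued data or the full CDB is not queued yet; an unchecked read with
 * cdb_off == used == CMDFIFO_SZ is the one-byte overrun ASan reports above.
 */
int checked_cdb_length(const uint8_t *fifo, size_t used, size_t cdb_off)
{
    if (used > CMDFIFO_SZ || cdb_off >= used) {
        return -1;
    }
    int len = cdb_length_from_opcode(fifo[cdb_off]);
    if (len < 0 || (size_t)len > used - cdb_off) {
        return -1;
    }
    return len;
}

/* Constructed sample: 'queued' bytes of a CDB whose opcode is at offset 0. */
int sample_cdb(uint8_t opcode, size_t queued)
{
    uint8_t fifo[CMDFIFO_SZ] = { 0 };
    fifo[0] = opcode;
    return checked_cdb_length(fifo, queued, 0);
}

/* Constructed sample: CDB offset equal to the fill level, i.e. past the data. */
int sample_offset_past_data(void)
{
    uint8_t fifo[CMDFIFO_SZ] = { 0 };
    return checked_cdb_length(fifo, CMDFIFO_SZ, CMDFIFO_SZ);
}
```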
This is https://issues.oss-fuzz.com/issues/439878564
Thank you