Heap buffer overflow in Xilinx DPDMA
Host environment
- Operating system: Ubuntu
- OS/kernel version: Linux Mewtwo 6.11.0-25-generic #25~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 17:20:50 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
- Architecture: x86
- QEMU flavor: qemu-system-aarch64
- QEMU version:
- QEMU command line:
- OS/kernel version:
- Architecture:
Description of problem
Steps to reproduce
#!/bin/bash
QEMU="./build-asan/qemu-system-aarch64"
ASAN_OPTIONS=abort_on_error=1:halt_on_error=1 \
$QEMU -machine xlnx-zcu102 -m 2G \
-display none \
-serial none \
-monitor none \
-qtest stdio <<'EOF'
writel 0xfd4a0194 0x00000780
writel 0xfd4a0198 0x00000438
writel 0xfd4ab000 0x00000000
writel 0xfd4a0080 0x00000001
writel 0xfd4a0084 0x00000001
writel 0x40000000 0x080400A5
writel 0x40000004 0xDEADBEEF
writel 0x40000008 0x01000000
writel 0x4000000c 0x04001000
writel 0x40000010 0x00000000
writel 0x40000014 0x00000000
writel 0x40000018 0x00000000
writel 0x4000001c 0x00000000
writel 0x40000020 0x50000000
writel 0x40000024 0x00000000
writel 0x40000028 0x00000000
writel 0x4000002c 0x00000000
writel 0x40000030 0x00000000
writel 0x40000034 0x00000000
writel 0x40000038 0x00000000
writel 0x4000003c 0x00000000
writel 0xfd4c0500 0x00000000
writel 0xfd4c0504 0x40000000
writel 0xfd4c0518 0x00000001
writel 0xfd4c0104 0x00000008
EOF
and the output:
=================================================================
==91673==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4a36017800 at pc 0x55d620e921ca bp 0x7fff87165fb0 sp 0x7fff87165780
WRITE of size 4096 at 0x7f4a36017800 thread T0
#0 0x55d620e921c9 in __asan_memcpy (/workspace/build-asan/qemu-system-aarch64+0x209c1c9) (BuildId: b369e578cf923e64b47757829222198df0753e48)
#1 0x55d622c64a5a in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10
#2 0x55d622c64a5a in flatview_read_continue_step /workspace/build-asan/../system/physmem.c:2893:9
#3 0x55d622c64636 in flatview_read_continue /workspace/build-asan/../system/physmem.c:2910:19
#4 0x55d622c653c3 in flatview_read /workspace/build-asan/../system/physmem.c:2940:12
#5 0x55d622c650d3 in address_space_read_full /workspace/build-asan/../system/physmem.c:2953:18
#6 0x55d6213629ab in dma_memory_rw_relaxed /workspace/include/sysemu/dma.h:87:12
#7 0x55d6213629ab in dma_memory_rw /workspace/include/sysemu/dma.h:130:12
#8 0x55d6213629ab in dma_memory_read /workspace/include/sysemu/dma.h:150:12
#9 0x55d6213629ab in xlnx_dpdma_start_operation /workspace/build-asan/../hw/dma/xlnx_dpdma.c:773:25
#10 0x55d622c23841 in memory_region_write_accessor /workspace/build-asan/../system/memory.c:497:5
#11 0x55d622c22c9a in access_with_adjusted_size /workspace/build-asan/../system/memory.c:573:18
#12 0x55d622c2241b in memory_region_dispatch_write /workspace/build-asan/../system/memory.c
#13 0x55d622c78a4a in flatview_write_continue_step /workspace/build-asan/../system/physmem.c:2788:18
#14 0x55d622c659bf in flatview_write_continue /workspace/build-asan/../system/physmem.c:2818:19
#15 0x55d622c659bf in flatview_write /workspace/build-asan/../system/physmem.c:2849:12
#16 0x55d622c65653 in address_space_write /workspace/build-asan/../system/physmem.c:2969:18
#17 0x55d621f0c7a5 in qtest_process_command /workspace/build-asan/../system/qtest.c:527:13
#18 0x55d621f0a928 in qtest_process_inbuf /workspace/build-asan/../system/qtest.c:776:9
#19 0x55d62326fb94 in fd_chr_read /workspace/build-asan/../chardev/char-fd.c:72:9
#20 0x7f4b0da5c5de in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x545de) (BuildId: 0035e382f733cc430b52aad2f3f6a4f9d3c5e3b7)
#21 0x55d6234eb49b in glib_pollfds_poll /workspace/build-asan/../util/main-loop.c:287:9
#22 0x55d6234eb49b in os_host_main_loop_wait /workspace/build-asan/../util/main-loop.c:310:5
#23 0x55d6234eb49b in main_loop_wait /workspace/build-asan/../util/main-loop.c:589:11
#24 0x55d621f18b06 in qemu_main_loop /workspace/build-asan/../system/runstate.c:826:9
#25 0x55d623283135 in qemu_default_main /workspace/build-asan/../system/main.c:37:14
#26 0x7f4b0d6d8249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: 6196744a316dbd57c0fd8968df1680aac482cec4)
#27 0x7f4b0d6d8304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: 6196744a316dbd57c0fd8968df1680aac482cec4)
#28 0x55d620e0ffa0 in _start (/workspace/build-asan/qemu-system-aarch64+0x2019fa0) (BuildId: b369e578cf923e64b47757829222198df0753e48)
0x7f4a36017800 is located 0 bytes to the right of 8294400-byte region [0x7f4a3582e800,0x7f4a36017800)
allocated by thread T0 here:
#0 0x55d620e92fd8 in __interceptor_calloc (/workspace/build-asan/qemu-system-aarch64+0x209cfd8) (BuildId: b369e578cf923e64b47757829222198df0753e48)
#1 0x7f4b0dd9a269 (/lib/x86_64-linux-gnu/libpixman-1.so.0+0x1b269) (BuildId: e5244cc62abe869e5fb0a4e43b3f1dec189dbef9)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/workspace/build-asan/qemu-system-aarch64+0x209c1c9) (BuildId: b369e578cf923e64b47757829222198df0753e48) in __asan_memcpy
==91673==ABORTING
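The geometry in the report (a 0x780 x 0x438 display at 4 bytes per pixel gives the 8294400-byte pixman region, and the 4096-byte DMA line lands 0 bytes past its end) modelled in a stand-alone C example with the bounds check a DMA engine needs before copying a guest-supplied line into its framebuffer. This is added illustration, not code from xlnx_dpdma.c; `model_fb`, `line_fits`, `model_dma_line` and `try_line_at` are invented names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry taken from the report: the reproducer programs 0x780 x 0x438
 * (1920 x 1080) and the overflowing copy is 4096 bytes into an
 * 8294400-byte region, i.e. 1920 * 1080 * 4 bytes per pixel. */
#define FB_WIDTH    0x780u
#define FB_HEIGHT   0x438u
#define FB_BPP      4u
#define FB_BYTES    ((size_t)FB_WIDTH * FB_HEIGHT * FB_BPP)
#define LINE_BYTES  4096u

/* Stand-in for the pixman-allocated framebuffer (hypothetical model,
 * not QEMU's data structure). */
static uint8_t model_fb[FB_BYTES];

/* Bounds check to apply before copying a guest-supplied line into the
 * framebuffer; a subtraction so offset + line_size cannot wrap size_t. */
bool line_fits(size_t fb_size, size_t offset, size_t line_size)
{
    return offset <= fb_size && line_size <= fb_size - offset;
}

/* One line transfer into the model framebuffer: rejects the descriptor
 * (-1) instead of writing past the buffer; returns 0 when copied. */
int model_dma_line(size_t offset, const uint8_t *src, size_t line_size)
{
    if (!line_fits(FB_BYTES, offset, line_size)) {
        return -1;
    }
    memcpy(model_fb + offset, src, line_size);
    return 0;
}

/* Tries a single 4096-byte line at 'offset', the size seen in the report. */
int try_line_at(size_t offset)
{
    static const uint8_t line[LINE_BYTES] = { 0 };
    return model_dma_line(offset, line, LINE_BYTES);
}

int main(void)
{
    /* The report's case: offset == FB_BYTES, 0 bytes past the region. */
    printf("line at end of buffer: %d\n", try_line_at(FB_BYTES));
    printf("last valid line:       %d\n", try_line_at(FB_BYTES - LINE_BYTES));
    return 0;
}
```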