esp: heap-buffer-overflow in esp_fifo_pop_buf
Hello,
Reproducer
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x01
outl 0xc007 0x2500
outl 0xc00a 0x410000
outl 0xc00a 0x410000
outw 0xc00b 0x0200
outw 0xc040 0x03
outw 0xc009 0x00
outw 0xc00b 0x00
outw 0xc009 0x00
outw 0xc00b 0x00
outw 0xc009 0x00
outw 0xc003 0x1000
outw 0xc00b 0x1000
outl 0xc00b 0x9000
outw 0xc00b 0x1000
EOF
Stack-Trace
==60844==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000217009 at pc 0x5615068f764a bp 0x7ffcf2ae0630 sp 0x7ffcf2adfdf8
WRITE of size 2 at 0x625000217009 thread T0
#0 0x5615068f7649 in __asan_memcpy (qemu-system-i386+0x2c38649)
#1 0x5615073c039e in esp_fifo_pop_buf ../hw/scsi/esp.c:132:9
#2 0x5615073c039e in esp_do_nodma ../hw/scsi/esp.c:758:9
#3 0x5615073c7d99 in handle_ti ../hw/scsi/esp.c:887:9
#4 0x5615073c3ad0 in esp_reg_write ../hw/scsi/esp.c:1048:13
#5 0x5615073d4fb3 in esp_pci_io_write ../hw/scsi/esp-pci.c:214:9
#6 0x561507c575a6 in memory_region_write_accessor ../softmmu/memory.c:492:5
#7 0x561507c57013 in access_with_adjusted_size ../softmmu/memory.c:554:18
#8 0x561507c56870 in memory_region_dispatch_write ../softmmu/memory.c
#9 0x561507c35156 in flatview_write_continue ../softmmu/physmem.c:2779:23
#10 0x561507c2ab3b in flatview_write ../softmmu/physmem.c:2819:14
#11 0x561507c2ab3b in address_space_write ../softmmu/physmem.c:2911:18
0x625000217009 is located 4105 bytes to the right of 4096-byte region [0x625000215000,0x625000216000)
allocated by thread T0 here:
#0 0x5615068f8bf7 in posix_memalign (qemu-system-i386+0x2c39bf7)
#1 0x561508bc33fd in qemu_try_memalign ../util/oslib-posix.c:210:11
#2 0x561508bc3840 in qemu_memalign ../util/oslib-posix.c:226:27
#3 0x5615073854fe in scsi_disk_emulate_command ../hw/scsi/scsi-disk.c:1920:27
#4 0x5615073598de in scsi_req_enqueue ../hw/scsi/scsi-bus.c:889:10
#5 0x5615073ccebe in do_command_phase ../hw/scsi/esp.c:291:15
#6 0x5615073ccebe in do_cmd ../hw/scsi/esp.c:339:5
#7 0x5615073c319d in esp_reg_write ../hw/scsi/esp.c:1077:13
#8 0x5615073d4fb3 in esp_pci_io_write ../hw/scsi/esp-pci.c:214:9
#9 0x561507c575a6 in memory_region_write_accessor ../softmmu/memory.c:492:5
#10 0x561507c57013 in access_with_adjusted_size ../softmmu/memory.c:554:18
#11 0x561507c56870 in memory_region_dispatch_write ../softmmu/memory.c
#12 0x561507c35156 in flatview_write_continue ../softmmu/physmem.c:2779:23
#13 0x561507c2ab3b in flatview_write ../softmmu/physmem.c:2819:14
#14 0x561507c2ab3b in address_space_write ../softmmu/physmem.c:2911:18
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36937
libqtest Reproducer: repro.c
Thank you