Stack-overflow through virtio_blk_get_request
Hello,
Reproducer
# Build with --enable-sanitizers
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -machine q35 -device virtio-blk,drive=disk0 -drive \
file=null-co://,id=disk0,if=none,format=raw -qtest /dev/null -qtest \
stdio
outl 0xcf8 0x8000181f
outl 0xcfc 0x0a000000
outl 0xcf8 0x80001804
outl 0xcfc 0x03
outl 0xcf8 0x8000180e
outl 0xcfc 0xff800000
outl 0xff85 0xa1000000
outl 0xff8f 0x00
EOF
Stack-Trace
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1915731==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc7dd32c48 (pc 0x55a3e06dc1b8 bp 0x7ffc7dd39150 sp 0x7ffc7dd32be0 T0)
#0 0x55a3e06dc1b8 in virtqueue_pop /hw/virtio/virtio.c:1674
#1 0x55a3e04f515c in virtio_blk_get_request /hw/block/virtio-blk.c:258:27
#2 0x55a3e04f515c in virtio_blk_handle_vq /hw/block/virtio-blk.c:784:23
#3 0x55a3e06ef325 in virtio_queue_notify /hw/virtio/virtio.c:2335:9
#4 0x55a3e0421e06 in memory_region_write_accessor /softmmu/memory.c:492:5
#5 0x55a3e0421873 in access_with_adjusted_size /softmmu/memory.c:554:18
#6 0x55a3e0420fad in memory_region_dispatch_write /softmmu/memory.c
#7 0x55a3e0402c28 in address_space_stw_internal_cached_slow /memory_ldst.c.inc:415:13
#8 0x55a3e06d339b in vring_used_flags_set_bit /hw/virtio/virtio.c:384:5
#9 0x55a3e06d339b in virtio_queue_split_set_notification /hw/virtio/virtio.c:433:9
#10 0x55a3e06d339b in virtio_queue_set_notification /hw/virtio/virtio.c:490:9
#11 0x55a3e04f5130 in virtio_blk_handle_vq /hw/block/virtio-blk.c:781:13
#12 0x55a3e06ef325 in virtio_queue_notify /hw/virtio/virtio.c:2335:9
#13 0x55a3e0421e06 in memory_region_write_accessor /softmmu/memory.c:492:5
#14 0x55a3e0421873 in access_with_adjusted_size /softmmu/memory.c:554:18
#15 0x55a3e0420fad in memory_region_dispatch_write /softmmu/memory.c
#16 0x55a3e0402c28 in address_space_stw_internal_cached_slow /memory_ldst.c.inc:415:13
#17 0x55a3e06d2e76 in vring_used_flags_unset_bit /hw/virtio/virtio.c:401:5
#18 0x55a3e06d2e76 in virtio_queue_split_set_notification /hw/virtio/virtio.c:431:9
#19 0x55a3e06d2e76 in virtio_queue_set_notification /hw/virtio/virtio.c:490:9
#20 0x55a3e04f51b4 in virtio_blk_handle_vq /hw/block/virtio-blk.c:793:13
#21 0x55a3e06ef325 in virtio_queue_notify /hw/virtio/virtio.c:2335:9
...
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43683
libqtest Reproducer: reproducer.c
Thank you
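The stack trace above shows the loop: virtio_blk_handle_vq disables guest notifications by writing the used-ring flags, that write lands in the device's own notify register (the guest chose the ring address), memory_region_dispatch_write calls virtio_queue_notify, and virtio_blk_handle_vq runs again until the stack is exhausted. The following is an added toy model of that re-entrancy, not QEMU code and not the attached reproducer.c. It models a device that writes the used-ring flags through a bus write, shows the unbounded recursion when the ring address points at the device's own MMIO window, and contrasts it with a busy-flag guard on the MMIO handler. NOTIFY_REG, MAX_DEPTH, the Device struct and all function names are invented for the model; MAX_DEPTH stands in for running out of stack.

```c
/*
 * Added example, not QEMU code: a model of DMA-to-own-MMIO re-entrancy.
 * Names, addresses and the depth limit are made up for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NOTIFY_REG      0x10000u  /* hypothetical MMIO address of the notify register */
#define NOTIFY_REG_SIZE 4u
#define MAX_DEPTH       64        /* stand-in for exhausting the host stack */

typedef struct {
    uint32_t used_ring_addr;  /* guest-chosen address of the used ring (attacker-controlled) */
    uint32_t used_flags;      /* backing store when the ring lives in plain RAM */
    bool     guarded;         /* apply the re-entrancy guard? */
    bool     busy;            /* guard state: a notification is being serviced */
    int      depth;           /* current nesting of handle_vq */
    int      max_depth;       /* deepest nesting observed */
    int      rejected;        /* nested notifications dropped by the guard */
    bool     overflowed;      /* recursion reached MAX_DEPTH */
} Device;

static void notify_write(Device *d, uint32_t addr, uint32_t val);

/* Bus write: either guest RAM or the device's own MMIO window. */
static void bus_write(Device *d, uint32_t addr, uint32_t val)
{
    if (addr >= NOTIFY_REG && addr < NOTIFY_REG + NOTIFY_REG_SIZE) {
        notify_write(d, addr, val);   /* the "DMA" hits our own register: re-entry */
    } else {
        d->used_flags = val;          /* ordinary RAM: the normal case */
    }
}

/* Modelled on virtio_queue_set_notification: toggle the used-ring flags word. */
static void set_notification(Device *d, bool enable)
{
    bus_write(d, d->used_ring_addr, enable ? 0 : 1);
}

/* Modelled on virtio_blk_handle_vq: disable notifications, process, re-enable. */
static void handle_vq(Device *d)
{
    if (d->overflowed) {
        return;                        /* already "crashed"; stop unwinding noise */
    }
    if (++d->depth > d->max_depth) {
        d->max_depth = d->depth;
    }
    if (d->depth >= MAX_DEPTH) {       /* the real device would overflow the stack here */
        d->overflowed = true;
        d->depth--;
        return;
    }
    set_notification(d, false);
    /* virtqueue_pop and request processing would go here */
    set_notification(d, true);
    d->depth--;
}

/* MMIO handler for the notify register; the guarded variant refuses nesting. */
static void notify_write(Device *d, uint32_t addr, uint32_t val)
{
    (void)addr;
    (void)val;
    if (!d->guarded) {
        handle_vq(d);
        return;
    }
    if (d->busy) {
        d->rejected++;                 /* nested notification while servicing one: drop it */
        return;
    }
    d->busy = true;
    handle_vq(d);
    d->busy = false;
}

/* Deliver one guest notification with the used ring at `ring`; return the final state. */
Device run(uint32_t ring, bool guarded)
{
    Device d = { .used_ring_addr = ring, .guarded = guarded };
    notify_write(&d, NOTIFY_REG, 0);
    return d;
}

int main(void)
{
    Device ram  = run(0x2000, false);      /* ring in RAM: one pass, flags end up 0 */
    Device loop = run(NOTIFY_REG, false);  /* ring on the notify register: recursion */
    Device safe = run(NOTIFY_REG, true);   /* same layout with the guard */
    printf("ram:  depth=%d overflowed=%d flags=%u\n", ram.max_depth, ram.overflowed, ram.used_flags);
    printf("loop: depth=%d overflowed=%d\n", loop.max_depth, loop.overflowed);
    printf("safe: depth=%d overflowed=%d rejected=%d\n", safe.max_depth, safe.overflowed, safe.rejected);
    return 0;
}
```

The guard is per-device and only covers the path modelled here; in a real device model the same protection has to sit below every handler that can issue a bus write, since any of them can be steered back into the device's own registers.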