Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet

qemu-devel
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap

From:	Li Qiang
Subject:	Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
Date:	Thu, 13 Aug 2020 09:26:37 +0800
Alexander Bulekov <alxndr@bu.edu> 于2020年8月13日周四 上午12:56写道：
>
> On 200813 0024, Li Qiang wrote:
> > Alexander Bulekov <1891354@bugs.launchpad.net> 于2020年8月13日周四 上午12:21写道：
> > >
> > > Public bug reported:
> > >
> > > Hello,
> > > Reproducer:
> > >
> > > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > > -nodefaults -nographic -qtest stdio
> > > outl 0xcf8 0x80001010
> > > outl 0xcfc 0xc0202
> > > outl 0xcf8 0x80001004
> > > outl 0xcfc 0x1c77695e
> > > writel 0xc0040 0xffffd855
> > > writeq 0xc2000 0xff05140100000000
> > > write 0x1d 0x1 0x27
> > > write 0x2d 0x1 0x2e
> > > write 0x17232 0x1 0x03
> > > write 0x17254 0x1 0x05
> > > write 0x17276 0x1 0x72
> > > write 0x17278 0x1 0x02
> > > write 0x3d 0x1 0x27
> > > write 0x40 0x1 0x2e
> > > write 0x41 0x1 0x72
> > > write 0x42 0x1 0x01
> > > write 0x4d 0x1 0x2e
> > > write 0x4f 0x1 0x01
> > > write 0x2007c 0x1 0xc7
> > > writeq 0xc2000 0x5c05140100000000
> > > write 0x20070 0x1 0x80
> > > write 0x20078 0x1 0x08
> > > write 0x2007c 0x1 0xfe
> > > write 0x2007d 0x1 0x08
> > > write 0x20081 0x1 0xff
> > > write 0x20082 0x1 0x0b
> > > write 0x20089 0x1 0x8c
> > > write 0x2008d 0x1 0x04
> > > write 0x2009d 0x1 0x10
> > > writeq 0xc2000 0x2505ef019e092f00
> > > EOF
> > >
> > > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 
> > > 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > > READ of size 4 at 0x611000045030 thread T0
> > >     #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > >     #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > >     #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > >     #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > >     #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > >     #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > >     #6 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >     #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > >     #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >     #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >     #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >     #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >     #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > >     #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > >     #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > >     #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > >     #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > >     #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > >     #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > >     #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > >     #20 0x55db7a8860fd in main softmmu/main.c:49:5
> > >
> > > 0x611000045030 is located 48 bytes inside of 256-byte region 
> > > [0x611000045000,0x611000045100)
> > > freed by thread T0 here:
> > >     #0 0x55db78cac16d in free 
> > > (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > >     #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > >     #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > >     #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > >     #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > >     #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > >     #6 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >     #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > >     #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >     #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >     #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >     #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >     #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > >     #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > >     #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > >     #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > >     #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > >     #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > >     #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > >     #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > >     #20 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >     #21 0x55db792c658b in access_with_adjusted_size 
> > > softmmu/memory.c:544:18
> > >     #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >     #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >     #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >     #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >     #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > >     #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > >     #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > >     #29 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> >
> > This issue as far as I can see, is the DMA to MMIO issue.
>
> Another one - Interesting...
> So it joins these:
> https://bugs.launchpad.net/qemu/+bug/1888606
> https://bugs.launchpad.net/qemu/+bug/1886362
>
> Could this one be dealt with by moving xhci_reset into a BH?

If we would want to use BH to solve this issue using BH. I think we
should use it in the first MMIO write.
xhci_doorbell_write->xhci_kick_epctx. But we may think out a more
general method to solve these issues,
maybe in the core code other than per-device solution.


Thanks,
Li Qiang

      #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
      #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
      #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
      #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
      #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
      #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
      #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
      #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
      #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
      #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
      #10 0x55db78cfee6b in flatview_write exec.c:3216:14
      #11 0x55db78cfee6b in address_space_write exec.c:3308:18
      #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
      #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
      #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
      #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
      #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
      #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
      #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
      #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
-->Here use a BH.
      #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
      #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
      #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
      #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
      #24 0x55db78cfee6b in flatview_write exec.c:3216:14
      #25 0x55db78cfee6b in address_space_write exec.c:3308:18
      #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
      #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
      #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
      #29 0x7fc5d7f1a897 in g_main_context_dispatch

> -Alex
>
> > Thanks,
> > Li Qiang
> >
> >
> > > previously allocated by thread T0 here:
> > >     #0 0x55db78cac562 in calloc 
> > > (build/i386-softmmu/qemu-system-i386+0x250e562)
> > >     #1 0x7fc5d7f20548 in g_malloc0 
> > > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > >     #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > >     #3 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >     #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
> > >     #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >     #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >     #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >     #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >     #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > >     #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > >     #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > >     #12 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> > > -Alex
> > >
> > > ** Affects: qemu
> > >      Importance: Undecided
> > >          Status: New
> > >
> > > --
> > > You received this bug notification because you are a member of qemu-
> > > devel-ml, which is subscribed to QEMU.
> > > https://bugs.launchpad.net/bugs/1891354
> > >
> > > Title:
> > >   Heap-use-after-free in usb_packet_unmap
> > >
> > > Status in QEMU:
> > >   New
> > >
> > > Bug description:
> > >   Hello,
> > >   Reproducer:
> > >
> > >   cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
> > >   -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
> > >   -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> > >   -nodefaults -nographic -qtest stdio
> > >   outl 0xcf8 0x80001010
> > >   outl 0xcfc 0xc0202
> > >   outl 0xcf8 0x80001004
> > >   outl 0xcfc 0x1c77695e
> > >   writel 0xc0040 0xffffd855
> > >   writeq 0xc2000 0xff05140100000000
> > >   write 0x1d 0x1 0x27
> > >   write 0x2d 0x1 0x2e
> > >   write 0x17232 0x1 0x03
> > >   write 0x17254 0x1 0x05
> > >   write 0x17276 0x1 0x72
> > >   write 0x17278 0x1 0x02
> > >   write 0x3d 0x1 0x27
> > >   write 0x40 0x1 0x2e
> > >   write 0x41 0x1 0x72
> > >   write 0x42 0x1 0x01
> > >   write 0x4d 0x1 0x2e
> > >   write 0x4f 0x1 0x01
> > >   write 0x2007c 0x1 0xc7
> > >   writeq 0xc2000 0x5c05140100000000
> > >   write 0x20070 0x1 0x80
> > >   write 0x20078 0x1 0x08
> > >   write 0x2007c 0x1 0xfe
> > >   write 0x2007d 0x1 0x08
> > >   write 0x20081 0x1 0xff
> > >   write 0x20082 0x1 0x0b
> > >   write 0x20089 0x1 0x8c
> > >   write 0x2008d 0x1 0x04
> > >   write 0x2009d 0x1 0x10
> > >   writeq 0xc2000 0x2505ef019e092f00
> > >   EOF
> > >
> > >   20091==ERROR: AddressSanitizer: heap-use-after-free on address 
> > > 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
> > >   READ of size 4 at 0x611000045030 thread T0
> > >       #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
> > >       #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > >       #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > >       #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
> > >       #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > >       #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > >       #6 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >       #7 0x55db792c658b in access_with_adjusted_size 
> > > softmmu/memory.c:544:18
> > >       #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >       #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >       #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >       #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >       #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > >       #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > >       #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > >       #15 0x7fc5d7f1a897 in g_main_context_dispatch
> > >       #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
> > >       #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
> > >       #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
> > >       #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
> > >       #20 0x55db7a8860fd in main softmmu/main.c:49:5
> > >
> > >   0x611000045030 is located 48 bytes inside of 256-byte region 
> > > [0x611000045000,0x611000045100)
> > >   freed by thread T0 here:
> > >       #0 0x55db78cac16d in free 
> > > (build/i386-softmmu/qemu-system-i386+0x250e16d)
> > >       #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
> > >       #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
> > >       #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
> > >       #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
> > >       #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
> > >       #6 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >       #7 0x55db792c658b in access_with_adjusted_size 
> > > softmmu/memory.c:544:18
> > >       #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >       #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >       #10 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >       #11 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >       #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
> > >       #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
> > >       #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
> > >       #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
> > >       #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
> > >       #17 0x55db79f67143 in xhci_fire_ctl_transfer 
> > > hw/usb/hcd-xhci.c:1722:9
> > >       #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
> > >       #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > >       #20 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >       #21 0x55db792c658b in access_with_adjusted_size 
> > > softmmu/memory.c:544:18
> > >       #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >       #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >       #24 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >       #25 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >       #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > >       #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > >       #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > >       #29 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> > >   previously allocated by thread T0 here:
> > >       #0 0x55db78cac562 in calloc 
> > > (build/i386-softmmu/qemu-system-i386+0x250e562)
> > >       #1 0x7fc5d7f20548 in g_malloc0 
> > > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
> > >       #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
> > >       #3 0x55db792c6b8e in memory_region_write_accessor 
> > > softmmu/memory.c:483:5
> > >       #4 0x55db792c658b in access_with_adjusted_size 
> > > softmmu/memory.c:544:18
> > >       #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
> > >       #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
> > >       #7 0x55db78cfee6b in flatview_write exec.c:3216:14
> > >       #8 0x55db78cfee6b in address_space_write exec.c:3308:18
> > >       #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
> > >       #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
> > >       #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
> > >       #12 0x7fc5d7f1a897 in g_main_context_dispatch
> > >
> > >   -Alex
> > >
> > > To manage notifications about this bug go to:
> > > https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
> > >
> >
[Prev in Thread]
Current Thread
[Next in Thread]
[Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap, Alexander Bulekov, 2020/08/12
- Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap, Li Qiang, 2020/08/12
  - Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap, Alexander Bulekov, 2020/08/12
    - Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap, Li Qiang <=
Prev by Date: Re: [RFC PATCH v3 8/8] target/s390x: Use start-powered-off CPUState property
Next by Date: Re: [PATCH v1 0/2] Add timeout mechanism to qmp actions
Previous by thread: Re: [Bug 1891354] [NEW] Heap-use-after-free in usb_packet_unmap
Next by thread: Re: [PULL 3/3] configure: Allow to build tools without pixman
Index(es):
- Date
- Thread