From: David Hildenbrand <david@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Alexander Bulekov" <alxndr@bu.edu>
Cc: QEMU Developers <qemu-devel@nongnu.org>,
Stefan Hajnoczi <stefanha@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: Null-pointer dereference through virtio-balloon
Date: Mon, 18 May 2020 09:40:10 +0200 [thread overview]
Message-ID: <6a82c69c-0b9b-ba4b-c92a-843acc5eb397@redhat.com> (raw)
In-Reply-To: <CAP+75-WyjYTDcERsxYG3YyN4mWH3aRi-OYyQcPAWEa10htv6Lw@mail.gmail.com>
On 16.05.20 13:35, Philippe Mathieu-Daudé wrote:
> +David (virtio-balloon maintainer)
>
> On Mon, May 11, 2020 at 6:42 AM Alexander Bulekov <alxndr@bu.edu> wrote:
>>
>> Hello,
>> While fuzzing, I found an input that triggers a null-ptr dereference in
>> aio_bh_enqueue, through virtio-balloon. Based on the stacktrace below,
>> I am not positive that this is specific to virtio-balloon, however
>> I have not encountered the same issue for any of the other virtio
>> devices I am fuzzing.
>>
>> AddressSanitizer: SEGV on unknown address 0x000000000000
>>
>> #0 0x55ee5b93eb28 in aio_bh_enqueue util/async.c:69:27
>> #1 0x55ee5b93eb28 in qemu_bh_schedule util/async.c:181:5
>> #2 0x55ee5ae71465 in virtio_queue_notify hw/virtio/virtio.c:2364:9
>> #3 0x55ee5b51142d in virtio_mmio_write hw/virtio/virtio-mmio.c:369:13
>> #4 0x55ee5ad0d2d6 in memory_region_write_accessor memory.c:483:5
>> #5 0x55ee5ad0cc7f in access_with_adjusted_size memory.c:544:18
>> #6 0x55ee5ad0cc7f in memory_region_dispatch_write memory.c:1476:16
>> #7 0x55ee5ac221d3 in flatview_write_continue exec.c:3137:23
>> #8 0x55ee5ac1ab97 in flatview_write exec.c:3177:14
>> #9 0x55ee5ac1ab97 in address_space_write exec.c:3268:18
>>
>> I can reproduce it in a qemu 5.0 build using:
>> cat << EOF | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-balloon-device,free-page-hint=true,deflate-on-oom=true -nographic -monitor none -display none -serial none -qtest stdio
>> write 0xc0000e30 0x24 0x030000000300000003000000030000000300000003000000030000000300000003000000
>> EOF
>
> If you start QEMU this way, you get a warning:
>
> qemu-system-i386: -device
> virtio-balloon-device,free-page-hint=true,deflate-on-oom=true:
> iothread is missing
>
> if (s->iothread) {
> s->free_page_bh =
> aio_bh_new(iothread_get_aio_context(s->iothread), ...
> ...
> } else {
> ...
> virtio_error(vdev, "iothread is missing");
> }
>
> Shouldn't we call error_setg(errp, "iothread is missing") and return instead?
Yes, that error handling is just messed up. The issue is that we create
a queue but leave free_page_bh set to 0. The virtio_error() will be
cleared by a device reset, the feature is not indicated but the queue
exists and can be notified.
Somebody requested the feature, so we should bail out if we cannot make
it work.
I'll send a fix, thanks!
--
Thanks,
David / dhildenb
prev parent reply other threads:[~2020-05-18 7:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-11 4:41 Null-pointer dereference through virtio-balloon Alexander Bulekov
2020-05-16 11:35 ` Philippe Mathieu-Daudé
2020-05-18 7:40 ` David Hildenbrand [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a82c69c-0b9b-ba4b-c92a-843acc5eb397@redhat.com \
--to=david@redhat.com \
--cc=alxndr@bu.edu \
--cc=mst@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).