Re: [PULL 1/1] hw/ufs: Fix buffer overflow bug

[Thomas Huth <thuth@redhat.com>]

On 30/04/2024 06.32, Thomas Huth wrote:
> On 30/04/2024 02.17, Richard Henderson wrote:
>> On 4/28/24 20:25, Jeuk Kim wrote:
>>> From: Jeuk Kim <jeuk20.kim@samsung.com>
>>>
>>> It fixes the buffer overflow vulnerability in the ufs device.
>>> The bug was detected by sanitizers.
>>>
>>> You can reproduce it by:
>>>
>>> cat << EOF |\
>>> qemu-system-x86_64 \
>>> -display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
>>> file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
>>> ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
>>> outl 0xcf8 0x80000810
>>> outl 0xcfc 0xe0000000
>>> outl 0xcf8 0x80000804
>>> outw 0xcfc 0x06
>>> write 0xe0000058 0x1 0xa7
>>> write 0xa 0x1 0x50
>>> EOF
>>>
>>> Resolves: #2299
>>> Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
>>> Reported-by: Zheyu Ma <zheyuma97@gmail.com>
>>> Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
>>> ---
>>>   hw/ufs/ufs.c | 8 ++++++++
>>>   1 file changed, 8 insertions(+)
>>
>> For some reason this appears to cause failures on s390x:
>>
>>    https://gitlab.com/qemu-project/qemu/-/jobs/6740883283
>>
>> All of the timeouts are new with this patch alone applied,
>> and go away when reverted.
>>
>> I wasn't aware that these tests used ufs, but I have no
>> other explanation...
> 
> I don't know for sure, but the test failure might instead be related to the 
> problem that gets fixed by 
> https://lore.kernel.org/qemu-devel/20240429075908.36302-1-thuth@redhat.com/ 
> ... I'm preparing a pull request for that fix right now, so maybe you could 
> try this ufs pull request afterwards again to see whether the problem is fixed?

Hmm, thinking about it twice, it cannot be the reason: That bug affects 
aarch64/arm only, and in above CI run, some other targets were failing. So 
the problem must be something else, indeed.

  Thomas