| Message ID | 20211218160912.1591633-4-philmd@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | hw/audio/intel-hda: Restrict DMA engine to memories (non-MMIO devices) | expand |
On 18/12/2021 17.09, Philippe Mathieu-Daudé wrote: > Include the qtest reproducer provided by Alexander Bulekov > in https://gitlab.com/qemu-project/qemu/-/issues/542. > Without the previous commit, we get: > > $ make check-qtest-i386 > ... > Running test tests/qtest/intel-hda-test > AddressSanitizer:DEADLYSIGNAL > ================================================================= > ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0 > #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356 > #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15 > #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15 > #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10 > #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 > #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 > #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 > #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 > #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 > #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1 > #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1 > #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12 > #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5 > #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5 > #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5 > #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 > #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5 > #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9 > #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5 > #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5 > #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18 > #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16 > #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23 > #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12 > #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 > #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 > #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 > #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 > #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 > #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1 > #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1 > #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12 > #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5 > #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5 > #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5 > #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 > #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5 > #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9 > #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5 > #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5 > #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18 > #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16 > #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23 > #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12 > #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 > #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 > #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 > #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 > #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 > ... > SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal > ==1580408==ABORTING > Broken pipe > Aborted (core dumped) > > Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > tests/qtest/intel-hda-test.c | 34 ++++++++++++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > > diff --git a/tests/qtest/intel-hda-test.c b/tests/qtest/intel-hda-test.c > index fc25ccc33cc..a58c98e4d11 100644 > --- a/tests/qtest/intel-hda-test.c > +++ b/tests/qtest/intel-hda-test.c > @@ -29,11 +29,45 @@ static void ich9_test(void) > qtest_end(); > } > > +/* > + * https://gitlab.com/qemu-project/qemu/-/issues/542 > + * Used to trigger: > + * AddressSanitizer: stack-overflow > + */ > +static void test_issue542_ich6(void) > +{ > + QTestState *s; > + > + s = qtest_init("-nographic -nodefaults -M pc-q35-6.2 " > + "-device intel-hda,id=" HDA_ID CODEC_DEVICES); > + > + qtest_outl(s, 0xcf8, 0x80000804); > + qtest_outw(s, 0xcfc, 0x06); > + qtest_bufwrite(s, 0xff0d060f, "\x03", 1); > + qtest_bufwrite(s, 0x0, "\x12", 1); > + qtest_bufwrite(s, 0x2, "\x2a", 1); > + qtest_writeb(s, 0x0, 0x12); > + qtest_writeb(s, 0x2, 0x2a); > + qtest_outl(s, 0xcf8, 0x80000811); > + qtest_outl(s, 0xcfc, 0x006a4400); > + qtest_bufwrite(s, 0x6a44005a, "\x01", 1); > + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); > + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); > + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); > + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); > + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); > + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); > + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); > + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); > + qtest_quit(s); > +} > + > int main(int argc, char **argv) > { > g_test_init(&argc, &argv, NULL); > qtest_add_func("/intel-hda/ich6", ich6_test); > qtest_add_func("/intel-hda/ich9", ich9_test); > + qtest_add_func("/intel-hda/fuzz/issue542", test_issue542_ich6); > > return g_test_run(); > } Acked-by: Thomas Huth <thuth@redhat.com>
diff --git a/tests/qtest/intel-hda-test.c b/tests/qtest/intel-hda-test.c index fc25ccc33cc..a58c98e4d11 100644 --- a/tests/qtest/intel-hda-test.c +++ b/tests/qtest/intel-hda-test.c @@ -29,11 +29,45 @@ static void ich9_test(void) qtest_end(); } +/* + * https://gitlab.com/qemu-project/qemu/-/issues/542 + * Used to trigger: + * AddressSanitizer: stack-overflow + */ +static void test_issue542_ich6(void) +{ + QTestState *s; + + s = qtest_init("-nographic -nodefaults -M pc-q35-6.2 " + "-device intel-hda,id=" HDA_ID CODEC_DEVICES); + + qtest_outl(s, 0xcf8, 0x80000804); + qtest_outw(s, 0xcfc, 0x06); + qtest_bufwrite(s, 0xff0d060f, "\x03", 1); + qtest_bufwrite(s, 0x0, "\x12", 1); + qtest_bufwrite(s, 0x2, "\x2a", 1); + qtest_writeb(s, 0x0, 0x12); + qtest_writeb(s, 0x2, 0x2a); + qtest_outl(s, 0xcf8, 0x80000811); + qtest_outl(s, 0xcfc, 0x006a4400); + qtest_bufwrite(s, 0x6a44005a, "\x01", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_quit(s); +} + int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); qtest_add_func("/intel-hda/ich6", ich6_test); qtest_add_func("/intel-hda/ich9", ich9_test); + qtest_add_func("/intel-hda/fuzz/issue542", test_issue542_ich6); return g_test_run(); }
Include the qtest reproducer provided by Alexander Bulekov in https://gitlab.com/qemu-project/qemu/-/issues/542. Without the previous commit, we get: $ make check-qtest-i386 ... Running test tests/qtest/intel-hda-test AddressSanitizer:DEADLYSIGNAL ================================================================= ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0 #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356 #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15 #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15 #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10 #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1 #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1 #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12 #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5 #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5 #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5 #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5 #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9 #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5 #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5 #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18 #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16 #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23 #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12 #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1 #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1 #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12 #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5 #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5 #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5 #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5 #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9 #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5 #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5 #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18 #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16 #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23 #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12 #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18 #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16 #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12 #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12 #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12 ... SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal ==1580408==ABORTING Broken pipe Aborted (core dumped) Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- tests/qtest/intel-hda-test.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+)