Public bug reported:

Hello,
Reproducer:
cat << EOF | ./qemu-system-i386 -M pc \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-hd,drive=disk0,bus=ide.1,unit=1 \
-display none -nodefaults -qtest stdio -accel qtest
outw 0x176 0x35b3
outb 0x376 0x5f
outb 0x376 0x40
outl 0xcf8 0x80000904
outl 0xcfc 0x5c0525b7
outb 0x176 0x0
outl 0xcf8 0x8000091e
outl 0xcfc 0xd7580584
write 0x187 0x1 0x34
write 0x277 0x1 0x34
write 0x44f 0x1 0x5c
write 0x53f 0x1 0x5c
write 0x717 0x1 0x34
write 0x807 0x1 0x34
write 0x9df 0x1 0x5c
write 0xbb7 0x1 0x34
write 0xca7 0x1 0x34
write 0xe7f 0x1 0x5c
write 0xf6f 0x1 0x5c
outb 0xd758 0x5f
outb 0xd758 0x40
EOF


Trace:
[S +0.083320] OK
[R +0.083328] outb 0xd758 0x5f
OK
[S +0.084167] OK
[R +0.084183] outb 0xd758 0x40
../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
==843136==The signal is caused by a READ memory access.
==843136==Hint: address points to the zero page.
    #0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
    #1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
    #2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
    #3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
    #4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
    #5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
    #6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
    #7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
    #8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
    #9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
    #10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
    #11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
    #12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
    #13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
    #14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
    #15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
    #16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
    #17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
    #18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
    #19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
    #20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
    #21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
    #22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
    #23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
    #24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
    #25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
    #26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
==843136==ABORTING

-Alex
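Added decoder for the reproducer above. This is an added example, not code from the report or from QEMU: it walks the qtest port writes through the x86 PCI configuration mechanism (0xcf8/0xcfc) and the legacy ATA and PIIX3 bus-master IDE register layouts, so the bare port numbers read as register writes. Two things it assumes are not stated in the report and are marked ASSUMPTION in the code: that the `pc` machine's PIIX3 IDE function is 00:01.1 with a 16-byte I/O BAR4 (primary channel at +0, secondary at +8), and that, as in QEMU's PCI host bridge model, the CONFIG_DATA offset is taken from CONFIG_ADDRESS bits 7:0 without rounding down to a dword. Under those assumptions the dword written at offset 0x1e lands its upper two bytes in BAR4 and puts the BMDMA block at 0xd750, so `outb 0xd758` is the secondary channel's bus-master command register; the final two writes set and then clear its start bit, which is the `bmdma_cmd_writeb` -> `ide_cancel_dma_sync` path in the trace, after `outb 0x176 0x0` had selected unit 0 of `ide.1`, where the command line attaches no drive. That last reading is an inference from the reproducer and the command line, not a statement from the report.

```python
"""Decode a qtest reproducer into register-level events (added example, not QEMU code)."""
import re
from dataclasses import dataclass

# Constructed sample input: the port writes from the reproducer, in order.
REPRO = "\n".join([
    "outw 0x176 0x35b3", "outb 0x376 0x5f", "outb 0x376 0x40", "outl 0xcf8 0x80000904",
    "outl 0xcfc 0x5c0525b7", "outb 0x176 0x0", "outl 0xcf8 0x8000091e", "outl 0xcfc 0xd7580584",
    "outb 0xd758 0x5f", "outb 0xd758 0x40",
])

# ASSUMPTION: on the 'pc' machine the PIIX3 IDE function is 00:01.1 and its
# bus-master DMA registers sit in BAR4, a 16-byte I/O BAR (primary channel
# at +0, secondary channel at +8).
IDE_BDF = (0, 1, 1)
BAR4_OFFSET, BAR4_SIZE = 0x20, 0x10
BAR4_WMASK = (~(BAR4_SIZE - 1)) & 0xFFFFFFFF        # size bits are read-only
ATA_CHANNELS = {0x1F0: ("primary", 0x3F6), 0x170: ("secondary", 0x376)}
ATA_CMD_REGS = ["data", "features", "sector count", "LBA low",
                "LBA mid", "LBA high", "device/head", "command"]
WIDTH = {"outb": 1, "outw": 2, "outl": 4}
PORT_RE = re.compile(r"^(outb|outw|outl)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)$", re.I)


@dataclass
class DecoderState:
    config_address: int = 0
    io_enabled: bool = False
    bar4: int = 0x1          # reset value: I/O-type BAR, no base programmed

    @property
    def bmdma_base(self):    # I/O base of the BMDMA block, 0 while not decoded
        return (self.bar4 & ~(BAR4_SIZE - 1) & 0xFFFF) if self.io_enabled else 0


def decode_config_data(state, port, width, value):
    # ASSUMPTION about the model: as in QEMU's PCI host bridge, the offset is
    # CONFIG_ADDRESS bits 7:0 OR'd with the data port's low two bits and is
    # not rounded down to a dword, so a dword written at 0x1e reaches BAR4.
    addr = state.config_address
    if not addr & 0x80000000:
        return ["PCI CONFIG_DATA write ignored: enable bit clear"]
    bus, dev, fn = (addr >> 16) & 0xFF, (addr >> 11) & 0x1F, (addr >> 8) & 7
    offset = (addr & 0xFF) | (port & 3)
    events = [f"PCI {bus:02x}:{dev:02x}.{fn} config[{offset:#04x}+{width}] <- {value:#x}"]
    if (bus, dev, fn) != IDE_BDF:
        return events
    if offset <= 0x04 and offset + width >= 0x06:           # COMMAND register
        cmd = (value >> (8 * (0x04 - offset))) & 0xFFFF
        state.io_enabled = bool(cmd & 1)
        events.append(f"  COMMAND <- {cmd:#06x} (I/O enable={cmd & 1}, bus master={(cmd >> 2) & 1})")
    for i in range(width):                                   # bytes landing in BAR4
        off, byte = offset + i, (value >> (8 * i)) & 0xFF
        if BAR4_OFFSET <= off < BAR4_OFFSET + 4:
            shift = 8 * (off - BAR4_OFFSET)
            wmask = (BAR4_WMASK >> shift) & 0xFF
            state.bar4 = (state.bar4 & ~(wmask << shift)) | ((byte & wmask) << shift)
            events.append(f"  BAR4 byte {off - BAR4_OFFSET} <- {byte:#04x}: BMDMA base now {state.bmdma_base:#06x}")
    return events


def decode_port_write(state, port, width, value):
    if port == 0xCF8:
        if width != 4:
            return ["PCI CONFIG_ADDRESS: non-dword write ignored"]
        state.config_address = value
        return [f"PCI CONFIG_ADDRESS <- {value:#010x} (offset {value & 0xFF:#04x}, enable={value >> 31})"]
    if 0xCFC <= port <= 0xCFF:
        return decode_config_data(state, port, width, value)
    for base, (chan, ctrl) in ATA_CHANNELS.items():
        if port == ctrl:
            return [f"ATA {chan} device control <- {value:#04x} (SRST={(value >> 2) & 1}, nIEN={(value >> 1) & 1})"]
        if port == base:
            return [f"ATA {chan} data <- {value:#x}"]
        if base < port < base + 8:      # a wider write covers consecutive byte registers
            events = []
            for i in range(min(width, base + 8 - port)):
                idx, byte = port - base + i, (value >> (8 * i)) & 0xFF
                unit = f" (selects unit {(byte >> 4) & 1})" if idx == 6 else ""
                events.append(f"ATA {chan} {ATA_CMD_REGS[idx]} <- {byte:#04x}{unit}")
            return events
    base = state.bmdma_base
    if base and base <= port < base + BAR4_SIZE:
        chan, reg = ("primary", port - base) if port - base < 8 else ("secondary", port - base - 8)
        if reg == 0:
            direction = "device->memory" if value & 8 else "memory->device"
            return [f"BMDMA {chan} command <- {value:#04x} (start/stop bit={value & 1}, {direction})"]
        return [f"BMDMA {chan} register +{reg} <- {value:#x}"]
    return [f"port {port:#06x} <- {value:#x} (not classified)"]


def decode(script):
    """Return ([(qtest command, decoded event), ...], final DecoderState)."""
    state, events = DecoderState(), []
    for line in (ln.strip() for ln in script.splitlines() if ln.strip()):
        if m := PORT_RE.match(line):
            port, value = int(m.group(2), 16), int(m.group(3), 16)
            events += [(line, e) for e in decode_port_write(state, port, WIDTH[m.group(1).lower()], value)]
        else:  # qtest 'write' (guest memory) and anything else: listed, not decoded
            events.append((line, "guest memory write" if line.startswith("write ") else "not decoded"))
    return events, state
```

Calling `decode(REPRO)` returns one (command, decoding) pair per register touched plus the final decoder state; pointing it at another qtest reproducer for the same machine gives the same breakdown, and the first thing to check on any unfamiliar port number is whether an earlier CONFIG_DATA write moved a BAR under it.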

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892966

Title:
  Null-pointer dereference in blk_bs through ide_cancel_dma_sync

Status in QEMU:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions