stat64_add() takes uint64_t as 2nd argument, but both
"p->next_packet_size" and "p->packet_len" are uint32_t.
Thus, their sum may overflow uint32_t.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
migration/multifd.c
a specific build.
Signed-off-by: Dmitry Frolov
---
scripts/mtest2make.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/mtest2make.py b/scripts/mtest2make.py
index eb01a05ddb..ff60b62724 100644
--- a/scripts/mtest2make.py
+++ b/scripts/mtest2make.py
@@ -27,7 +27,9 @@ def names(
More time is needed for some tests when qemu is built with
"--enable-asan --enable-ubsan"
Signed-off-by: Dmitry Frolov
---
tests/qtest/meson.build | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index aa93e98418..
t header
Signed-off-by: Dmitry Frolov
---
tests/qtest/qos-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/qos-test.c b/tests/qtest/qos-test.c
index 114f6bef27..e8ac00f0f7 100644
--- a/tests/qtest/qos-test.c
+++ b/tests/qtest/qos-test.c
@@ -326,7 +
"int main(int argc, char **argv, char** envp)" is a non-standard
Microsoft extension of the C language and it's not portable.
In my particular case (Debian 13, clang-16) this raises a wild-pointer
dereference with ASAN message "heap-use-after-free".
Signed-off-by: Dmitry Frol
If pcmc->pci_enabled is false, pcms->pcibus is NULL and is passed
to pc_nic_init() where it is being dereferenced.
Found running make check with enabled sanitizers.
Signed-off-by: Dmitry Frolov
---
hw/i386/pc_piix.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/h
Both timeout and the return value of imx_gpt_update_count() are unsigned.
Thus "limit" cannot be negative, but obviously that was implied.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
hw/timer/imx_gpt.c | 2 +-
1 file changed, 1 inser
The product "icnto * s->tcntb" may overflow uint32_t.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
hw/timer/exynos4210_mct.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/timer/exynos4210_mct
The sum "cluster_index + count" may overflow uint32_t.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
block/parallels.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/parallels.c b/block/paralle
The sum offset + length may overflow uint32. Since this sum is
compared with uint64_t return value of get_lsa_size(), it makes
sense to choose uint64_t type for offset and length.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
hw/cxl/cxl
The product bs->bl.zone_size * (bs->bl.nr_zones - 1) may overflow
uint32.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
hw/block/virtio-blk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/block/virtio-blk.
Memory allocated by the first call of g_strdup_printf() is lost at
the second call.
Signed-off-by: Dmitry Frolov
---
hw/arm/sbsa-ref.c | 14 --
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index ae37a92301..10984fc339 100644
memcpy() is trying to READ 512 bytes from memory
pointed to by info->kernel_cmdline,
which was (presumably) allocated by g_strdup("");
Found with ASAN, running make check with enabled sanitizers.
Signed-off-by: Dmitry Frolov
---
hw/loongarch/boot.c | 2 +-
1 file changed, 1 insertion(+
ough.
Also, the second qvirtqueue_add() call with its corresponding comment is redundant.
v1: https://patchew.org/QEMU/20240523102813.396750-2-fro...@swemel.ru/
v2: modified error-check & clean-up
Signed-off-by: Dmitry Frolov
---
tests/qtest/fuzz/virtio_net_fuzz.c | 20 ++--
A crash found while fuzzing device virtio-net-socket-check-used.
Assertion "offset == 0" in iov_copy() fails if less than guest_hdr_len bytes
were transmitted.
Signed-off-by: Dmitry Frolov
---
v1: https://patchew.org/QEMU/20240527133140.218300-2-fro...@swemel.ru/
v2: broken
v3: goto
A crash found while fuzzing device virtio-net-socket-check-used.
Assertion "offset == 0" in iov_copy() fails if less than guest_hdr_len bytes
were transmitted.
Signed-off-by: Dmitry Frolov
---
v1: https://patchew.org/QEMU/20240527133140.218300-2-fro...@swemel.ru/
v2: replaced repeating
A crash found while fuzzing device virtio-net-socket-check-used.
Assertion "offset == 0" in iov_copy() fails if less than guest_hdr_len bytes
were transmitted.
Signed-off-by: Dmitry Frolov
---
hw/net/virtio-net.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/hw/net/virtio-
If QTestState was already CLOSED due to an error, calling qtest_clock_step()
afterwards makes no sense and only raises a false crash with message:
"assertion timer != NULL failed".
Signed-off-by: Dmitry Frolov
---
tests/qtest/fuzz/virtio_net_fuzz.c | 3 +++
1 file changed, 3 insertion
Found with fuzzing for qemu-8.2, but also relevant for master
Signed-off-by: Dmitry Frolov
---
tests/qtest/fuzz/qos_fuzz.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c
index b71e945c5f..d3839bf999 100644
--- a/tests/qtest/fuzz
vdev is being dereferenced in the first line of the function.
The following NULL-check makes no sense.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
hw/virtio/virtio-bus.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff
== stats[0]
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
ui/vnc-enc-tight.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index 41f559eb83..f1249ab136 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc
It seems that comments to transitional/non-transitional devices are
mixed up.
Signed-off-by: Dmitry Frolov
---
include/hw/virtio/virtio-pci.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/hw/virtio/virtio-pci.h b/include/hw/virtio/virtio-pci.h
index 5a3f182f99
blk_bs() may return NULL, which will be dereferenced without a check in
bdrv_commit().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Frolov
---
block/monitor/block-hmp-cmds.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a
uring precopy")
Signed-off-by: Dmitry Frolov
---
migration/ram.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/migration/ram.c b/migration/ram.c
index e4bfd39f08..bd4b7574e1 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -4281,6 +4281,11 @@ static void ram_mig_ram_blo
Center (linuxtesting.org) with SVACE.
v2: assert added
v3: assert removed
Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from
TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov
---
include/hw/cxl/cxl.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --
/pci-bridge: Make PCIe and CXL PXB Devices inherit from
TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov
---
v2: assert added
---
hw/cxl/cxl-host.c| 1 +
include/hw/cxl/cxl.h | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/cxl/cxl-host.c b/hw/cxl/cxl-host.c
index 034c78
/pci-bridge: Make PCIe and CXL PXB Devices inherit from
TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov
---
include/hw/cxl/cxl.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/cxl/cxl.h b/include/hw/cxl/cxl.h
index 56c9e7676e..4944725849 100644
--- a/include/hw
bdrv_open_child() may return NULL.
Usually the return value of this function is checked.
Checking the return value is more reliable.
Fixes: 24bc15d1f6 ("vmdk: Use BdrvChild instead of BDS for references to
extents")
Signed-off-by: Dmitry Frolov
---
block/vmdk.c | 2 +-
1 file changed, 1
init fails")
Signed-off-by: Dmitry Frolov
---
v2: Moved declarations in the beginning.
v3: Fixed errors in v2.
ui/gtk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ui/gtk.c b/ui/gtk.c
index 8ba41c8f13..7db972732b 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -2360,7 +2360,7
init fails")
Signed-off-by: Dmitry Frolov
---
v2: Moved declarations in the beginning.
ui/gtk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ui/gtk.c b/ui/gtk.c
index 8ba41c8f13..23a78787df 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -2360,7 +2360,7 @@ static void g
Fuzzing causes thousands of identical crashes with message:
"AddressSanitizer: 3744 byte(s) leaked in 1 allocation(s)"
Fixes: 060ab76356 ("gtk: don't exit early in case gtk init fails")
Signed-off-by: Dmitry Frolov
---
ui/gtk.c | 8
1 file changed, 4 i