Hello Ren, Alex,
+-- On Wed, 13 May 2020, Ding, Ren wrote --+
| We couldn’t reproduce the bug with the patch provided by our reproducer
| earlier, though we did not dig into the details of it. Meanwhile, we do also
| see the null pointer dereference crash with the current upstream
| (https://
Hi all,
We couldn’t reproduce the bug with the patch provided by our reproducer
earlier, though we did not dig into the details of it. Meanwhile, we do also
see the null pointer dereference crash with the current upstream
(https://bugs.launchpad.net/qemu/+bug/1878259).
Ren
On May 13, 2020, at
+-- On Wed, 13 May 2020, Alexander Bulekov wrote --+
| They are not necessary, but for me QEMU crashes before qtest ever tries to
| parse them. Is your QEMU built with ASAN?
Yes, it is
QEMU_CFLAGS -I/usr/include/pixman-1 -Werror -fsanitize=address
QEMU_LDFLAGS -Wl,--warn-common -fs
On 200513 1919, P J P wrote:
> Hello Alex,
>
> +-- On Tue, 12 May 2020, Alexander Bulekov wrote --+
> | I noticed this since I found a similar issue recently, using a fuzzer. I
> | applied your patches, but I can still reproduce the heap-overflow, unless
> | I'm missing something:
>
> Strange
Hello Alex,
+-- On Tue, 12 May 2020, Alexander Bulekov wrote --+
| I noticed this since I found a similar issue recently, using a fuzzer. I
| applied your patches, but I can still reproduce the heap-overflow, unless
| I'm missing something:
Strange, because with uint16_t type, 'reply_queue_he
Hello Alex,
+-- On Tue, 12 May 2020, Alexander Bulekov wrote --+
| ==20527==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f79f968a5e0 at pc 0x55b6bb84ce28 bp 0x7ffcbca04eb0 sp 0x7ffcbca04ea8
| READ of size 8 at 0x7f79f968a5e0 thread T0
|
| #0 0x55fbeb2bdafc in megasas_lookup_fram
+-- On Tue, 12 May 2020, Philippe Mathieu-Daudé wrote --+
| The cover describes the bug as OOB, so I suppose this is a security issue.
| Now a 6 months embargo surprises me. I was expecting some period in a
| 30-90days range to be the default. However reading the 'Publication embargo'
| chapter
c-André
Lureau<mailto:marcandre.lur...@redhat.com>
Subject: Re: [PATCH 0/2] use unsigned type for MegasasState fields
+-- On Tue, 12 May 2020, Philippe Mathieu-Daudé wrote --+
| Cc'ing Marc-André our signed/unsigned conversion expert (with Paolo).
megasas_init_firmware
pa_lo = le32_to_
On 200512 2259, Philippe Mathieu-Daudé wrote:
> On 5/12/20 9:48 PM, Alexander Bulekov wrote:
> > Oops I realized I posted a bad stacktrace and a bad reproducer :)
> > Fixed stacktrace:
> >
> > ==20527==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x7f79f968a5e0 at pc 0x55b6bb84ce2
On 5/12/20 9:48 PM, Alexander Bulekov wrote:
Oops I realized I posted a bad stacktrace and a bad reproducer :)
Fixed stacktrace:
==20527==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f79f968a5e0 at pc 0x55b6bb84ce28 bp 0x7ffcbca04eb0 sp 0x7ffcbca04ea8
READ of size 8 at 0x7f79f968
ppe Mathieu-Daudé <mailto:phi...@redhat.com>
*Cc: *QEMU Developers <mailto:qemu-devel@nongnu.org>; Fam Zheng
<mailto:f...@euphon.net>; Paolo Bonzini <mailto:pbonz...@redhat.com>;
Ding, Ren <mailto:rd...@gatech.edu>; Marc-André Lureau
<mailto:marcandre.lur...@redhat.com&g
Oops I realized I posted a bad stacktrace and a bad reproducer :)
Fixed stacktrace:
==20527==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f79f968a5e0 at pc 0x55b6bb84ce28 bp 0x7ffcbca04eb0 sp 0x7ffcbca04ea8
READ of size 8 at 0x7f79f968a5e0 thread T0
#0 0x55fbeb2bdafc in megasas_lo
Hello Prasad,
I noticed this since I found a similar issue recently, using a fuzzer.
I applied your patches, but I can still reproduce the heap-overflow,
unless I'm missing something:
==20527==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f79f968a5e0 at pc 0x55b6bb84ce28 bp 0x7ffcbc
+-- On Tue, 12 May 2020, Philippe Mathieu-Daudé wrote --+
| Cc'ing Marc-André our signed/unsigned conversion expert (with Paolo).
megasas_init_firmware
pa_lo = le32_to_cpu(initq->pi_addr_lo);
pa_hi = le32_to_cpu(initq->pi_addr_hi);
s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
Cc'ing Marc-André our signed/unsigned conversion expert (with Paolo).
On 5/7/20 12:57 PM, P J P wrote:
From: Prasad J Pandit
Hello,
* This series fixes an OOB access issue which may occur when a guest user
sets 's->reply_queue_head' field to a negative (or large positive) value,
via 'str
+-- On Thu, 7 May 2020, P J P wrote --+
| Hello,
|
| * This series fixes an OOB access issue which may occur when a guest user
| sets 's->reply_queue_head' field to a negative (or large positive) value,
| via 'struct mfi_init_qinfo' object in megasas_init_firmware().
|
| * Second patch updates
From: Prasad J Pandit
Hello,
* This series fixes an OOB access issue which may occur when a guest user
sets 's->reply_queue_head' field to a negative (or large positive) value,
via 'struct mfi_init_qinfo' object in megasas_init_firmware().
* Second patch updates other numeric fields of Megas