qemu/tests/qtest
Li Qiang 1153cf9f5b qtest: add tulip test case
The tulip networking card emulation has an OOB issue in
'tulip_copy_tx_buffers' when the guest provide malformed descriptor.
This test will trigger a ASAN heap overflow crash. To trigger this
issue we can construct the data as following:

1. construct a 'tulip_descriptor'. Its control is set to
'0x7ff | 0x7ff << 11', this will make the 'tulip_copy_tx_buffers's
'len1' and 'len2' to 0x7ff(2047). So 'len1+len2' will overflow
'TULIPState's 'tx_frame' field. This descriptor's 'buf_addr1' and
'buf_addr2' should set to a guest address.

2. write this descriptor to tulip device's CSR4 register. This will
set the 'TULIPState's 'current_tx_desc' field.

3. write 'CSR6_ST' to tulip device's CSR6 register. This will trigger
'tulip_xmit_list_update' and finally calls 'tulip_copy_tx_buffers'.

Following shows the backtrack of crash:

==31781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000007cd0 at pc 0x7fe03c5a077a bp 0x7fff05b46770 sp 0x7fff05b45f18
WRITE of size 2047 at 0x628000007cd0 thread T0
    #0 0x7fe03c5a0779  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79779)
    #1 0x5575fb6daa6a in flatview_read_continue /home/test/qemu/exec.c:3194
    #2 0x5575fb6daccb in flatview_read /home/test/qemu/exec.c:3227
    #3 0x5575fb6dae66 in address_space_read_full /home/test/qemu/exec.c:3240
    #4 0x5575fb6db0cb in address_space_rw /home/test/qemu/exec.c:3268
    #5 0x5575fbdfd460 in dma_memory_rw_relaxed /home/test/qemu/include/sysemu/dma.h:87
    #6 0x5575fbdfd4b5 in dma_memory_rw /home/test/qemu/include/sysemu/dma.h:110
    #7 0x5575fbdfd866 in pci_dma_rw /home/test/qemu/include/hw/pci/pci.h:787
    #8 0x5575fbdfd8a3 in pci_dma_read /home/test/qemu/include/hw/pci/pci.h:794
    #9 0x5575fbe02761 in tulip_copy_tx_buffers hw/net/tulip.c:585
    #10 0x5575fbe0366b in tulip_xmit_list_update hw/net/tulip.c:678
    #11 0x5575fbe04073 in tulip_write hw/net/tulip.c:783

Signed-off-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
2020-03-31 21:14:35 +08:00
..
fuzz Use &error_abort instead of separate assert() 2020-03-17 16:05:40 +01:00
libqos ppc patch queue 2020-03-17 2020-03-18 15:07:57 +00:00
ac97-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
acpi-utils.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
acpi-utils.h test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ahci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
arm-cpu-features.c target/arm/cpu: Add the kvm-no-adjvtime CPU property 2020-01-30 16:02:06 +00:00
bios-tables-test-allowed-diff.h test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
bios-tables-test.c bios-tables-test: default diff command 2020-02-25 08:23:18 -05:00
boot-order-test.c boot-order-test: fix memleaks in boot-order-test 2020-02-04 09:00:57 +01:00
boot-sector.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
boot-sector.h test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
boot-serial-test.c tests: Silence various warnings with pseries 2020-02-03 11:33:11 +11:00
cdrom-test.c hw/ppc/prep: Remove the deprecated "prep" machine and the OpenHackware BIOS 2020-02-02 14:07:57 +11:00
cpu-plug-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
dbus-vmstate1.xml test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
dbus-vmstate-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
device-introspect-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
device-plug-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
display-vga-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
drive_del-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ds1338-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
e1000-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
e1000e-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
eepro100-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
endianness-test.c hw/ppc/prep: Remove the deprecated "prep" machine and the OpenHackware BIOS 2020-02-02 14:07:57 +11:00
es1370-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
fdc-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
fw_cfg-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
hd-geo-test.c hd-geo-test: Clean up use of buf[] in create_qcow2_with_mbr() 2020-03-17 10:23:14 -04:00
hexloader-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
i440fx-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
i82801b11-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ide-test.c tests/ide-test: Create a single unit-test covering more PRDT cases 2020-01-27 17:07:31 -05:00
intel-hda-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ioh3420-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ipmi-bt-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ipmi-kcs-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ipoctal232-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ivshmem-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
libqtest-single.h test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
libqtest.c libqtest: make bufwrite rely on the TransportOps 2020-02-22 08:26:47 +00:00
libqtest.h libqtest: make bufwrite rely on the TransportOps 2020-02-22 08:26:47 +00:00
m25p80-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
m48t59-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
machine-none-test.c Add rx-softmmu 2020-03-19 17:58:05 +01:00
Makefile.include qtest: add tulip test case 2020-03-31 21:14:35 +08:00
megasas-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
microbit-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
migration-helpers.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
migration-helpers.h test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
migration-test.c tests/migration: Reduce autoconverge initial bandwidth 2020-03-25 12:31:38 +00:00
modules-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
ne2000-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
numa-test.c tests:numa-test: use explicit memdev to specify node RAM 2020-02-19 16:50:02 +00:00
nvme-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
pca9552-test.c libqos: rename i2c_send and i2c_recv 2020-02-22 08:26:48 +00:00
pci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
pcnet-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
pflash-cfi02-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
pnv-xscom-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
prom-env-test.c tests: Silence various warnings with pseries 2020-02-03 11:33:11 +11:00
pvpanic-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
pxe-test.c tests: Silence various warnings with pseries 2020-02-03 11:33:11 +11:00
q35-test.c tests: q35: MCH: add default SMBASE SMRAM lock test 2020-01-22 00:23:07 -05:00
qmp-cmd-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
qmp-test.c qapi: Split control.json off misc.json 2020-02-17 13:53:47 +01:00
qom-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
qos-test.c libqos: move useful qos-test funcs to qos_external 2020-02-22 08:26:48 +00:00
rtas-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
rtc-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
rtl8139-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
sdhci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
spapr-phb-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
tco-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
test-arm-mptimer.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
test-filter-mirror.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
test-filter-redirector.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
test-hmp.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
test-netfilter.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
test-x86-cpuid-compat.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
tmp105-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
tpm-crb-swtpm-test.c test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-crb-test.c test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-emu.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
tpm-emu.h test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
tpm-tests.c test: tpm: pass optional machine options to swtpm test functions 2020-03-05 12:18:33 -05:00
tpm-tests.h test: tpm: pass optional machine options to swtpm test functions 2020-03-05 12:18:33 -05:00
tpm-tis-device-swtpm-test.c test: tpm-tis: Add Sysbus TPM-TIS device test 2020-03-05 12:18:47 -05:00
tpm-tis-device-test.c test: tpm-tis: Add Sysbus TPM-TIS device test 2020-03-05 12:18:47 -05:00
tpm-tis-swtpm-test.c test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-tis-test.c test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-tis-util.c test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-tis-util.h test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-util.c test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tpm-util.h test: tpm-tis: Get prepared to share tests between ISA and sysbus devices 2020-03-05 12:18:39 -05:00
tulip-test.c qtest: add tulip test case 2020-03-31 21:14:35 +08:00
usb-hcd-ehci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
usb-hcd-ohci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
usb-hcd-uhci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
usb-hcd-xhci-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
vhost-user-test.c tests/qtest/vhost-user-test: Fix memory leaks 2020-01-16 17:01:25 +01:00
virtio-9p-test.c tests/virtio-9p: added readdir test 2020-02-08 09:29:04 +01:00
virtio-blk-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
virtio-ccw-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
virtio-net-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
virtio-rng-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
virtio-scsi-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
virtio-serial-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
virtio-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
vmgenid-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
vmxnet3-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00
wdt_ib700-test.c test: Move qtests to a separate directory 2020-01-12 11:42:41 +01:00