Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the previous commit, we get:
$ make check-qtest-i386
...
Running test qtest-i386/fuzz-sdcard-test
==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500002a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
READ of size 1 at 0x61500002a080 thread T0
#0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
#1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
#2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
#3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
#4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
#5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
#6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
#7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
#8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
#9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
#10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
#11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
#12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
#13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
#14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
#15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
#16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
#17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
#18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
#19 0x564c72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
#20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
#21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
#22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
#23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9
0x61500002a080 is located 0 bytes to the right of 512-byte region [0x615000029e80,0x61500002a080)
allocated by thread T0 here:
#0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
#1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
#2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in sdhci_read_dataport
Shadow bytes around the buggy address:
0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Heap left redzone: fa
Freed heap region: fd
==447470==ABORTING
Broken pipe
ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211215205656.488940-4-philmd@redhat.com>
[thuth: Replaced "-m 4G" with "-m 512M"]
Signed-off-by: Thomas Huth <thuth@redhat.com>
27801168ec