Re: [PULL 1/1] hw/ufs: Fix buffer overflow bug

[Thomas Huth]

On 30/04/2024 02.17, Richard Henderson wrote:
> On 4/28/24 20:25, Jeuk Kim wrote:
> > From: Jeuk Kim <jeuk20.kim@samsung.com>
> >
> > It fixes the buffer overflow vulnerability in the ufs device.
> > The bug was detected by sanitizers.
> >
> > You can reproduce it by:
> >
> > cat << EOF |\
> > qemu-system-x86_64 \
> > -display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \
> > file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \
> > ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio
> > outl 0xcf8 0x80000810
> > outl 0xcfc 0xe0000000
> > outl 0xcf8 0x80000804
> > outw 0xcfc 0x06
> > write 0xe0000058 0x1 0xa7
> > write 0xa 0x1 0x50
> > EOF
> >
> > Resolves: #2299
> > Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests")
> > Reported-by: Zheyu Ma <zheyuma97@gmail.com>
> > Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
> > ---
> >   hw/ufs/ufs.c | 8 ++++++++
> >   1 file changed, 8 insertions(+)
>
> For some reason this appears to cause failures on s390x:
>
>    https://gitlab.com/qemu-project/qemu/-/jobs/6740883283
>
> All of the timeouts are new with this patch alone applied,
> and go away when reverted.
>
> I wasn't aware that these tests used ufs, but I have no
> other explanation...

I don't know for sure, but the test failure might instead be related to the 
problem that gets fixed by 
https://lore.kernel.org/qemu-devel/20240429075908.36302-1-thuth@redhat.com/ 
... I'm preparing a pull request for that fix right now, so maybe you could 
try this ufs pull request afterwards again to see whether the problem is fixed?

 Thomas