Re: [PATCH 131/147] meson: link emulators without Makefile.target
From: Philippe Mathieu-Daudé
Subject: Re: [PATCH 131/147] meson: link emulators without Makefile.target
Date: Tue, 11 Aug 2020 18:16:35 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
On 8/11/20 4:59 PM, Alexander Bulekov wrote:
> Hi Paolo,
> I looked through the code changes related to fuzzing and tested the
> following builds:
> - qemu-fuzz-i386
> - qemu-fuzz-arm
> - qemu-system-i386 (with --enable-fuzzing)
> - configure --enable-fuzzing with GCC (should fail)
> - ./scripts/oss-fuzz/build.sh (in my local environment)
> - ./scripts/oss-fuzz/build.sh (in the oss-fuzz Docker)
> I examined the symbols to ensure that the fuzzer linker-script is doing what it
> needs to be doing. The sizes of the binaries have roughly stayed the same, and
> there are no major differences between the symbols.
> Only the oss-fuzz Docker build failed with a complaint about the linker-script,
> but it fails for the current master, too! I think the problem might be related
> to the fact that the docker uses a bleeding edge clang-12 compiler. I'll have
> to look into it more.
> I ran the existing fuzzers for a couple thousand runs. It looks like there is
> some problem with the virtio-scsi arguments, but it's not specific to
> fuzzing. It will probably be caught once this runs through CI:
>
> ./qemu-system-i386 -display none -machine accel=qtest -m 64 -M pc \
>   -drive id=drv0,if=none,file=null-co://,file.read-zeroes=on,format=raw \
>   -device virtio-scsi-pci,id=vs0,addr=04.0 \
>   -device scsi-hd,bus=vs0.0,drive=drv0 \
>   -drive file=blkdebug::null-co://,file.image.read-zeroes=on,if=none,id=dr1,format=raw,file.align=4k \
>   -device scsi-hd,drive=dr1,lun=0,scsi-id=1 -qtest /dev/null -qtest-log /dev/null
>
> Immediately crashes with:
> ../block.c:442:10: runtime error: index 0 out of bounds for type 'const char *[0]'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block.c:442:10 in
> ../block.c:442:10: runtime error: load of address 0x5581a17161e0 with insufficient space for an object of type 'const char *'
> 0x5581a17161e0: note: pointer points here
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00
> ^
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block.c:442:10 in
> =================================================================
> ==26813==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5581a17161e0 at pc 0x55819e05f1bd bp 0x7ffed60bdcc0 sp 0x7ffed60bdcb8
> READ of size 8 at 0x5581a17161e0 thread T0
>     #0 0x55819e05f1bc in bdrv_format_is_whitelisted /tmp/qemu/build/../block.c:442:10
>     #1 0x55819e05f1bc in bdrv_is_whitelisted /tmp/qemu/build/../block.c:463:12
>     #2 0x55819e075e5f in bdrv_open_common /tmp/qemu/build/../block.c:1680:32
>     #3 0x55819e075e5f in bdrv_open_inherit /tmp/qemu/build/../block.c:3420:11
>     #4 0x55819e07d1db in bdrv_open_child_bs /tmp/qemu/build/../block.c:3053:10
>     #5 0x55819e074b61 in bdrv_open_inherit /tmp/qemu/build/../block.c:3367:19
>     #6 0x55819e07dac4 in bdrv_open /tmp/qemu/build/../block.c:3513:12
>     #7 0x55819e2d78c5 in blk_new_open /tmp/qemu/build/../block/block-backend.c:421:10
>     #8 0x55819d4242ee in blockdev_init /tmp/qemu/build/../blockdev.c:617:15
>     #9 0x55819d4242ee in drive_new /tmp/qemu/build/../blockdev.c:1005:11
>     #10 0x55819da17085 in drive_init_func /tmp/qemu/build/../softmmu/vl.c:1000:12
>     #11 0x55819e61bd4c in qemu_opts_foreach /tmp/qemu/build/../util/qemu-option.c:1172:14
>     #12 0x55819da0aab2 in configure_blockdev /tmp/qemu/build/../softmmu/vl.c:1067:9
>     #13 0x55819da0aab2 in qemu_init /tmp/qemu/build/../softmmu/vl.c:4145:5
>     #14 0x55819c72a5b8 in main /tmp/qemu/build/../softmmu/main.c:48:5
>     #15 0x7faba3b86e0a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26e0a)
>     #16 0x55819c680659 in _start (/tmp/qemu/build/qemu-system-i386+0x254d659)
>
> 0x5581a17161e0 is located 32 bytes to the left of global variable 'whitelist_ro' defined in '../block.c:437:24' (0x5581a1716200) of size 0
>   'whitelist_ro' is ascii string ''
> 0x5581a17161e0 is located 0 bytes to the right of global variable 'whitelist_rw' defined in '../block.c:434:24' (0x5581a17161e0) of size 0
>   'whitelist_rw' is ascii string ''
> SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/qemu/build/../block.c:442:10 in bdrv_format_is_whitelisted
>
> This doesn't happen on master.
The problem is in "[PATCH 139/147] meson: replace create-config with meson configure_file".
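Added example, not code from this thread or from QEMU: the sanitizer report above shows both whitelist globals ending up with size 0 and the crash being the read of element 0 in bdrv_format_is_whitelisted, which is what happens when a generated config macro stops emitting the NULL terminator of a sentinel-terminated table. The block below shows a length-bounded lookup that treats an empty table as "no whitelist" without ever touching element 0; the macro names, table contents, function names and the rw/ro semantics are this example's own constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for generated build-config macros (hypothetical names).
 * A sentinel-terminated table ("raw", "qcow2", NULL) breaks as soon as the
 * generator drops the NULL: the array becomes zero-length and reading
 * whitelist[0] is the global-buffer-overflow shown in the report above. */
#define CONFIG_BDRV_RW_WHITELIST "raw", "qcow2",
#define CONFIG_BDRV_RO_WHITELIST "vmdk",

/* Element count derived from the array type itself: an empty expansion
 * yields 0 here, never an out-of-bounds read. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

static const char *const whitelist_rw[] = { CONFIG_BDRV_RW_WHITELIST };
static const char *const whitelist_ro[] = { CONFIG_BDRV_RO_WHITELIST };

/* Bounded linear search; safe for n == 0 because the body never runs. */
static bool in_list(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(list[i], name) == 0) {
            return true;
        }
    }
    return false;
}

/* Assumed policy: rw-whitelisted formats may be opened either way,
 * ro-whitelisted formats only read-only, and no whitelist at all means
 * everything is allowed. Empty tables are handled by count, not by sentinel. */
bool format_is_whitelisted(const char *const *rw, size_t nrw,
                           const char *const *ro, size_t nro,
                           const char *format_name, bool read_only)
{
    if (nrw == 0 && nro == 0) {
        return true;
    }
    if (in_list(rw, nrw, format_name)) {
        return true;
    }
    return read_only && in_list(ro, nro, format_name);
}

/* Convenience wrapper over the compiled-in tables (hypothetical name). */
bool bdrv_format_ok(const char *format_name, bool read_only)
{
    return format_is_whitelisted(whitelist_rw, ARRAY_LEN(whitelist_rw),
                                 whitelist_ro, ARRAY_LEN(whitelist_ro),
                                 format_name, read_only);
}
```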