tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
Without the previous commit, when running 'make check-qtest-i386'
with QEMU configured with '--enable-sanitizers' we get:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
==287878==The signal is caused by a WRITE memory access.
==287878==Hint: address points to the zero page.
#0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
#1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
#2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
#3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
#4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
#5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9
Add the reproducer for CVE-2021-20196.
Suggested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20211124161536.631563-4-philmd@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
This commit is contained in:
Philippe Mathieu-Daudé
John Snow
parent
1ab95af033
commit
cc20926e9b
|
|
@ -32,6 +32,9 @@
|
|||
/* TODO actually test the results and get rid of this */
|
||||
#define qmp_discard_response(...) qobject_unref(qmp(__VA_ARGS__))
|
||||
|
||||
#define DRIVE_FLOPPY_BLANK \
|
||||
"-drive if=floppy,file=null-co://,file.read-zeroes=on,format=raw,size=1440k"
|
||||
|
||||
#define TEST_IMAGE_SIZE 1440 * 1024
|
||||
|
||||
#define FLOPPY_BASE 0x3f0
|
||||
|
|
@ -546,6 +549,40 @@ static void fuzz_registers(void)
|
|||
}
|
||||
}
|
||||
|
||||
static bool qtest_check_clang_sanitizer(void)
|
||||
{
|
||||
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
|
||||
return true;
|
||||
#else
|
||||
g_test_skip("QEMU not configured using --enable-sanitizers");
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
static void test_cve_2021_20196(void)
|
||||
{
|
||||
QTestState *s;
|
||||
|
||||
if (!qtest_check_clang_sanitizer()) {
|
||||
return;
|
||||
}
|
||||
|
||||
s = qtest_initf("-nographic -m 32M -nodefaults " DRIVE_FLOPPY_BLANK);
|
||||
|
||||
qtest_outw(s, 0x3f4, 0x0500);
|
||||
qtest_outb(s, 0x3f5, 0x00);
|
||||
qtest_outb(s, 0x3f5, 0x00);
|
||||
qtest_outw(s, 0x3f4, 0x0000);
|
||||
qtest_outb(s, 0x3f5, 0x00);
|
||||
qtest_outw(s, 0x3f1, 0x0400);
|
||||
qtest_outw(s, 0x3f4, 0x0000);
|
||||
qtest_outw(s, 0x3f4, 0x0000);
|
||||
qtest_outb(s, 0x3f5, 0x00);
|
||||
qtest_outb(s, 0x3f5, 0x01);
|
||||
qtest_outw(s, 0x3f1, 0x0500);
|
||||
qtest_outb(s, 0x3f5, 0x00);
|
||||
qtest_quit(s);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int fd;
|
||||
|
|
@ -576,6 +613,7 @@ int main(int argc, char **argv)
|
|||
qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18);
|
||||
qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
|
||||
qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
|
||||
qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
|
||||
|
||||
ret = g_test_run();
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue