From patchwork Thu Nov 18 11:57:32 2021
X-Patchwork-Id: 12626821
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH-for-6.2 1/2] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
Date: Thu, 18 Nov 2021 12:57:32 +0100
Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
In-Reply-To: <20211118115733.4038610-1-philmd@redhat.com>
References: <20211118115733.4038610-1-philmd@redhat.com>
Cc: Kevin Wolf, Laurent Vivier, Thomas Huth, Prasad J Pandit, qemu-block@nongnu.org, Darren Kenny, Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Hanna Reitz, Hervé Poussineau, Paolo Bonzini, John Snow

Per the 82078 datasheet, if the end-of-track (EOT byte in the FIFO)
is more than the number of sectors per side, the command is terminated
unsuccessfully:

* 5.2.5 DATA TRANSFER TERMINATION

  The 82078 supports terminal count explicitly through the TC pin and
  implicitly through the underrun/overrun and end-of-track (EOT)
  functions. For full sector transfers, the EOT parameter can define
  the last sector to be transferred in a single or multisector transfer.
  If the last sector to be transferred is a partial sector, the host can
  stop transferring the data in mid-sector, and the 82078 will continue
  to complete the sector as if a hardware TC was received. The only
  difference between these implicit functions and TC is that they return
  "abnormal termination" result status. Such status indications can be
  ignored if they were expected.

* 6.1.3 READ TRACK

  This command terminates when the EOT specified number of sectors have
  been read. If the 82078 does not find an ID Address Mark on the
  diskette after the second occurrence of a pulse on the INDX# pin, then
  it sets the IC code in Status Register 0 to "01" (Abnormal
  termination), sets the MA bit in Status Register 1 to "1", and
  terminates the command.

* 6.1.6 VERIFY

  Refer to Table 6-6 and Table 6-7 for information concerning the values
  of MT and EC versus SC and EOT value.

* Table 6-6. Result Phase Table

* Table 6-7. Verify Command Result Phase Table

Fix by aborting the transfer when EOT > # Sectors Per Side.

Cc: qemu-stable@nongnu.org
Cc: Hervé Poussineau
Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
Reported-by: Alexander Bulekov
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Hanna Reitz
---
 hw/block/fdc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index fa933cd3263..d21b717b7d6 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1512,6 +1512,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) int tmp; fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); tmp = (fdctrl->fifo[6] - ks + 1); + if (tmp < 0) { + FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); + fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); + fdctrl->fifo[3] = kt; + fdctrl->fifo[4] = kh; + fdctrl->fifo[5] = ks; + return; + } if (fdctrl->fifo[0] & 0x80) tmp += fdctrl->fifo[6]; fdctrl->data_len *= tmp;
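Review bot: the condition added at `if (tmp < 0)` rejects EOT + 1 < ks (an end sector that lies before the current one), which is not the "EOT > # Sectors Per Side" bound the commit message and the quoted datasheet sections describe; either reword the message to say what the check actually does, or add the upper bound (comparing `fdctrl->fifo[6]` against the drive's sectors per side) next to it, since an oversized EOT still passes this guard and is multiplied into `fdctrl->data_len`. A one-line comment would also help on the boundary case: `tmp == 0` passes the check and, without the MT bit, leaves `fdctrl->data_len` at zero.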
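As an added illustration (not QEMU's code and not part of the patch), this C model replays the transfer-length arithmetic visible in the hunk above, using the command bytes written by the qtest in patch 2/2, once without and once with the new guard, and separately checks the datasheet bound the commit message cites. Assumptions: the start sector ks is the command's sector byte (fifo[4]), and the first qtest word carries the VERIFY opcode 0x16 followed by eight parameter bytes.

```c
/* Illustrative model of fdctrl_start_transfer()'s length arithmetic
 * (not QEMU code): sector size code, EOT and the MT bit as in the hunk. */
#include <stdbool.h>
#include <stdio.h>

#define FIFO_BUF_LEN 512   /* FIFO buffer size: the 512-byte region in the ASan report */
#define MT_BIT       0x80  /* multi-track bit of the command byte fifo[0] */

struct plan {
    int  data_len;   /* bytes the controller intends to move */
    bool aborted;    /* guard fired: abnormal termination, SR1 MA */
};

/* fifo[] holds the command bytes exactly as the guest wrote them.
 * Assumption: the start sector ks is the sector byte fifo[4]. */
static struct plan plan_transfer(const unsigned char fifo[9], bool guarded)
{
    struct plan p = { 0, false };
    int ks = fifo[4];
    int tmp;
    /* size code is clamped at 7, so at most 16 KiB per sector */
    p.data_len = 128 << (fifo[5] > 7 ? 7 : fifo[5]);
    /* sectors from ks up to and including EOT (fifo[6]) */
    tmp = fifo[6] - ks + 1;
    if (guarded && tmp < 0) {          /* the check the patch adds */
        p.aborted = true;
        return p;
    }
    if (fifo[0] & MT_BIT) {            /* multi-track: add the other side */
        tmp += fifo[6];
    }
    p.data_len *= tmp;                 /* negative tmp gives a negative length */
    return p;
}

/* The bound the commit message cites from the datasheet: EOT must not
 * exceed the sectors per side. The tmp < 0 guard alone does not enforce it. */
static bool eot_exceeds_track(const unsigned char fifo[9], int sectors_per_side)
{
    return fifo[6] > sectors_per_side;
}

int main(void)
{
    /* Constructed from the qtest in patch 2/2: opcode 0x16 (VERIFY, assumed),
     * start sector 2, 512-byte sectors, EOT 0. */
    const unsigned char cve_cmd[9] = { 0x16, 0, 0, 0, 2, 2, 0, 0, 0 };
    struct plan bad = plan_transfer(cve_cmd, false);
    struct plan ok  = plan_transfer(cve_cmd, true);
    printf("unguarded: data_len=%d (FIFO buffer is %d bytes)\n", bad.data_len, FIFO_BUF_LEN);
    printf("guarded:   aborted=%d\n", ok.aborted);
    return 0;
}
```

With the reproducer's bytes the unguarded path computes a length of -512, which no comparison against the 512-byte FIFO buffer can bound; the guard turns the same command into an abnormal termination instead.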
From patchwork Thu Nov 18 11:57:33 2021
X-Patchwork-Id: 12626823
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PATCH-for-6.2 2/2] tests/qtest/fdc-test: Add a regression test for CVE-2021-3507
Date: Thu, 18 Nov 2021 12:57:33 +0100
Message-Id: <20211118115733.4038610-3-philmd@redhat.com>
In-Reply-To: <20211118115733.4038610-1-philmd@redhat.com>
References: <20211118115733.4038610-1-philmd@redhat.com>
Cc: Kevin Wolf, Laurent Vivier, Thomas Huth, Prasad J Pandit, qemu-block@nongnu.org, Darren Kenny, Philippe Mathieu-Daudé, Alexander Bulekov, Hanna Reitz, Hervé Poussineau, Paolo Bonzini, John Snow

Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339

Without the previous commit, when running 'make check-qtest-i386' with
QEMU configured with '--enable-sanitizers' we get:

  ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
  READ of size 786432 at 0x619000062a00 thread T0
      #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
      #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
      #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
      #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
      #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
      #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
      #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
      #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
      #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
      #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
      #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
      #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
      #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17

  0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
  allocated by thread T0 here:
      #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
      #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
      #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
      #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
      #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
      #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13

  SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
  ==4028352==ABORTING

Reported-by: Alexander Bulekov
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Alexander Bulekov
---
 tests/qtest/fdc-test.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
index 26b69f7c5cd..f164d972d10 100644
--- a/tests/qtest/fdc-test.c
+++ b/tests/qtest/fdc-test.c
@@ -546,6 +546,25 @@ static void fuzz_registers(void) } } +static void test_cve_2021_3507(void) +{ + QTestState *s; + + s = qtest_initf("-nographic -m 32M -nodefaults " + "-drive file=%s,format=raw,if=floppy", test_image); + qtest_outl(s, 0x9, 0x0a0206); + qtest_outw(s, 0x3f4, 0x1600); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0200); + qtest_outw(s, 0x3f4, 0x0200); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_outw(s, 0x3f4, 0x0000); + qtest_quit(s); +} + int main(int argc, char **argv) { int fd; @@ -576,6 +595,7 @@ int main(int argc, char **argv) qtest_add_func("/fdc/read_no_dma_18", test_read_no_dma_18); qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); qtest_add_func("/fdc/fuzz-registers", fuzz_registers); + qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); ret = g_test_run();
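Review bot: test_cve_2021_3507() passes simply by not crashing and never checks the guest-visible outcome, so in a build without sanitizers a regression would go unnoticed. The run of `qtest_outw(s, 0x3f4, ...)` writes also carries no comment saying which command and parameter bytes it programs, leaving a future reader unable to tell which value is the EOT that triggers the bug. Suggest a short comment per write and, after the last one, reading back the result phase and asserting the abnormal-termination status (FD_SR0_ABNTERM, FD_SR1_MA) that patch 1/2 now reports.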
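Review bot: the new test is registered as "/fdc/fuzz/cve_2021_3507" while the existing fuzz-derived case on the line above uses "/fdc/fuzz-registers"; pick one naming convention for the two so they group under a common path prefix when tests are selected by path.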