From fb7f4c55613c9dc376c83e82ded63d5b89cf9336 Mon Sep 17 00:00:00 2001 
From: Pierrick Bouvier Date: Tue, 3 Dec 2024 20:55:11 -0800 Subject: [PATCH] fix ubsan vvfat Command: /home/user/.work/qemu/build/qemu-system-aarch64 -display none -vga none -chardev socket,i d=mon,fd=5 -mon chardev=mon,mode=control -machine sbsa-ref -chardev socket,id=console,fd=10 -serial charde v:console -cpu max,x-rme=on,pauth-impdef=on -m 2G -M sbsa-ref -drive file=/home/user/.work/qemu/build/test s/functional/aarch64/test_aarch64_rme_sbsaref.Aarch64RMESbsaRefMachine.test_aarch64_rme_sbsaref/scratch/rm e-stack-op-tee-4.2.0-cca-v4-sbsa/images/SBSA_FLASH0.fd,format=raw,if=pflash -drive file=/home/user/.work/q emu/build/tests/functional/aarch64/test_aarch64_rme_sbsaref.Aarch64RMESbsaRefMachine.test_aarch64_rme_sbsa ref/scratch/rme-stack-op-tee-4.2.0-cca-v4-sbsa/images/SBSA_FLASH1.fd,format=raw,if=pflash -drive file=fat: rw:/home/user/.work/qemu/build/tests/functional/aarch64/test_aarch64_rme_sbsaref.Aarch64RMESbsaRefMachine. test_aarch64_rme_sbsaref/scratch/rme-stack-op-tee-4.2.0-cca-v4-sbsa/images/disks/virtual,format=raw -drive format=raw,if=none,file=/home/user/.work/qemu/build/tests/functional/aarch64/test_aarch64_rme_sbsaref.Aar ch64RMESbsaRefMachine.test_aarch64_rme_sbsaref/scratch/rme-stack-op-tee-4.2.0-cca-v4-sbsa/out-br/images/ro otfs.ext4,id=hd0 -device virtio-blk-pci,drive=hd0 -device virtio-9p-pci,fsdev=shr0,mount_tag=shr0 -fsdev l ocal,security_model=none,path=/home/user/.work/qemu/build/tests/functional/aarch64/test_aarch64_rme_sbsare f.Aarch64RMESbsaRefMachine.test_aarch64_rme_sbsaref/scratch/rme-stack-op-tee-4.2.0-cca-v4-sbsa,id=shr0 -de vice virtio-net-pci,netdev=net0 -netdev user,id=net0 Output: ==2622567==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may p roduce false positives in some cases! 
../block/vvfat.c:433:24: runtime error: index 14 out of bounds for type 'uint8_t [11]' #0 0x56151a66b93a in create_long_filename ../block/vvfat.c:433 #1 0x56151a66f3d7 in create_short_and_long_name ../block/vvfat.c:725 #2 0x56151a670403 in read_directory ../block/vvfat.c:804 #3 0x56151a674432 in init_directories ../block/vvfat.c:964 #4 0x56151a67867b in vvfat_open ../block/vvfat.c:1258 #5 0x56151a3b8e19 in bdrv_open_driver ../block.c:1660 #6 0x56151a3bb666 in bdrv_open_common ../block.c:1985 #7 0x56151a3cadb9 in bdrv_open_inherit ../block.c:4153 #8 0x56151a3c8850 in bdrv_open_child_bs ../block.c:3731 #9 0x56151a3ca832 in bdrv_open_inherit ../block.c:4098 #10 0x56151a3cbe40 in bdrv_open ../block.c:4248 #11 0x56151a46344f in blk_new_open ../block/block-backend.c:457 #12 0x56151a388bd9 in blockdev_init ../blockdev.c:612 #13 0x56151a38ab2d in drive_new ../blockdev.c:1006 #14 0x5615190fca41 in drive_init_func ../system/vl.c:649 #15 0x56151aa796dd in qemu_opts_foreach ../util/qemu-option.c:1135 #16 0x5615190fd2b6 in configure_blockdev ../system/vl.c:708 #17 0x56151910a307 in qemu_create_early_backends ../system/vl.c:2004 #18 0x561519113fcf in qemu_init ../system/vl.c:3685 #19 0x56151a7e438e in main ../system/main.c:47 #20 0x7f72d1a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #21 0x7f72d1a46304 in __libc_start_main_impl ../csu/libc-start.c:360 #22 0x561517e98510 in _start (/home/user/.work/qemu/build/qemu-system-aarch64+0x3b9b510) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/vvfat.c:433:24 in
---
 block/vvfat.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/vvfat.c b/block/vvfat.c
index 8ffe8b3b9bfaf..a7040248cdead 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -242,7 +242,7 @@ typedef struct mbr_t {
 } QEMU_PACKED mbr_t;
 
 typedef struct direntry_t {
- uint8_t name[8 + 3];
+ uint8_t name[8 + 3]; /* file name + extension */
 uint8_t attributes;
 uint8_t reserved[2];
 uint16_t ctime;
@@ -426,6 +426,7 @@ static direntry_t *create_long_filename(BDRVVVFATState *s, const char *filename)
 else if(offset<22) offset=14+offset-10;
 else offset=28+offset-22;
 entry=array_get(&(s->directory),s->directory.next-1-(i/26));
+ offset = MIN(offset, sizeof(entry->name) - 1);
 if (i >= 2 * length + 2) {
 entry->name[offset] = 0xff;
 } else if (i % 2 == 0) {
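Review bot: The added `offset = MIN(offset, sizeof(entry->name) - 1);` silences the sanitizer by corrupting the generated long file name rather than by fixing the indexing: the branches just above it deliberately produce offsets of 1..10, 14..25 and 28..31 (the UCS-2 character slots of a FAT long-name entry, which span the whole directory entry), so after the clamp every character past the fifth of each chunk, and the 0xff padding, is written to `name[10]` on top of each other, while the attributes/reserved/ctime and later bytes the LFN layout stores them in are never written. UBSan is objecting to the type of the access (indexing the 11-byte `name` array past its end), not to writing outside the entry — the largest offset the three branches can produce is 31, which fits a 32-byte packed entry — so the fix belongs on the access, not on the value: address the entry as raw bytes and index those, and drop the clamp. The two `entry->name[offset]` stores in the `else if`/`else` branches fall outside this hunk (create_long_filename continues past it) and need the same rewrite. I am assuming direntry_t is the packed 32-byte FAT directory entry, as `mbr_t` above it is; the hunk only shows its first fields, so confirm the 32-byte size before relying on the 31 bound.
```c
	entry=array_get(&(s->directory),s->directory.next-1-(i/26));
	/* A long-name entry uses all 32 bytes of the directory entry, so
	 * address it as raw bytes instead of via the 11-byte short-name
	 * field; the offsets computed above already stay below 32. */
	uint8_t *raw = (uint8_t *)entry;
	if (i >= 2 * length + 2) {
	    raw[offset] = 0xff;
	} else if (i % 2 == 0) {
	    /* … unchanged except entry->name[offset] becomes raw[offset] in both remaining branches … */
```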