diff options
Diffstat (limited to 'results/classifier/105/other/1878651')
| -rw-r--r-- | results/classifier/105/other/1878651 | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/results/classifier/105/other/1878651 b/results/classifier/105/other/1878651 new file mode 100644 index 00000000..1d2a6d7d --- /dev/null +++ b/results/classifier/105/other/1878651 @@ -0,0 +1,124 @@ +other: 0.852 +KVM: 0.831 +vnc: 0.804 +instruction: 0.778 +graphic: 0.776 +mistranslation: 0.756 +device: 0.736 +assembly: 0.733 +semantic: 0.703 +socket: 0.686 +boot: 0.680 +network: 0.665 + +Assertion failure in e1000e_write_to_rx_buffers + +Hello, +While fuzzing, I found an input which triggers an assertion failure in e1000e_write_to_rx_buffers: +/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424: void e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, const char *, dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed. +#0 0x00007ffff686d761 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50 +#1 0x00007ffff685755b in __GI_abort () at abort.c:79 +#2 0x00007ffff685742f in __assert_fail_base (fmt=0x7ffff69bdb48 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555557f691e0 <str> "bastate->cur_idx < MAX_PS_BUFFERS", file=0x555557f5a080 <str> "/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, function=<optimized out>) at assert.c:92 +#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557f691e0 <str> "bastate->cur_idx < MAX_PS_BUFFERS", file=0x555557f5a080 <str> "/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, function=0x555557f69240 <__PRETTY_FUNCTION__.e1000e_write_to_rx_buffers> "void e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, const char *, dma_addr_t)") at assert.c:101 +#4 0x0000555556f8fbcd in e1000e_write_to_rx_buffers (core=0x7fffee07c4e0, ba=0x7fffffff8860, bastate=0x7fffffff88a0, data=0x7fffe61b8021 "", data_len=0x2000) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424 +#5 0x0000555556f82f14 in e1000e_write_packet_to_guest (core=0x7fffee07c4e0, pkt=0x61100004b900, rxr=0x7fffffff8d10, rss_info=0x7fffffff8d30) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1582 +#6 0x0000555556f80960 in e1000e_receive_iov (core=0x7fffee07c4e0, iov=0x61900004e780, iovcnt=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709 +#7 0x0000555556f7d457 in e1000e_nc_receive_iov (nc=0x614000007460, iov=0x61900004e780, iovcnt=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e.c:213 +#8 0x0000555556f64738 in net_tx_pkt_sendv (pkt=0x631000028800, nc=0x614000007460, iov=0x61900004e780, iov_cnt=0x4) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544 +#9 0x0000555556f63f0e in net_tx_pkt_send (pkt=0x631000028800, nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620 +#10 0x0000555556f650e5 in net_tx_pkt_send_loopback (pkt=0x631000028800, nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633 +#11 0x0000555556fb026a in e1000e_tx_pkt_send (core=0x7fffee07c4e0, tx=0x7fffee09c748, queue_index=0x0) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:664 +#12 0x0000555556faebf6 in e1000e_process_tx_desc (core=0x7fffee07c4e0, tx=0x7fffee09c748, dp=0x7fffffff9520, queue_index=0x0) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743 +#13 0x0000555556fadfa8 in e1000e_start_xmit (core=0x7fffee07c4e0, txr=0x7fffffff9720) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934 +#14 0x0000555556fa308b in e1000e_set_tdt (core=0x7fffee07c4e0, index=0xe06, val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451 +#15 0x0000555556f84d7e in e1000e_core_write (core=0x7fffee07c4e0, addr=0x438, val=0x563, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261 +#16 0x0000555556f79497 in e1000e_mmio_write (opaque=0x7fffee079800, addr=0x438, val=0x563, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e.c:109 +#17 0x00005555564938b5 in memory_region_write_accessor (mr=0x7fffee07c110, addr=0x438, value=0x7fffffff9d90, size=0x4, shift=0x0, mask=0xffffffff, attrs=...) at /home/alxndr/Development/qemu/memory.c:483 +#18 0x000055555649328a in access_with_adjusted_size (addr=0x438, value=0x7fffffff9d90, size=0x2, access_size_min=0x4, access_size_max=0x4, access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x7fffee07c110, attrs=...) at /home/alxndr/Development/qemu/memory.c:544 +#19 0x0000555556491df6 in memory_region_dispatch_write (mr=0x7fffee07c110, addr=0x438, data=0x563, op=MO_16, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476 +#20 0x00005555562cbbf4 in flatview_write_continue (fv=0x606000037820, addr=0xe1020438, attrs=..., ptr=0x61900009ba80, len=0x2, addr1=0x438, l=0x2, mr=0x7fffee07c110) at /home/alxndr/Development/qemu/exec.c:3137 +#21 0x00005555562bbad9 in flatview_write (fv=0x606000037820, addr=0xe1020023, attrs=..., buf=0x61900009ba80, len=0x417) at /home/alxndr/Development/qemu/exec.c:3177 +#22 0x00005555562bb609 in address_space_write (as=0x6080000027a0, addr=0xe1020023, attrs=..., buf=0x61900009ba80, len=0x417) at /home/alxndr/Development/qemu/exec.c:3268 +#23 0x0000555556488c07 in qtest_process_command (chr=0x555559691d00 <qtest_chr>, words=0x60400001e210) at /home/alxndr/Development/qemu/qtest.c:567 +#24 0x000055555647f187 in qtest_process_inbuf (chr=0x555559691d00 <qtest_chr>, inbuf=0x61900000f680) at /home/alxndr/Development/qemu/qtest.c:710 +#25 0x000055555647e8b4 in qtest_read (opaque=0x555559691d00 <qtest_chr>, buf=0x7fffffffc9e0 "e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305\n-M pc-q35-5.0 -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -nographic -nographic\n002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055\360U", size=0x1f2) at /home/alxndr/Development/qemu/qtest.c:722 +#26 0x00005555579c260c in qemu_chr_be_write_impl (s=0x60f000001d50, buf=0x7fffffffc9e0 "e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305\n-M pc-q35-5.0 -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -nographic -nographic\n002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055\360U", len=0x1f2) at /home/alxndr/Development/qemu/chardev/char.c:183 +#27 0x00005555579c275b in qemu_chr_be_write (s=0x60f000001d50, buf=0x7fffffffc9e0 "e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305\n-M pc-q35-5.0 -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -nographic -nographic\n002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055\360U", len=0x1f2) at /home/alxndr/Development/qemu/chardev/char.c:195 +#28 0x00005555579cb97a in fd_chr_read (chan=0x6080000026a0, cond=G_IO_IN, opaque=0x60f000001d50) at /home/alxndr/Development/qemu/chardev/char-fd.c:68 +#29 0x0000555557a530ea in qio_channel_fd_source_dispatch (source=0x60c00002b780, callback=0x5555579cb540 <fd_chr_read>, user_data=0x60f000001d50) at /home/alxndr/Development/qemu/io/channel-watch.c:84 +#30 0x00007ffff7ca8898 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 +#31 0x0000555557c10b85 in glib_pollfds_poll () at /home/alxndr/Development/qemu/util/main-loop.c:219 +#32 0x0000555557c0f57e in os_host_main_loop_wait (timeout=0x39c63cc8) at /home/alxndr/Development/qemu/util/main-loop.c:242 +#33 0x0000555557c0f177 in main_loop_wait (nonblocking=0x0) at /home/alxndr/Development/qemu/util/main-loop.c:518 +#34 0x000055555689fd1e in qemu_main_loop () at /home/alxndr/Development/qemu/softmmu/vl.c:1664 +#35 0x0000555557a6a29d in main (argc=0x13, argv=0x7fffffffe0e8, envp=0x7fffffffe188) at /home/alxndr/Development/qemu/softmmu/main.c:49 + + +I can reproduce this in qemu 5.0 using these qtest commands: + +cat << EOF | ./qemu-system-i386 \ +-qtest stdio -nographic -monitor none -serial none \ +-M pc-q35-5.0 +outl 0xcf8 0x80001010 +outl 0xcfc 0xe1020000 +outl 0xcf8 0x80001014 +outl 0xcf8 0x80001004 +outw 0xcfc 0x7 +outl 0xcf8 0x800010a2 +write 0xe1020618 0x14 0x0000d0ff2d05575f215e1b0000000000d0ff2d05 +write 0x27 0x800c 0x08004500feffffff00007b06f +write 0x1b8006 0x8001 0x2f0 +write 0xe1020023 0x417 0x0002e10000000006ffcf055e2d1b0002e10000000006ffd1055e2d1b0002e10000000006ffd3055e2d1b0002e10000000006ffd5055e2d1b0002e10000000006ffd7055e2d1b0002e10000000006ffd9055e2d1b0002e10000000006ffdb055e2d1b0002e10000000006ffdd055e2d1b0002e10000000006ffdf055e2d1b0002e10000000006ffe1055e2d1b0002e10000000006ffe3055e2d1b0002e10000000006ffe5055e2d1b0002e10000000006ffe7055e2d1b0002e10000000006ffe9055e2d1b0002e10000000006ffeb055e2d1b0002e10000000006ffed055e2d1b0002e10000000006ffef055e2d1b0002e10000000006fff1055e2d1b0002e10000000006fff3055e2d1b0002e10000000006fff5055e2d1b0002e10000000006fff7055e2d1b0002e10000000006fff9055e2d1b0002e10000000006fffb055e2d1b0002e10000000006fffd055e2d1b0002e10000000006ffff055e2d1b0002e10000000006ff01055e2d1b0002e10000000006ff03055e2d1b0002e10000000006ff05055e2d1b0002e10000000006ff07055e2d1b0002e10000000006ff09055e2d1b0002e10000000006ff0b055e2d1b0002e10000000006ff0d055e2d1b0002e10000000006ff0f055e2d1b0002e10000000006ff11055e2d1b0002e10000000006ff13055e2d1b0002e10000000006ff15055e2d1b0002e10000000006ff17055e2d1b0002e10000000006ff19055e2d1b0002e10000000006ff1b055e2d1b0002e10000000006ff1d055e2d1b0002e10000000006ff1f055e2d1b0002e10000000006ff21055e2d1b0002e10000000006ff23055e2d1b0002e10000000006ff25055e2d1b0002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305 +EOF + +Also attaching them to this report, in case they are formatted incorrectly: +./qemu-system-i386 \ +-qtest stdio -nographic -monitor none -serial none \ +-M pc-q35-5.0 < attachment + +Please let me know if I can provide any further info. +-Alex + + + +This was reported by OSS-Fuzz as Issue 27389 +Here is a minimized reproducer: + +=== Reproducer === +cat << EOF | ./qemu-system-i386 -display none\ + -machine accel=qtest -m 512M -machine q35 -nodefaults \ +-device e1000e,netdev=net0 -netdev user,id=net0 -qtest stdio +outl 0xcf8 0x80000811 +outl 0xcfc 0xc600 +outl 0xcf8 0x80000813 +outl 0xcfc 0x9d +outl 0xcf8 0x80000801 +outl 0xcfc 0x16000000 +write 0x9dc6500a 0x2 0x2080 +write 0x9dc6011a 0x2 0x1040 +write 0x9dc60120 0x1 0xa0 +write 0x9dc60102 0x2 0x4e04 +outl 0xcf8 0x80000811 +outl 0xcfc 0x5ac600 +write 0x5ac6042a 0x2 0x00ff +write 0x5ac60402 0x2 0x020 +write 0x10 0x1 0xff +write 0x11 0x1 0x01 +write 0x19 0x1 0xe7 +write 0x1b 0x1 0x11 +write 0x20b 0x1 0x08 +write 0x20d 0x1 0x15 +write 0xac7 0x1 0x10 +write 0x5ac6043a 0x1 0x10 +EOF + +While the crash with the original reproducer seems to be gone, the minimized reproducer from comment #2 still triggers this issue. Setting to "Confirmed". + +I moved this report over to QEMU's new bug tracker on gitlab.com. +Please continue with the discussion here: + +https://gitlab.com/qemu-project/qemu/-/issues/537 + +Thanks for moving it over! ... let's close this one here on Launchpad now. + + |