Diffstat (limited to '')
| -rw-r--r-- | results/classifier/108/other/1910 | 77 | ||||
| -rw-r--r-- | results/classifier/108/other/1910505 | 91 | ||||
| -rw-r--r-- | results/classifier/108/other/1910540 | 25 | ||||
| -rw-r--r-- | results/classifier/108/other/1910603 | 236 | ||||
| -rw-r--r-- | results/classifier/108/other/1910605 | 64 | ||||
| -rw-r--r-- | results/classifier/108/other/1910723 | 236 | ||||
| -rw-r--r-- | results/classifier/108/other/1910826 | 126 | ||||
| -rw-r--r-- | results/classifier/108/other/1910941 | 145 |
8 files changed, 1000 insertions, 0 deletions
diff --git a/results/classifier/108/other/1910 b/results/classifier/108/other/1910
new file mode 100644
index 00000000..7c9446c9
--- /dev/null
+++ b/results/classifier/108/other/1910
@@ -0,0 +1,77 @@
+debug: 0.867
+boot: 0.829
+performance: 0.739
+device: 0.678
+socket: 0.657
+PID: 0.607
+network: 0.595
+vnc: 0.551
+semantic: 0.529
+graphic: 0.529
+permissions: 0.511
+KVM: 0.380
+files: 0.354
+other: 0.315
+
+Signal handlers in x86_64 userspace have wrongly aligned stack
+Description of problem:
+Various applications crash in signal handlers due to `movaps` getting a misaligned stack address. For some reason this is reported as a NULL deref, but `gdb` clearly shows the true cause.
+
+```plaintext
+> qemu-x86_64 /usr/bin/ruby -e '`true`'
+-e:1: [BUG] Segmentation fault at 0x0000000000000000
+ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-linux-gnu]
+
+-- Control frame information -----------------------------------------------
+c:0003 p:---- s:0011 e:000010 CFUNC :`
+c:0002 p:0005 s:0006 e:000005 EVAL -e:1 [FINISH]
+c:0001 p:0000 s:0003 E:0015b0 DUMMY [FINISH]
+
+-- Ruby level backtrace information ----------------------------------------
+-e:1:in `<main>'
+-e:1:in ``'
+
+-- Machine register context ------------------------------------------------
+ RIP: 0x00002aaaab50f98a RBP: 0x00002aaaabb136b8 RSP: 0x00002aaaab2a9c98
+ RAX: 0x0000000000000000 RBX: 0x0000000000004946 RCX: 0x0000000000000000
+ RDX: 0x00002aaaab2a9c98 RDI: 0x000000000caf0000 RSI: 0x0000000000000000
+ R8: 0x00002aaaab2aaa50 R9: 0x0000000000000050 R10: 0x0000000000000008
+ R11: 0x0000000000000000 R12: 0x0000000000000002 R13: 0x0000000000007310
+ R14: 0x0000000000005e10 R15: 0x00002aaab0537f20 EFL: 0x0000000000000246
+
+-- C level backtrace information -------------------------------------------
+```
+
+```plaintext
+(gdb) x/i $pc
+=> 0x2aaaab50f98a: movaps %xmm0,(%rsp)
+(gdb) p/x $rsp
+$3 = 0x2aaaab2a9998
+```
+Steps to reproduce:
+1. ```qemu-x86_64 /usr/bin/ruby -e '`true`'```
+Additional information:
+The x86_64 psABI says:
+
+> the value (%rsp − 8) is always a multiple of 16 when control is transferred to the function entry point.
+
+However, when QEMU jumps to the signal handler, $rsp is aligned to 16B, i.e. ends in `0x..0`.
+
+The relevant kernel code:
+
+https://elixir.bootlin.com/linux/v6.5.5/source/arch/x86/kernel/signal.c#L123
+
+```plaintext
+ sp -= frame_size;
+
+ if (ia32_frame)
+ /*
+ * Align the stack pointer according to the i386 ABI,
+ * i.e. so that on function entry ((sp + 4) & 15) == 0.
+ */
+ sp = ((sp + 4) & -FRAME_ALIGNMENT) - 4;
+ else
+ sp = round_down(sp, FRAME_ALIGNMENT) - 8;
+```
+
+CC @lvivier @bonzini @rth7680
diff --git a/results/classifier/108/other/1910505 b/results/classifier/108/other/1910505
new file mode 100644
index 00000000..bf84f9e0
--- /dev/null
+++ b/results/classifier/108/other/1910505
@@ -0,0 +1,91 @@
+other: 0.948
+permissions: 0.929
+graphic: 0.917
+performance: 0.916
+semantic: 0.907
+debug: 0.896
+PID: 0.891
+device: 0.888
+files: 0.874
+vnc: 0.865
+KVM: 0.857
+socket: 0.855
+network: 0.810
+boot: 0.803
+
+atomic failure linking with --enable-sanitizers on 32-bit Linux hosts
+
+As of commit 50536341b47, using --enable-sanitizers on 32-bit Linux host:
+- displays various warnings
+- fails linking
+
+Using Ubuntu 18.04 (release 20201211.1) and Clang10 on i386:
+
+[139/675] Compiling C object softmmu.fa.p/softmmu_icount.c.o
+In file included from ../softmmu/icount.c:31:
+In file included from include/exec/exec-all.h:23:
+In file included from ../target/mips/cpu.h:4:
+In file included from ../target/mips/cpu-qom.h:23:
+In file included from include/hw/core/cpu.h:23:
+In file included from include/hw/qdev-core.h:5:
+In file included from include/qemu/bitmap.h:16:
+In file included from include/qemu/bitops.h:17:
+include/qemu/atomic.h:463:12: warning: misaligned atomic operation may
+incur significant performance penalty [-Watomic-alignment]
+ return qatomic_read__nocheck(ptr);
+ ^
+include/qemu/atomic.h:129:5: note: expanded from macro
+'qatomic_read__nocheck'
+ __atomic_load_n(ptr, __ATOMIC_RELAXED)
+ ^
+include/qemu/atomic.h:473:5: warning: misaligned atomic operation may
+incur significant performance penalty [-Watomic-alignment]
+ qatomic_set__nocheck(ptr, val);
+ ^
+include/qemu/atomic.h:138:5: note: expanded from macro
+'qatomic_set__nocheck'
+ __atomic_store_n(ptr, i, __ATOMIC_RELAXED)
+ ^
+2 warnings generated.
+[...]
+
+[850/2216] Linking target tests/test-hbitmap
+FAILED: tests/test-hbitmap
+clang -o tests/test-hbitmap tests/test-hbitmap.p/test-hbitmap.c.o
+tests/test-hbitmap.p/iothread.c.o -Wl,--as-needed -Wl,--no-undefined
+-pie -Wl,--whole-archive libblock.fa libcrypto.fa libauthz.fa libqom.fa
+libio.fa -Wl,--no-whole-archive -Wl,--warn-common -fsanitize=undefined
+-fsanitize=address -Wl,-z,relro -Wl,-z,now -m32 -ggdb
+-fstack-protector-strong -Wl,--start-group libqemuutil.a
+subprojects/libvhost-user/libvhost-user-glib.a
+subprojects/libvhost-user/libvhost-user.a libblock.fa libcrypto.fa
+libauthz.fa libqom.fa libio.fa @block.syms -lgio-2.0 -lgobject-2.0
+-lglib-2.0 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -pthread -lutil -lgnutls
+-lm -lgthread-2.0 -lglib-2.0 /usr/lib/i386-linux-gnu/libglib-2.0.so
+-liscsi -lgthread-2.0 -lglib-2.0 -laio -lcurl
+/usr/lib/i386-linux-gnu/libz.so -lrbd -lrados -lnettle -lgnutls
+-Wl,--end-group
+libblock.fa(block_io.c.o): In function `stat64_max':
+include/qemu/stats64.h:58: undefined reference to `__atomic_load_8'
+include/qemu/stats64.h:60: undefined reference to
+`__atomic_compare_exchange_8'
+libblock.fa(block_qapi.c.o): In function `stat64_get':
+include/qemu/stats64.h:40: undefined reference to `__atomic_load_8'
+libqemuutil.a(util_qsp.c.o): In function `qatomic_set_u64':
+include/qemu/atomic.h:478: undefined reference to `__atomic_store_8'
+libqemuutil.a(util_qsp.c.o): In function `qatomic_read_u64':
+include/qemu/atomic.h:468: undefined reference to `__atomic_load_8'
+clang: error: linker command failed with exit code 1 (use -v to see
+invocation)
+
+Issue previously reported on the list here:
+https://<email address hidden>/msg770128.html
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'invalid' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/235
+
+
diff --git a/results/classifier/108/other/1910540 b/results/classifier/108/other/1910540
new file mode 100644
index 00000000..8d88f1af
--- /dev/null
+++ b/results/classifier/108/other/1910540
@@ -0,0 +1,25 @@
+graphic: 0.808
+device: 0.784
+network: 0.782
+semantic: 0.697
+files: 0.593
+socket: 0.544
+vnc: 0.532
+performance: 0.529
+other: 0.376
+PID: 0.311
+boot: 0.308
+debug: 0.303
+permissions: 0.195
+KVM: 0.189
+
+where the trace file "trace-*"
+
+I compile qemu-system-aarch64 with --enable-trace-backends=simple option, then start qemu with -trace nvme* , qemu start successful but I cann't find the trace file "trace-*" at qemu started directory.
+
+I tested qemu.git/master on Linux x86_64 to confirm that the simple trace backend works. trace-$pid files are written to the current working directory.
+
+If QEMU prints a warning that the trace event name does not exist, try escaping the asterisk on your command-line: -trace nvme\*
+
+You can find the trace-event files in the source tree, if you were talking about those. Anyway, this does not really sound like a bug, so I'm closing this ticket now. If you need general help, please use the qemu-discuss mailing list or the #qemu channel on OFTC IRC instead.
+
diff --git a/results/classifier/108/other/1910603 b/results/classifier/108/other/1910603
new file mode 100644
index 00000000..82ae9449
--- /dev/null
+++ b/results/classifier/108/other/1910603
@@ -0,0 +1,236 @@
+other: 0.948
+permissions: 0.917
+semantic: 0.887
+device: 0.868
+KVM: 0.863
+vnc: 0.863
+debug: 0.857
+graphic: 0.850
+PID: 0.832
+performance: 0.818
+boot: 0.806
+files: 0.662
+network: 0.623
+socket: 0.595
+
+[OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
+
+=== Reproducer ===
+cat << EOF | ../build-system/qemu-system-i386 \
+-machine q35 -device sb16,audiodev=snd0 \
+-audiodev none,id=snd0 -nographic -nodefaults \
+-qtest stdio
+outw 0x22c 0x41
+outb 0x22c 0x0
+outw 0x22c 0x1004
+outw 0x22c 0x1c
+EOF
+
+=== Stack Trace ===
+A bug was just triggered in audio_calloc
+Save all your work and restart without audio
+I am sorry
+Context:
+Aborted
+
+#0 raise
+#1 abort
+#2 audio_bug /src/qemu/audio/audio.c:119:9
+#3 audio_calloc /src/qemu/audio/audio.c:154:9
+#4 audio_pcm_sw_alloc_resources_out /src/qemu/audio/audio_template.h:116:15
+#5 audio_pcm_sw_init_out /src/qemu/audio/audio_template.h:175:11
+#6 audio_pcm_create_voice_pair_out /src/qemu/audio/audio_template.h:410:9
+#7 AUD_open_out /src/qemu/audio/audio_template.h:503:14
+#8 continue_dma8 /src/qemu/hw/audio/sb16.c:216:20
+#9 dma_cmd8 /src/qemu/hw/audio/sb16.c:276:5
+#10 command /src/qemu/hw/audio/sb16.c:0
+#11 dsp_write /src/qemu/hw/audio/sb16.c:949:13
+#12 portio_write /src/qemu/softmmu/ioport.c:205:13
+#13 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#14 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#15 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#16 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#17 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#18 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#19 cpu_outw /src/qemu/softmmu/ioport.c:70:5
+
+
+OSS-Fuzz Report:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174
+
+This is still reproducible with the current version of QEMU.
Marking this as "Confirmed" + +While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series +Hardware Programming Guide" limit the sampling range from 4000 Hz to +44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables +3-2 and 3-3). + +Later, section 6-15 (DSP Commands) is more specific regarding the 41h / +42h registers (Set digitized sound output sampling rate): + + Valid sampling rates range from 5000 to 45000 Hz inclusive. + +There is no comment regarding error handling if the register is filled +with an out-of-range value. (See also section 3-28 "8-bit or 16-bit +Auto-initialize Transfer"). Assume limits are enforced in hardware. + +This fixes triggering an assertion in audio_calloc(): + + #1 abort + #2 audio_bug audio/audio.c:119:9 + #3 audio_calloc audio/audio.c:154:9 + #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15 + #5 audio_pcm_sw_init_out audio/audio_template.h:175:11 + #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9 + #7 AUD_open_out audio/audio_template.h:503:14 + #8 continue_dma8 hw/audio/sb16.c:216:20 + #9 dma_cmd8 hw/audio/sb16.c:276:5 + #10 command hw/audio/sb16.c:0 + #11 dsp_write hw/audio/sb16.c:949:13 + #12 portio_write softmmu/ioport.c:205:13 + #13 memory_region_write_accessor softmmu/memory.c:491:5 + #14 access_with_adjusted_size softmmu/memory.c:552:18 + #15 memory_region_dispatch_write softmmu/memory.c:0:13 + #16 flatview_write_continue softmmu/physmem.c:2759:23 + #17 flatview_write softmmu/physmem.c:2799:14 + #18 address_space_write softmmu/physmem.c:2891:18 + #19 cpu_outw softmmu/ioport.c:70:5 + +[*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html + +Fixes: 85571bc7415 ("audio merge (malc)") +Buglink: https://bugs.launchpad.net/bugs/1910603 +OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174 +Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +--- + hw/audio/sb16.c | 14 ++++++++++ + tests/qtest/fuzz-sb16-test.c | 52 
++++++++++++++++++++++++++++++++++++ + MAINTAINERS | 1 + + tests/qtest/meson.build | 1 + + 4 files changed, 68 insertions(+) + create mode 100644 tests/qtest/fuzz-sb16-test.c + +diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c +index 8b207004102..5cf121fe363 100644 +--- a/hw/audio/sb16.c ++++ b/hw/audio/sb16.c +@@ -115,6 +115,9 @@ struct SB16State { + PortioList portio_list; + }; + ++#define SAMPLE_RATE_MIN 5000 ++#define SAMPLE_RATE_MAX 45000 ++ + static void SB_audio_callback (void *opaque, int free); + + static int magic_of_irq (int irq) +@@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len) + int tmp = (256 - s->time_const); + s->freq = (1000000 + (tmp / 2)) / tmp; + } ++ if (s->freq < SAMPLE_RATE_MIN) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "sampling range too low: %d, increasing to %u\n", ++ s->freq, SAMPLE_RATE_MIN); ++ s->freq = SAMPLE_RATE_MIN; ++ } else if (s->freq > SAMPLE_RATE_MAX) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "sampling range too high: %d, decreasing to %u\n", ++ s->freq, SAMPLE_RATE_MAX); ++ s->freq = SAMPLE_RATE_MAX; ++ } + + if (dma_len != -1) { + s->block_size = dma_len << s->fmt_stereo; +diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c +new file mode 100644 +index 00000000000..51030cd7dc4 +--- /dev/null ++++ b/tests/qtest/fuzz-sb16-test.c +@@ -0,0 +1,52 @@ ++/* ++ * QTest fuzzer-generated testcase for sb16 audio device ++ * ++ * Copyright (c) 2021 Philippe Mathieu-Daudé <email address hidden> ++ * ++ * SPDX-License-Identifier: GPL-2.0-or-later ++ */ ++ ++#include "qemu/osdep.h" ++#include "libqos/libqtest.h" ++ ++/* ++ * This used to trigger the assert in audio_calloc ++ * https://bugs.launchpad.net/qemu/+bug/1910603 ++ */ ++static void test_fuzz_sb16_0x1c(void) ++{ ++ QTestState *s = qtest_init("-M q35 -display none " ++ "-device sb16,audiodev=snd0 " ++ "-audiodev none,id=snd0"); ++ qtest_outw(s, 0x22c, 0x41); ++ qtest_outb(s, 0x22c, 0x00); ++ qtest_outw(s, 0x22c, 0x1004); ++ qtest_outw(s, 
0x22c, 0x001c); ++ qtest_quit(s); ++} ++ ++static void test_fuzz_sb16_0x91(void) ++{ ++ QTestState *s = qtest_init("-M pc -display none " ++ "-device sb16,audiodev=none " ++ "-audiodev id=none,driver=none"); ++ qtest_outw(s, 0x22c, 0xf141); ++ qtest_outb(s, 0x22c, 0x00); ++ qtest_outb(s, 0x22c, 0x24); ++ qtest_outb(s, 0x22c, 0x91); ++ qtest_quit(s); ++} ++ ++int main(int argc, char **argv) ++{ ++ const char *arch = qtest_get_arch(); ++ ++ g_test_init(&argc, &argv, NULL); ++ ++ if (strcmp(arch, "i386") == 0) { ++ qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); ++ qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); ++ } ++ ++ return g_test_run(); ++} +diff --git a/MAINTAINERS b/MAINTAINERS +index 5f55404f2fa..7edb26d2293 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -2213,6 +2213,7 @@ F: qapi/audio.json + F: tests/qtest/ac97-test.c + F: tests/qtest/es1370-test.c + F: tests/qtest/intel-hda-test.c ++F: tests/qtest/fuzz-sb16-test.c + + Block layer core + M: Kevin Wolf <email address hidden> +diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build +index c3a223a83d6..b03e8541700 100644 +--- a/tests/qtest/meson.build ++++ b/tests/qtest/meson.build +@@ -20,6 +20,7 @@ + qtests_generic = \ + (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ + (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ ++ (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ + [ + 'cdrom-test', + 'device-introspect-test', +-- +2.26.3 + + + +OSS-Fuzz confirms this is fixed: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30574#c4 + +Fixed by: +https://gitlab.com/qemu-project/qemu/-/commit/a2cd86a94a881b38a7d8bb67c619 + diff --git a/results/classifier/108/other/1910605 b/results/classifier/108/other/1910605 new file mode 100644 index 00000000..dbe9af69 --- /dev/null +++ b/results/classifier/108/other/1910605 
@@ -0,0 +1,64 @@
+other: 0.899
+device: 0.886
+graphic: 0.885
+performance: 0.884
+network: 0.846
+files: 0.828
+PID: 0.806
+permissions: 0.795
+semantic: 0.782
+debug: 0.761
+socket: 0.735
+vnc: 0.708
+boot: 0.683
+KVM: 0.574
+
+qemu-arm-static ioctl USBDEVFS_BULK return -1 (EFAULT) Bad address
+
+
+
+Snippet of code sample:
+
+struct usbdevfs_bulktransfer Bulk;
+Bulk.ep = hUsb->UsbOut;
+Bulk.len = Len;
+Bulk.data = (void *)pData;
+Bulk.timeout = Timeout;
+Bytes = ioctl(hUsb->fd, USBDEVFS_BULK, &Bulk)
+
+The above code sample return -1 (EFAULT) Bad address when using qemu-arm-static but is running ok when on qemu-aarch64-static.
+
+I use a 64-bit intel laptop
+
+The QEMU project is currently moving its bug tracking to another system.
+For this we need to know which bugs are still valid and which could be
+closed already. Thus we are setting the bug state to "Incomplete" now.
+
+If the bug has already been fixed in the latest upstream version of QEMU,
+then please close this ticket as "Fix released".
+
+If it is not fixed yet and you think that this bug report here is still
+valid, then you have two options:
+
+1) If you already have an account on gitlab.com, please open a new ticket
+for this problem in our new tracker here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues
+
+and then close this ticket here on Launchpad (or let it expire auto-
+matically after 60 days). Please mention the URL of this bug ticket on
+Launchpad in the new ticket on GitLab.
+
+2) If you don't have an account on gitlab.com and don't intend to get
+one, but still would like to keep this ticket opened, then please switch
+the state back to "New" or "Confirmed" within the next 60 days (other-
+wise it will get closed as "Expired"). We will then eventually migrate
+the ticket automatically to the new system (but you won't be the reporter
+of the bug in the new system and thus you won't get notified on changes
+anymore).
+
+Thank you and sorry for the inconvenience.
+
+
+[Expired for QEMU because there has been no activity for 60 days.]
+
diff --git a/results/classifier/108/other/1910723 b/results/classifier/108/other/1910723
new file mode 100644
index 00000000..651be5fe
--- /dev/null
+++ b/results/classifier/108/other/1910723
@@ -0,0 +1,236 @@
+graphic: 0.769
+semantic: 0.653
+KVM: 0.633
+other: 0.620
+vnc: 0.598
+device: 0.562
+performance: 0.557
+permissions: 0.543
+PID: 0.519
+debug: 0.481
+boot: 0.463
+network: 0.445
+files: 0.401
+socket: 0.360
+
+NULL pointer dereference issues in am53c974 SCSI host bus adapter
+
+Two NULL pointer dereference issues were found in the am53c974 SCSI host bus adapter emulation of QEMU. They could occur while handling the 'Information Transfer' command (CMD_TI) in function handle_ti() in hw/scsi/esp.c, and could be abused by a malicious guest to crash the QEMU process on the host resulting in a denial of service.
+
+Both issues were reported by Cheolwoo Myung (Seoul National University). To reproduce them, configure and run QEMU as follows. Please find attached the required disk images.
+
+$ ./configure --target-list=x86_64-softmmu --enable-kvm --enable-sanitizers
+$ make
+$ ./qemu-system-x86_64 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw \
+-device am53c974,id=scsi -device scsi-hd,drive=SysDisk \
+-drive id=SysDisk,if=none,file=./disk.img
+
+Additional info:
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
+
+ASAN logs:
+==672133==
+hw/scsi/scsi-bus.c:1385:12: runtime error: member access within null pointer of type 'struct SCSIRequest'
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==672133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000171 (pc 0x55bd63e20b85 bp 0x7f4b6fffdfa0 sp 0x7f4b6fffdf70 T7)
+==672133==The signal is caused by a READ memory access.
+==672133==Hint: address points to the zero page.
+ #0 0x55bd63e20b85 in scsi_req_continue hw/scsi/scsi-bus.c:1385
+ #1 0x55bd63ab34fb in esp_do_dma hw/scsi/esp.c:453
+ #2 0x55bd63ab4b3c in handle_ti hw/scsi/esp.c:549
+ #3 0x55bd63ab72a9 in esp_reg_write hw/scsi/esp.c:691
+ #4 0x55bd63d7b5dd in esp_pci_io_write hw/scsi/esp-pci.c:206
+ #5 0x55bd645d55a3 in memory_region_write_accessor softmmu/memory.c:491
+ #6 0x55bd645d5a24 in access_with_adjusted_size softmmu/memory.c:552
+ #7 0x55bd645e2baa in memory_region_dispatch_write softmmu/memory.c:1501
+ #8 0x55bd646b75ff in flatview_write_continue softmmu/physmem.c:2759
+ #9 0x55bd646b79d1 in flatview_write softmmu/physmem.c:2799
+ #10 0x55bd646b8341 in address_space_write softmmu/physmem.c:2891
+ #11 0x55bd646b83f9 in address_space_rw softmmu/physmem.c:2901
+ #12 0x55bd648c4736 in kvm_handle_io accel/kvm/kvm-all.c:2285
+ #13 0x55bd648c69c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
+ #14 0x55bd647b2413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
+ #15 0x55bd64f560de in qemu_thread_start util/qemu-thread-posix.c:521
+ #16 0x7f4b981763f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
+ #17 0x7f4b980a3902 in __GI___clone (/lib64/libc.so.6+0x101902)
+
+---
+
+==672020==
+hw/scsi/esp.c:196:62: runtime error: member access within null pointer of type 'struct SCSIDevice'
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==672020==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x559bc99946fd bp 0x7f08bd737fb0 sp 0x7f08bd737f70 T7)
+==672020==The signal is caused by a READ memory access.
+==672020==Hint: address points to the zero page.
+ #0 0x559bc99946fd in do_busid_cmd hw/scsi/esp.c:196
+ #1 0x559bc9994e71 in do_cmd hw/scsi/esp.c:220
+ #2 0x559bc999ae81 in handle_ti hw/scsi/esp.c:555
+ #3 0x559bc999d2a9 in esp_reg_write hw/scsi/esp.c:691
+ #4 0x559bc9c615dd in esp_pci_io_write hw/scsi/esp-pci.c:206
+ #5 0x559bca4bb5a3 in memory_region_write_accessor softmmu/memory.c:491
+ #6 0x559bca4bba24 in access_with_adjusted_size softmmu/memory.c:552
+ #7 0x559bca4c8baa in memory_region_dispatch_write softmmu/memory.c:1501
+ #8 0x559bca59d5ff in flatview_write_continue softmmu/physmem.c:2759
+ #9 0x559bca59d9d1 in flatview_write softmmu/physmem.c:2799
+ #10 0x559bca59e341 in address_space_write softmmu/physmem.c:2891
+ #11 0x559bca59e3f9 in address_space_rw softmmu/physmem.c:2901
+ #12 0x559bca7aa736 in kvm_handle_io accel/kvm/kvm-all.c:2285
+ #13 0x559bca7ac9c8 in kvm_cpu_exec accel/kvm/kvm-all.c:2531
+ #14 0x559bca698413 in kvm_vcpu_thread_fn accel/kvm/kvm-cpus.c:49
+ #15 0x559bcae3c0de in qemu_thread_start util/qemu-thread-posix.c:521
+ #16 0x7f08e57ba3f8 in start_thread (/lib64/libpthread.so.0+0x93f8)
+ #17 0x7f08e56e7902 in __GI___clone (/lib64/libc.so.6+0x101902)
+
+
+
+QTest Reproducer for the first:
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
+ * 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
+ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
+ * outl 0xcf8 0x80001010
+ * outl 0xcfc 0xc000
+ * outl 0xcf8 0x80001004
+ * outw 0xcfc 0x05
+ * outb 0xc046 0x02
+ * outl 0xc00b 0xc100
+ * outl 0xc040 0x03
+ * outl 0xc040 0x03
+ * write 0x0 0x1 0x41
+ * outl 0xc00b 0xc100
+ * outw 0xc040 0x02
+ * outw 0xc040 0x81
+ * outl 0xc00b 0x9000
+ * EOF
+ */
+static void test_fuzz(void)
+{
+ QTestState *s = qtest_init(
+ "-display none , -m 512M -device am53c974,id=scsi -device "
+ "scsi-hd,drive=disk0 -drive "
+ "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+ qtest_outl(s, 0xcf8, 0x80001010);
+ qtest_outl(s, 0xcfc, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80001004);
+ qtest_outw(s, 0xcfc, 0x05);
+ qtest_outb(s, 0xc046, 0x02);
+ qtest_outl(s, 0xc00b, 0xc100);
+ qtest_outl(s, 0xc040, 0x03);
+ qtest_outl(s, 0xc040, 0x03);
+ qtest_bufwrite(s, 0x0, "\x41", 0x1);
+ qtest_outl(s, 0xc00b, 0xc100);
+ qtest_outw(s, 0xc040, 0x02);
+ qtest_outw(s, 0xc040, 0x81);
+ qtest_outl(s, 0xc00b, 0x9000);
+ qtest_quit(s);
+}
+int main(int argc, char **argv)
+{
+ const char *arch = qtest_get_arch();
+
+ g_test_init(&argc, &argv, NULL);
+
+ if (strcmp(arch, "i386") == 0) {
+ qtest_add_func("fuzz/test_fuzz", test_fuzz);
+ }
+
+ return g_test_run();
+}
+
+QTest Reproducer for the second:
+/*
+ * Autogenerated Fuzzer Test Case
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * later. See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
+ * -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
+ * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
+ * outl 0xcf8 0x80001001
+ * outl 0xcfc 0x01000000
+ * outl 0xcf8 0x8000100e
+ * outl 0xcfc 0xef800000
+ * outl 0xef8b 0x4100
+ * outw 0xef80 0x01
+ * outl 0xefc0 0x03
+ * outl 0xef8b 0xc100
+ * outl 0xef8b 0x9000
+ * EOF
+ */
+static void test_fuzz(void)
+{
+ QTestState *s = qtest_init(
+ "-display none , -m 512M -device am53c974,id=scsi -device "
+ "scsi-hd,drive=disk0 -drive "
+ "id=disk0,if=none,file=null-co://,format=raw -nodefaults");
+ qtest_outl(s, 0xcf8, 0x80001001);
+ qtest_outl(s, 0xcfc, 0x01000000);
+ qtest_outl(s, 0xcf8, 0x8000100e);
+ qtest_outl(s, 0xcfc, 0xef800000);
+ qtest_outl(s, 0xef8b, 0x4100);
+ qtest_outw(s, 0xef80, 0x01);
+ qtest_outl(s, 0xefc0, 0x03);
+ qtest_outl(s, 0xef8b, 0xc100);
+ qtest_outl(s, 0xef8b, 0x9000);
+ qtest_quit(s);
+}
+int main(int argc, char **argv)
+{
+ const char *arch = qtest_get_arch();
+
+ g_test_init(&argc, &argv, NULL);
+
+ if (strcmp(arch, "i386") == 0) {
+ qtest_add_func("fuzz/test_fuzz", test_fuzz);
+ }
+
+ return g_test_run();
+}
+
+Thank you both for the reproducers. Please see the proposed patchset here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06063.html
+
+
+I can confirm this is fixed now, thank you Mark.
+
+Patchset v2:
+https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html
+
+Patchset v4:
+https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
+
+Upstream commits:
+https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
+https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
+https://git.qemu.org/?p=qemu.git;a=commit;h=e5455b8c1c6170c788f3c0fd577cc3be53539a99
+https://git.qemu.org/?p=qemu.git;a=commit;h=c5fef9112b15c4b5494791cdf8bbb40bc1938dd3
+https://git.qemu.org/?p=qemu.git;a=commit;h=7b320a8e67a534925048cbabfa51431e0349dafd
+https://git.qemu.org/?p=qemu.git;a=commit;h=99545751734035b76bd372c4e7215bb337428d89
+https://git.qemu.org/?p=qemu.git;a=commit;h=fa7505c154d4d00ad89a747be2eda556643ce00e
+https://git.qemu.org/?p=qemu.git;a=commit;h=fbc6510e3379fa8f8370bf71198f0ce733bf07f9
+https://git.qemu.org/?p=qemu.git;a=commit;h=0ebb5fd80589835153a0c2baa1b8cc7a04e67a93
+https://git.qemu.org/?p=qemu.git;a=commit;h=324c8809897c8c53ad05c3a7147d272f1711cd5e
+https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba490970a18a76
+
diff --git a/results/classifier/108/other/1910826 b/results/classifier/108/other/1910826
new file mode 100644
index 00000000..1da5d03d
--- /dev/null
+++ b/results/classifier/108/other/1910826
@@ -0,0 +1,126 @@
+other: 0.894
+device: 0.821
+graphic: 0.780
+KVM: 0.763
+performance: 0.761
+permissions: 0.736
+vnc: 0.708
+semantic: 0.692
+debug: 0.665
+boot: 0.654
+files: 0.632
+network: 0.630
+PID: 0.572
+socket: 0.519
+
+[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
+
+=== Reproducer ===
+cat << EOF | ../build/qemu-system-i386 -machine q35 \
+-nodefaults -device rtl8139,netdev=net0 \
+-netdev user,id=net0 -display none -qtest stdio
+outl 0xcf8 0x80000804
+outb 0xcfc 0x26
+outl 0xcf8 0x80000817
+outb 0xcfc 0xff
+write 0x1 0x1 0x42
+write 0x5 0x1 0x42
+write 0x9 0x1 0x42
+write 0xd 0x1 0x42
+write 0xff000044 0x4 0x11
+write 0xff000037 0x1 0x1c
+writel 0xff000030 0xff000000
+write 0xff000040 0x4 0x100006
+write 0xff000010 0x4 0x01020
+EOF
+
+=== Stack Trace ===
+==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
+#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
+#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
+#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
+#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
+#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
+#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
+#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
+#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
+#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
+#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
+#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
+#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
+#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
+#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
+#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
+#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
+#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
+#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
+#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
+#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
+#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
+#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
+#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
+#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
+#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
+#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
+#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
+#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
+#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
+#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
+#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
+#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
+Repeat until we run out of stack
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
+
+A more concise version and corresponding notes. Might help :)
+
+-- [ Reproducer
+
+cat << EOF | ../build/qemu-system-i386 -machine q35 \
+-nodefaults -device rtl8139,netdev=net0 \
+-netdev user,id=net0 -display none -qtest stdio
+outl 0xcf8 0x80000804
+outb 0xcfc 0x06
+outl 0xcf8 0x80000817
+outb 0xcfc 0xff
+write 0xff000037 0x1 0x0c
+writel 0xff000030 0xff000010
+write 0xff000040 0x4 0x100006
+write 0xff000044 0x4 0x01
+write 0xff000010 0x4 0x01
+EOF
+
+-- [ Notes
+
+/* Make the MMIO region start from 0xff000000 */
+outl 0xcf8 0x80000817
+outb 0xcfc 0xff
+
+/*Command Register: enable receiver and transmitter*/
+write 0xff000037 0x1 0x0c
+
+/* set Receive (Rx) Buffer Start Address at 0xff000010 */
+/* Note: 0xff000010 - 0xff000000 = 0x10 is the offset of TSD0*/
+writel 0xff000030 0xff000010
+
+/* TXRR, Tx Retry Count = 1 */
+/* set transmit mode into the loopback */
+write 0xff000040 0x4 0x100006
+
+/* Receive Configuration Register: Accept All Packets */
+write 0xff000044 0x4 0x01
+
+/* TSD0: set Descriptor Size to 1 and trigger a tranfer*/
+write 0xff000010 0x4 0x01
+
+
+OSS-Fuzz says this issue has been fixed.
+
+https://gitlab.com/qemu-project/qemu/-/commit/5311fb805a4403bba
+
diff --git a/results/classifier/108/other/1910941 b/results/classifier/108/other/1910941
new file mode 100644
index 00000000..c6c8d029
--- /dev/null
+++ b/results/classifier/108/other/1910941
@@ -0,0 +1,145 @@
+KVM: 0.763
+other: 0.722
+vnc: 0.689
+performance: 0.612
+graphic: 0.591
+files: 0.586
+device: 0.583
+semantic: 0.567
+PID: 0.541
+permissions: 0.537
+network: 0.533
+socket: 0.520
+boot: 0.483
+debug: 0.414
+
+Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
+
+Hello,
+
+Using hypervisor fuzzer, hyfuzz, I found an assertion failure through virtio-blk emulator.
+
+A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
+
+This was found in version 5.2.0 (master)
+
+```
+
+qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
+[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
+
+Program terminated with signal SIGABRT, Aborted.
+#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
+#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
+#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
+#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
+#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
+#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
+#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
+#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
+#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
+#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
+#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
+#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
+#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
+#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
+#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
+#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
+#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
+#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
+#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
+#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
+#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
+#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
+#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
+#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
+#24 0x000056537a92894a in _start ()
+
+```
+
+To reproduce this issue, please run the QEMU with the following command line.
+
+```
+
+# To reproduce this issue, please run the QEMU process with the following command line.
+
+$ qemu-system-i386 -m 512 -drive file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-pci,drive=drive0,id=virtblk0,num-queues=4 -drive file=disk.img,if=none,id=drive0
+
+```
+
+Please let me know if I can provide any further info.
+
+Thank you.
+
+
+
+This is OSS-Fuzz Issue 26797
+
+=== Reproducer ===
+cat << EOF | ./qemu-system-i386 -machine q35 \
+-device virtio-blk,drive=disk0 \
+-drive file=null-co://,id=disk0,if=none,format=raw \
+-serial none -monitor none -qtest stdio -nographic
+outl 0xcf8 0x80001890
+outl 0xcfc 0x4
+outl 0xcf8 0x8000188a
+outl 0xcfc 0xd4624
+outl 0xcf8 0x80001894
+outl 0xcfc 0x20000002
+outl 0xcf8 0x80001889
+outl 0xcfc 0x18000000
+outl 0xcf8 0x80001896
+outl 0xcfc 0x0
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x20
+outl 0xcf8 0x80001894
+outl 0xcfc 0x1
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x1c
+outl 0xcf8 0x80001895
+outl 0xcfc 0x0
+outl 0xcf8 0x80001889
+outl 0xcfc 0x18000000
+outl 0xcf8 0x80001894
+outl 0xcfc 0x40
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x14
+outl 0xcf8 0x80001894
+outl 0xcfc 0x1004
+EOF
+
+=== Stack Trace ===
+qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
+
+==2382430== ERROR: libFuzzer: deadly signal
+#8 address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
+#9 stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
+#10 virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
+#11 vring_set_avail_event /src/qemu/hw/virtio/virtio.c:429:5
+#12 virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:438:9
+#13 virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:499:9
+#14 virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
+#15 virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
+#16 virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2326:15
+#17 virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3533:9
+#18 aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
+#19 aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
+#20 aio_dispatch /src/qemu/util/aio-posix.c:382:5
+#21 aio_ctx_dispatch /src/qemu/util/async.c:306:5
+#22 g_main_context_dispatch
+#23 glib_pollfds_poll /src/qemu/util/main-loop.c:232:9
+#24 os_host_main_loop_wait /src/qemu/util/main-loop.c:255:5
+#25 main_loop_wait /src/qemu/util/main-loop.c:531:11
+#26 flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:49:9
+#27 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:683:17
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.6797
+
+
+This is an automated cleanup. This bug report has been moved to QEMU's
+new bug tracker on gitlab.com and thus gets marked as 'expired' now.
+Please continue with the discussion here:
+
+ https://gitlab.com/qemu-project/qemu/-/issues/301
+
+
|
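Review bot: The OSS-Fuzz reference near the end of this file is corrupted: the assertion message was pasted into the middle of the URL, so it reads `https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2qemu-fuzz-i386-...failed.6797` and no longer resolves; the issue number stated a few lines earlier is 26797, so the line should read `https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26797`. For readers of this corpus it is also worth noting that the qtest reproducer reaches the `assert()` in address_space_stw_le_cached using only PCI configuration-space writes (outl/outw to 0xcf8/0xcfc), which is consistent with the report's claim that a guest can abort the host QEMU process; whether a build with assertions disabled would instead perform an out-of-range cached store is not shown by the trace and should not be assumed from it. Unlike the preceding rtl8139 report, this file records no fixing commit, only the move to gitlab issue #301, so its status is open from the page's point of view.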
