summary refs log tree commit diff stats
path: root/results/classifier/gemma3:12b/device/2548
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/gemma3:12b/device/2548')
-rw-r--r--results/classifier/gemma3:12b/device/2548407
1 files changed, 407 insertions, 0 deletions
diff --git a/results/classifier/gemma3:12b/device/2548 b/results/classifier/gemma3:12b/device/2548
new file mode 100644
index 00000000..bacc484a
--- /dev/null
+++ b/results/classifier/gemma3:12b/device/2548
@@ -0,0 +1,407 @@
+
+Assert failure in `usb_ep_get` : Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT` failed.
+Description of problem:
+Assert failure in `usb_ep_get` : Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT` failed.
+
+The TD PID needs to be either `USB_TOKEN_IN` or `USB_TOKEN_OUT` in `usb_ep_get`, but in the caller `uhci_handle_td` it may be `USB_TOKEN_SETUP`. 
+
+An unprivileged guest user may be able to reach the assertion, I think this bug is quite akin to CVE-2024-3567 (https://gitlab.com/qemu-project/qemu/-/issues/2273) :
+
+Users are not directly able to craft URBs, however as a user, one might be able to find a kernel path that would send a TD with PID `USB_TOKEN_SETUP` to QEMU (which is called `USB_PID_SETUP` in Linux).
+For instance in the Linux Kernel,  `uhci_submit_control` in `drivers/usb/host/uhci-q.c:789`  does link a `USB_PID_SETUP` TD to the URB.
+Steps to reproduce:
+Minimized reproducer:
+
+```
+cat << EOF | ./qemu/build2/qemu-system-x86_64 -machine q35 -nodefaults \
+-device \
+ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
+-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=i\
+ch9-ehci-1.0,firstport=0 -device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,mul\
+tifunction=on,masterbus=ich9-ehci-1.0,firstport=2 -device ich9-usb-uhci3\
+,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport\
+=4 -drive if=none,id=usbcdrom,media=cdrom -device \
+usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 -device \
+usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom -qtest stdio
+outl 0xcf8 0x8000e900
+inw 0xcfc
+outl 0xcf8 0x8000e920
+outl 0xcfc 0xffffffff
+outl 0xcf8 0x8000e920
+inl 0xcfc
+outl 0xcf8 0x8000e920
+outl 0xcfc 0xc001
+outl 0xcf8 0x8000e904
+inw 0xcfc
+outl 0xcf8 0x8000e904
+outw 0xcfc 0x7
+outl 0xcf8 0x8000e904
+inw 0xcfc
+outl 0xcf8 0x8000ef00
+inw 0xcfc
+outl 0xcf8 0x8000ef10
+outl 0xcfc 0xffffffff
+outl 0xcf8 0x8000ef10
+inl 0xcfc
+outl 0xcf8 0x8000ef10
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x8000ef04
+inw 0xcfc
+outl 0xcf8 0x8000ef04
+outw 0xcfc 0x7
+outl 0xcf8 0x8000ef04
+inw 0xcfc
+outl 0xcf8 0x8000ea00
+inw 0xcfc
+outl 0xcf8 0x8000ea20
+outl 0xcfc 0xffffffff
+outl 0xcf8 0x8000ea20
+inl 0xcfc
+outl 0xcf8 0x8000ea20
+outl 0xcfc 0xc021
+outl 0xcf8 0x8000ea04
+inw 0xcfc
+outl 0xcf8 0x8000ea04
+outw 0xcfc 0x7
+outl 0xcf8 0x8000ea04
+inw 0xcfc
+outl 0xcf8 0x8000e800
+inw 0xcfc
+outl 0xcf8 0x8000e820
+outl 0xcfc 0xffffffff
+outl 0xcf8 0x8000e820
+inl 0xcfc
+outl 0xcf8 0x8000e820
+outl 0xcfc 0xc041
+outl 0xcf8 0x8000e804
+inw 0xcfc
+outl 0xcf8 0x8000e804
+outw 0xcfc 0x7
+outl 0xcf8 0x8000e804
+inw 0xcfc
+outl 0xcf8 0x8000fa00
+inw 0xcfc
+outl 0xcf8 0x8000fa20
+outl 0xcfc 0xffffffff
+outl 0xcf8 0x8000fa20
+inl 0xcfc
+outl 0xcf8 0x8000fa20
+outl 0xcfc 0xc061
+outl 0xcf8 0x8000fa24
+outl 0xcfc 0xffffffff
+outl 0xcf8 0x8000fa24
+inl 0xcfc
+outl 0xcf8 0x8000fa24
+outl 0xcfc 0xe0001000
+outl 0xcf8 0x8000fa04
+inw 0xcfc
+outl 0xcf8 0x8000fa04
+outw 0xcfc 0x7
+outl 0xcf8 0x8000fa04
+inw 0xcfc
+outl 0xcf8 0x8000ea20
+outl 0xcfc 0x625f69a0
+outb 0xc040 0x46
+outb 0xc040 0x69
+inb 0xc000
+outb 0xc040 0x46
+clock_step
+outb 0xc040 0x69
+clock_step
+write 0x0 0x4 0x64657669
+write 0x69766560 0x8 0x000000ff6c46f228
+write 0x69766568 0x8 0x2d323334319c6c65
+write 0xff000000 0x8 0x000000ff6c6f6766
+write 0xff000008 0x8 0x8d6c65652d736400
+outb 0xc040 0x69
+outl 0xcf8 0x8000ef76
+outw 0xcfc 0x6563
+outb 0xc040 0x46
+clock_step
+outb 0xc040 0x69
+inb 0xc000
+clock_step
+write 0x4 0x4 0x64657669
+write 0x69766560 0x8 0x000000ff6c46f228
+write 0x69766568 0x8 0x2d323334319c6c65
+write 0xff000000 0x8 0x000000ff6c6f6766
+write 0xff000008 0x8 0x8d6c65652d736400
+outb 0xc040 0x69
+outw 0xc003 0x6769
+outb 0xc040 0x69
+readq 0xe0000074
+outb 0xc040 0x46
+clock_step
+outb 0xc040 0x69
+clock_step
+write 0x8 0x4 0x00000100
+write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
+write 0xff000000 0x8 0x6465766963656d69
+write 0xff000008 0x8 0x740d00699b652d63
+write 0x69766560 0x8 0x000000ff6c46f228
+write 0x69766568 0x8 0x2d323334319c6c65
+clock_step
+write 0xc 0x4 0x000000ff
+write 0xff000000 0x8 0x0000010000000069
+write 0xff000008 0x8 0x636c395f61707269
+write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
+outw 0xc003 0x6f00
+outb 0xc040 0x69
+outl 0xc053 0x6378616d
+clock_step
+write 0x10 0x4 0x000000ff
+write 0xff000000 0x8 0x6465766963656d69
+write 0xff000008 0x8 0x740d00699b652d63
+write 0x69766560 0x8 0x000000ff6c46f228
+write 0x69766568 0x8 0x2d323334319c6c65
+outb 0xc051 0x6d
+outb 0xc04f 0x61
+outb 0xc040 0x69
+clock_step
+write 0x14 0x4 0x000000ff
+write 0xff000000 0x8 0x0000010000000069
+write 0xff000008 0x8 0x636c395f61707269
+write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
+EOF
+```
+
+# Additional information
+The crash report triggered by the reproducer is:
+
+```
+[R +0.033173] outl 0xcf8 0x8000e900
+[S +0.033189] [R +0.033195] inw 0xcfc
+[S +0.033205] [R +0.033212] outl 0xcf8 0x8000e920
+[S +0.033218] [R +0.033222] outl 0xcfc 0xffffffff
+[S +0.033231] [R +0.033235] outl 0xcf8 0x8000e920
+[S +0.033241] [R +0.033245] inl 0xcfc
+[S +0.033250] [R +0.033255] outl 0xcf8 0x8000e920
+[S +0.033261] [R +0.033265] outl 0xcfc 0xc001
+[S +0.033271] [R +0.033275] outl 0xcf8 0x8000e904
+[S +0.033281] [R +0.033285] inw 0xcfc
+[S +0.033290] [R +0.033295] outl 0xcf8 0x8000e904
+[S +0.033300] [R +0.033306] outw 0xcfc 0x7
+[S +0.033755] [R +0.033767] outl 0xcf8 0x8000e904
+[S +0.033774] [R +0.033779] inw 0xcfc
+[S +0.033785] [R +0.033792] outl 0xcf8 0x8000ef00
+[S +0.033798] [R +0.033802] inw 0xcfc
+[S +0.033808] [R +0.033813] outl 0xcf8 0x8000ef10
+[S +0.033818] [R +0.033840] outl 0xcfc 0xffffffff
+[S +0.033848] [R +0.033853] outl 0xcf8 0x8000ef10
+[S +0.033859] [R +0.033864] inl 0xcfc
+[S +0.033870] [R +0.033875] outl 0xcf8 0x8000ef10
+[S +0.033880] [R +0.033884] outl 0xcfc 0xe0000000
+[S +0.033891] [R +0.033895] outl 0xcf8 0x8000ef04
+[S +0.033901] [R +0.033904] inw 0xcfc
+[S +0.033909] [R +0.033916] outl 0xcf8 0x8000ef04
+[S +0.033922] [R +0.033926] outw 0xcfc 0x7
+[S +0.034381] [R +0.034389] outl 0xcf8 0x8000ef04
+[S +0.034395] [R +0.034399] inw 0xcfc
+[S +0.034405] [R +0.034412] outl 0xcf8 0x8000ea00
+[S +0.034417] [R +0.034421] inw 0xcfc
+[S +0.034427] [R +0.034431] outl 0xcf8 0x8000ea20
+[S +0.034437] [R +0.034441] outl 0xcfc 0xffffffff
+[S +0.034448] [R +0.034452] outl 0xcf8 0x8000ea20
+[S +0.034457] [R +0.034463] inl 0xcfc
+[S +0.034469] [R +0.034474] outl 0xcf8 0x8000ea20
+[S +0.034480] [R +0.034484] outl 0xcfc 0xc021
+[S +0.034490] [R +0.034494] outl 0xcf8 0x8000ea04
+[S +0.034500] [R +0.034504] inw 0xcfc
+[S +0.034509] [R +0.034515] outl 0xcf8 0x8000ea04
+[S +0.034521] [R +0.034525] outw 0xcfc 0x7
+[S +0.034948] [R +0.034955] outl 0xcf8 0x8000ea04
+[S +0.034961] [R +0.034965] inw 0xcfc
+[S +0.034971] [R +0.034989] outl 0xcf8 0x8000e800
+[S +0.034996] [R +0.035000] inw 0xcfc
+[S +0.035005] [R +0.035010] outl 0xcf8 0x8000e820
+[S +0.035016] [R +0.035020] outl 0xcfc 0xffffffff
+[S +0.035027] [R +0.035033] outl 0xcf8 0x8000e820
+[S +0.035039] [R +0.035043] inl 0xcfc
+[S +0.035048] [R +0.035053] outl 0xcf8 0x8000e820
+[S +0.035059] [R +0.035065] outl 0xcfc 0xc041
+[S +0.035071] [R +0.035075] outl 0xcf8 0x8000e804
+[S +0.035081] [R +0.035084] inw 0xcfc
+[S +0.035089] [R +0.035094] outl 0xcf8 0x8000e804
+[S +0.035100] [R +0.035103] outw 0xcfc 0x7
+[S +0.035525] [R +0.035532] outl 0xcf8 0x8000e804
+[S +0.035538] [R +0.035542] inw 0xcfc
+[S +0.035548] [R +0.035553] outl 0xcf8 0x8000fa00
+[S +0.035558] [R +0.035562] inw 0xcfc
+[S +0.035567] [R +0.035572] outl 0xcf8 0x8000fa20
+[S +0.035578] [R +0.035581] outl 0xcfc 0xffffffff
+[S +0.035589] [R +0.035594] outl 0xcf8 0x8000fa20
+[S +0.035600] [R +0.035604] inl 0xcfc
+[S +0.035609] [R +0.035613] outl 0xcf8 0x8000fa20
+[S +0.035618] [R +0.035623] outl 0xcfc 0xc061
+[S +0.035629] [R +0.035633] outl 0xcf8 0x8000fa24
+[S +0.035638] [R +0.035642] outl 0xcfc 0xffffffff
+[S +0.035648] [R +0.035652] outl 0xcf8 0x8000fa24
+[S +0.035658] [R +0.035664] inl 0xcfc
+[S +0.035669] [R +0.035673] outl 0xcf8 0x8000fa24
+[S +0.035679] [R +0.035683] outl 0xcfc 0xe0001000
+[S +0.035689] [R +0.035696] outl 0xcf8 0x8000fa04
+[S +0.035702] [R +0.035706] inw 0xcfc
+[S +0.035711] [R +0.035716] outl 0xcf8 0x8000fa04
+[S +0.035722] [R +0.035725] outw 0xcfc 0x7
+[S +0.036402] [R +0.036412] outl 0xcf8 0x8000fa04
+[S +0.036418] [R +0.036422] inw 0xcfc
+[S +0.036434] [R +0.036442] outl 0xcf8 0x8000ea20
+[S +0.036448] [R +0.036463] outl 0xcfc 0x625f69a0
+[S +0.036906] [I +0.036981] CLOSED
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x46
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] inb 0xc000
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x46
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x0 0x4 0x64657669
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000000 0x8 0x000000ff6c6f6766
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000008 0x8 0x8d6c65652d736400
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outl 0xcf8 0x8000ef76
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outw 0xcfc 0x6563
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x46
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] inb 0xc000
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x4 0x4 0x64657669
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000000 0x8 0x000000ff6c6f6766
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000008 0x8 0x8d6c65652d736400
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outw 0xc003 0x6769
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] readq 0xe0000074
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x46
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x8 0x4 0x00000100
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000000 0x8 0x6465766963656d69
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000008 0x8 0x740d00699b652d63
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xc 0x4 0x000000ff
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000000 0x8 0x0000010000000069
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000008 0x8 0x636c395f61707269
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outw 0xc003 0x6f00
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outl 0xc053 0x6378616d
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x10 0x4 0x000000ff
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000000 0x8 0x6465766963656d69
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000008 0x8 0x740d00699b652d63
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc051 0x6d
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc04f 0x61
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outb 0xc040 0x69
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x14 0x4 0x000000ff
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000000 0x8 0x0000010000000069
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0xff000008 0x8 0x636c395f61707269
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
+qemu-fuzz-x86_64: ../hw/usb/core.c:744: struct USBEndpoint *usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
+==892641== ERROR: libFuzzer: deadly signal
+    #0 0x557dd985fc41 in __sanitizer_print_stack_trace (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x20b2c41) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #1 0x557dd97cfa58 in fuzzer::PrintStackTrace() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2022a58) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #2 0x557dd97b5ae3 in fuzzer::Fuzzer::CrashCallback() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2008ae3) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #3 0x7fd7e623c45f  (/lib/x86_64-linux-gnu/libc.so.6+0x3c45f) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
+    #4 0x7fd7e629152a in __pthread_kill_implementation nptl/pthread_kill.c:43:17
+    #5 0x7fd7e629152a in __pthread_kill_internal nptl/pthread_kill.c:78:10
+    #6 0x7fd7e629152a in pthread_kill nptl/pthread_kill.c:89:10
+    #7 0x7fd7e623c3b5 in raise signal/../sysdeps/posix/raise.c:26:13
+    #8 0x7fd7e622287b in abort stdlib/abort.c:79:7
+    #9 0x7fd7e622279a in __assert_fail_base assert/assert.c:92:3
+    #10 0x7fd7e6233b65 in __assert_fail assert/assert.c:101:3
+    #11 0x557dda3b67c6 in usb_ep_get /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/core.c:744:5
+    #12 0x557dda3d8820 in uhci_handle_td /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:819:14
+    #13 0x557dda3d41ed in uhci_process_frame /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1022:15
+    #14 0x557dda3cbf7e in uhci_frame_timer /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1121:9
+    #15 0x557ddb90c0ff in timerlist_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:576:9
+    #16 0x557ddb90d3e8 in qemu_clock_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:590:12
+    #17 0x557ddb90d3e8 in qemu_clock_advance_virtual_time /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:696:9
+    #18 0x557dda67fa2f in qtest_process_command /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:722:9
+    #19 0x557dda67b3bb in qtest_process_inbuf /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:776:9
+    #20 0x557dda67acf6 in qtest_server_inproc_recv /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:907:9
+    #21 0x557ddb5fa3e2 in qtest_sendf /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:640:5
+    #22 0x557ddb5fa4f4 in qtest_clock_step_next /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:1009:5
+    #23 0x557ddb67c2ef in generic_fuzz /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/generic_fuzz.c:667:13
+    #24 0x557ddb66e807 in LLVMFuzzerTestOneInput /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/fuzz.c:158:5
+    #25 0x557dd97b6f52 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2009f52) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #26 0x557dd97a1080 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff4080) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #27 0x557dd97a6d07 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff9d07) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #28 0x557dd97d0292 in main (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2023292) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+    #29 0x7fd7e6223a8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
+    #30 0x7fd7e6223b48 in __libc_start_main csu/../csu/libc-start.c:360:3
+    #31 0x557dd979b884 in _start (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1fee884) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
+```