blob: 8fc869389f92d4ce8d3ecd3c63ec2b1411d79f59 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
x86: 0.965
graphic: 0.884
user-level: 0.802
device: 0.734
performance: 0.730
ppc: 0.658
kernel: 0.638
semantic: 0.620
debug: 0.591
hypervisor: 0.582
PID: 0.558
architecture: 0.558
peripherals: 0.540
boot: 0.534
vnc: 0.528
mistranslation: 0.467
network: 0.464
arm: 0.437
socket: 0.436
TCG: 0.360
files: 0.349
VMM: 0.346
risc-v: 0.344
permissions: 0.341
register: 0.335
virtual: 0.313
KVM: 0.296
i386: 0.271
assembly: 0.250
--------------------
x86: 0.984
hypervisor: 0.640
kernel: 0.610
virtual: 0.560
debug: 0.542
performance: 0.124
assembly: 0.119
files: 0.061
PID: 0.049
register: 0.045
TCG: 0.041
KVM: 0.038
semantic: 0.027
device: 0.027
user-level: 0.011
VMM: 0.011
architecture: 0.010
network: 0.007
socket: 0.006
boot: 0.004
ppc: 0.003
graphic: 0.002
risc-v: 0.002
peripherals: 0.002
permissions: 0.002
vnc: 0.001
mistranslation: 0.001
i386: 0.000
arm: 0.000
Assertion failuer in cryptodev_builtin_close_session()
Description of problem:
In the function _cryptodev_builtin_close_session(),_ an assertation happened:
```
qemu-fuzz-x86_64: qemu/backends/cryptodev-builtin.c:430: int cryptodev_builtin_close_session(CryptoDevBackend *, uint64_t, uint32_t, CryptoDevCompletionFunc, void *): Assertion `session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]' failed.
==1256139== ERROR: libFuzzer: deadly signal
#9 0x71acb8c2871a in __assert_fail_base assert/./assert/assert.c:92:3
#10 0x71acb8c39e95 in __assert_fail assert/./assert/assert.c:101:3
#11 0x5af7f624b12b in cryptodev_builtin_close_session qemu/backends/cryptodev-builtin.c:430:5
#12 0x5af7f60b2860 in virtio_crypto_handle_close_session qemu/hw/virtio/virtio-crypto.c:262:12
#13 0x5af7f60b2860 in virtio_crypto_handle_ctrl qemu/hw/virtio/virtio-crypto.c:423:19
```
The user could send an invalid session_id to trigger this assertion.
Steps to reproduce:
Here's a simple PoC:
```
cat << EOF | qemu-system-x86_64 -display none\
-machine accel=qtest -m 512M -machine q35 -nodefaults -object \
cryptodev-backend-builtin,id=cryptodev0 -device \
virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 -qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000820
outl 0xcfc 0xe0008000
write 0x10800e 0x1 0x01
write 0xe0008016 0x1 0x01
write 0xe0008020 0x4 0x00801000
write 0xe0008028 0x4 0x00c01000
write 0xe000801c 0x1 0x01
write 0x110000 0x1 0x05
write 0x110001 0x1 0x04
write 0x108002 0x1 0x11
write 0x108008 0x1 0x48
write 0x10800c 0x1 0x01
write 0x108018 0x1 0x10
write 0x10801c 0x1 0x02
write 0x10c002 0x1 0x01
write 0xe000b005 0x1 0x00
EOF
```
|