Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
=== Stacktrace ===
qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
==602353== ERROR: libFuzzer: deadly signal
#5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
#7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
#8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
#9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
#10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
#11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
#12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
#13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
#14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
#15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
=== Reproducer ===
# Boot a q35 guest with a vmxnet3 NIC under the qtest accelerator and feed it
# the qtest commands below on stdin: PCI config-space accesses through ports
# 0xcf8/0xcfc, then guest-memory writes ending with a one-byte write at
# 0xe0000630 -- the sequence that trips the assertion in vmxnet3_io_bar0_write.
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000814
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outl 0xcf8 0x80000815
outl 0xcfc 0xffff00b5
write 0x0 0x1 0xe1
write 0x1 0x1 0xfe
write 0x2 0x1 0xbe
write 0x3 0x1 0xba
write 0xff00b020 0x4 0x0000feca
write 0xe0000630 0x1 0x00
EOF
=== Testcase ===
/*
* Autogenerated Fuzzer Test Case
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
 * Replay the fuzzer-found input against a vmxnet3 device.
 *
 * Sequence: PCI configuration cycles through ports 0xcf8 (address select)
 * and 0xcfc (data), four single-byte writes at the start of guest memory,
 * one 4-byte write, and a final byte written at 0xe0000630 -- presumably
 * inside the region just programmed into a BAR (config offset 0x10 was set
 * to 0xe0000000; confirm against the device's register layout).
 *
 * NOTE(review): the qtest_init argument carries a stray "," after
 * "-display none"; it looks like residue of "-machine accel=qtest," from
 * the reproducer command line -- confirm the generated test starts QEMU.
 */
static void test_fuzz(void) {
    QTestState *qts = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");

    /* PCI config space: select with 0xcf8, then read/write through 0xcfc. */
    qtest_outl(qts, 0xcf8, 0x80000810);
    qtest_outl(qts, 0xcfc, 0xe0000000);
    qtest_outl(qts, 0xcf8, 0x80000814);
    qtest_outl(qts, 0xcf8, 0x80000804);
    qtest_outw(qts, 0xcfc, 0x7);
    qtest_outl(qts, 0xcf8, 0x80000815);
    qtest_outl(qts, 0xcfc, 0xffff00b5);

    /* Four consecutive single-byte guest-memory writes at addresses 0..3. */
    static const char head[] = "\xe1\xfe\xbe\xba";
    for (size_t off = 0; off < 4; off++) {
        qtest_bufwrite(qts, off, &head[off], 1);
    }

    qtest_bufwrite(qts, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
    /* The write that reaches vmxnet3_io_bar0_write. */
    qtest_bufwrite(qts, 0xe0000630, "\x00", 0x1);
    qtest_quit(qts);
}
/*
 * Test entry point: register test_fuzz only when the qtest target
 * architecture is i386, then hand control to the GLib test runner.
 *
 * Returns the GLib test runner's exit status.
 */
int main(int argc, char **argv) {
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    /* The reproducer is i386-specific (PCI I/O ports, q35 machine). */
    int is_i386 = (strcmp(arch, "i386") == 0);
    if (is_i386) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}
=== OSS-Fuzz Report ===
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
https://oss-fuzz.com/testcase?key=6071483232288768
Cc'ing maintainers.
./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
Dmitry Fleytman <email address hidden> (maintainer:Vmware)
Jason Wang <email address hidden> (odd fixer:Network devices)
On 4/26/21 5:19 AM, Alexander Bulekov wrote:
> Public bug reported:
>
> === Stacktrace ===
>
> qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
> ==602353== ERROR: libFuzzer: deadly signal
> #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
> #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
> #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
> #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
> #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
> #10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
> #11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
> #12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
> #13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
> #14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
> #15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
>
> === Reproducer ===
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
> user,id=net0 -qtest stdio
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x80000815
> outl 0xcfc 0xffff00b5
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0xff00b020 0x4 0x0000feca
> write 0xe0000630 0x1 0x00
> EOF
>
>
> === Testcase ===
>
> /*
> * Autogenerated Fuzzer Test Case
> *
> * This work is licensed under the terms of the GNU GPL, version 2 or later.
> * See the COPYING file in the top-level directory.
> */
>
> #include "qemu/osdep.h"
>
> #include "libqos/libqtest.h"
>
> static void test_fuzz(void) {
> QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
> "-device vmxnet3,netdev=net0 -netdev user,id=net0");
> qtest_outl(s, 0xcf8, 0x80000810);
> qtest_outl(s, 0xcfc, 0xe0000000);
> qtest_outl(s, 0xcf8, 0x80000814);
> qtest_outl(s, 0xcf8, 0x80000804);
> qtest_outw(s, 0xcfc, 0x7);
> qtest_outl(s, 0xcf8, 0x80000815);
> qtest_outl(s, 0xcfc, 0xffff00b5);
> qtest_bufwrite(s, 0x0, "\xe1", 0x1);
> qtest_bufwrite(s, 0x1, "\xfe", 0x1);
> qtest_bufwrite(s, 0x2, "\xbe", 0x1);
> qtest_bufwrite(s, 0x3, "\xba", 0x1);
> qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
> qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
> qtest_quit(s);
> }
> int main(int argc, char **argv) {
> const char *arch = qtest_get_arch();
>
> g_test_init(&argc, &argv, NULL);
>
> if (strcmp(arch, "i386") == 0) {
> qtest_add_func("fuzz/test_fuzz", test_fuzz);
> }
>
> return g_test_run();
> }
>
>
> === OSS-Fuzz Report ===
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
> https://oss-fuzz.com/testcase?key=6071483232288768
>
> ** Affects: qemu
> Importance: Undecided
> Status: New
>
>
> ** Tags: fuzzer
>
> ** Tags removed: fuzz
> ** Tags added: fuzzer
>
I can reproduce this issue with the latest version of QEMU; marking as "Confirmed".
Suggested fix: https://<email address hidden>/
Fix has been included here:
https://gitlab.com/qemu-project/qemu/-/commit/6a932c4ed8748b08c58c