path: root/results/classifier/zero-shot/118/x86/1926
blob: d63d81b59e9fc1091d4d7a334e2569b82d5c547f
x86: 0.899
graphic: 0.865
ppc: 0.832
device: 0.826
performance: 0.722
network: 0.618
vnc: 0.608
i386: 0.572
socket: 0.564
semantic: 0.479
files: 0.475
PID: 0.470
VMM: 0.468
arm: 0.443
register: 0.437
debug: 0.419
risc-v: 0.416
permissions: 0.345
TCG: 0.334
boot: 0.333
peripherals: 0.327
virtual: 0.316
architecture: 0.299
hypervisor: 0.265
mistranslation: 0.245
user-level: 0.232
kernel: 0.186
KVM: 0.166
assembly: 0.139

Spice: handle_dev_destroy_surface_wait: condition `msg->surface_id == 0' failed (DoS via assert failure)
Description of problem:
An assert failure in libspice-server was found while fuzzing the qxl-vga device.

```plaintext
qemu-system-x86_64: Spice: ../server/red-worker.cpp:367:handle_dev_destroy_surface_wait: condition `msg->surface_id == 0' failed
Aborted
```
Steps to reproduce:
1. This bug can be reproduced with

   ```plaintext
   cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -M \
   pc -nodefaults -vga qxl -qtest stdio
   outl 0xcf8 0x8000101c
   outl 0xcfc 0xc000
   outl 0xcf8 0x80001004
   outw 0xcfc 0x01
   outl 0xc00b 0x01000000
   EOF
   ```
2. This bug is in a different place than https://gitlab.com/qemu-project/qemu/-/issues/1829; please pay attention to it. It has to be solved, because it interferes with the further fuzzing process.
Additional information:
As I mentioned, I really need this bug to be solved, because fuzzing of the qxl-vga device gets less efficient. I suggested reporting it here, not in spice-server, because this bug can be on the QEMU side.
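To make the reproducer above readable, here is an added decoder (not code from the report, from QEMU or from spice-server) that turns the qtest lines into the PCI configuration and I/O-port operations they perform. It assumes three things, each marked in the code: the QXL device sits at bus 0, device 2, function 0 and keeps its I/O ports in BAR 3; that I/O region only accepts 1-byte accesses, so QEMU's memory core splits the 4-byte `outl` into four little-endian byte writes at consecutive offsets; and the offset-to-command names follow the enum order in spice-protocol's `qxl_dev.h` (first sixteen entries only). Under those assumptions the last byte of `outl 0xc00b 0x01000000` lands on offset 0xe with value 1, which is consistent with the `surface_id == 0` condition failing, but verify all three against your checkout.

```python
"""Decode a qtest reproducer into PCI config-space and I/O-port operations."""

# Constructed input: the qtest lines from the report above.
QTEST_SCRIPT = """\
outl 0xcf8 0x8000101c
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x01
outl 0xc00b 0x01000000
"""

PCI_CONFIG_ADDR = 0xCF8      # legacy configuration address port
PCI_CONFIG_DATA = 0xCFC      # legacy configuration data port
PCI_COMMAND = 0x04           # command register offset in config space
PCI_COMMAND_IO = 0x1         # I/O Space Enable bit
PCI_BAR0, PCI_BAR5 = 0x10, 0x24
QXL_IO_BAR = 3               # assumption: QXL I/O ports live in BAR 3
QXL_IO_BAR_SIZE = 0x20       # assumption: size of that I/O region
OUT_SIZES = {"outb": 1, "outw": 2, "outl": 4}

# Assumption: first 16 QXL I/O port numbers, in spice-protocol qxl_dev.h order.
QXL_IO_NAMES = [
    "QXL_IO_NOTIFY_CMD", "QXL_IO_NOTIFY_CURSOR", "QXL_IO_UPDATE_AREA",
    "QXL_IO_UPDATE_IRQ", "QXL_IO_NOTIFY_OOM", "QXL_IO_RESET",
    "QXL_IO_SET_MODE", "QXL_IO_LOG", "QXL_IO_MEMSLOT_ADD",
    "QXL_IO_MEMSLOT_DEL", "QXL_IO_DETACH_PRIMARY", "QXL_IO_ATTACH_PRIMARY",
    "QXL_IO_CREATE_PRIMARY", "QXL_IO_DESTROY_PRIMARY",
    "QXL_IO_DESTROY_SURFACE_WAIT", "QXL_IO_DESTROY_ALL_SURFACES",
]


def decode_config_address(addr):
    """Split a value written to 0xCF8 into enable/bus/device/function/register."""
    return {
        "enable": bool(addr >> 31),
        "bus": (addr >> 16) & 0xFF,
        "dev": (addr >> 11) & 0x1F,
        "func": (addr >> 8) & 0x7,
        "reg": addr & 0xFC,
    }


def decode_qtest(script):
    """Return a list of dicts describing what each qtest out{b,w,l} line does."""
    events = []
    cfg = None            # last decoded 0xCF8 value
    bars = {}             # BAR index -> base address programmed by the script
    io_enabled = False    # state of the I/O Space Enable bit

    for line in script.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in OUT_SIZES:
            continue      # only out{b,w,l} lines are modelled
        size = OUT_SIZES[parts[0]]
        port, value = int(parts[1], 0), int(parts[2], 0)

        if port == PCI_CONFIG_ADDR:
            cfg = decode_config_address(value)
            continue

        if port == PCI_CONFIG_DATA and cfg and cfg["enable"]:
            bdf = "%02x:%02x.%x" % (cfg["bus"], cfg["dev"], cfg["func"])
            reg = cfg["reg"]
            if PCI_BAR0 <= reg <= PCI_BAR5:
                bar = (reg - PCI_BAR0) // 4
                bars[bar] = value & ~0x3          # low two bits of an I/O BAR are flags
                events.append({"op": "bar_write", "bdf": bdf, "bar": bar, "base": bars[bar]})
            elif reg == PCI_COMMAND:
                io_enabled = bool(value & PCI_COMMAND_IO)
                events.append({"op": "command_write", "bdf": bdf,
                               "value": value, "io_enabled": io_enabled})
            continue

        # Anything else is a write into the device's I/O region.
        base = bars.get(QXL_IO_BAR)
        if base is None or not io_enabled or not (base <= port < base + QXL_IO_BAR_SIZE):
            events.append({"op": "io_write", "port": port, "value": value, "name": "unmapped"})
            continue
        # Assumption: the region accepts 1-byte accesses only, so a wider access
        # becomes consecutive byte writes, least significant byte first.
        for i in range(size):
            offset = port + i - base
            byte = (value >> (8 * i)) & 0xFF
            name = QXL_IO_NAMES[offset] if offset < len(QXL_IO_NAMES) else "out of range"
            events.append({"op": "io_write", "port": port + i, "offset": offset,
                           "value": byte, "name": name})
    return events


if __name__ == "__main__":
    for ev in decode_qtest(QTEST_SCRIPT):
        print(ev)
```

The decoder keeps the configuration-address state across lines, which is what makes the two `0xcf8`/`0xcfc` pairs readable as "program BAR 3 to 0xc000" and "set the I/O Space Enable bit"; only then does the final `outl` reach the device at all.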