summary refs log tree commit diff stats
path: root/results/classifier/108/other/1890333
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/108/other/1890333')
-rw-r--r--results/classifier/108/other/1890333170
1 files changed, 170 insertions, 0 deletions
diff --git a/results/classifier/108/other/1890333 b/results/classifier/108/other/1890333
new file mode 100644
index 000000000..1ea344057
--- /dev/null
+++ b/results/classifier/108/other/1890333
@@ -0,0 +1,170 @@
+other: 0.888
+permissions: 0.876
+debug: 0.872
+performance: 0.868
+PID: 0.864
+graphic: 0.861
+device: 0.860
+semantic: 0.858
+network: 0.856
+boot: 0.846
+socket: 0.843
+files: 0.840
+KVM: 0.838
+vnc: 0.832
+
+[OSS-Fuzz]  Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr
+
+Hello,
+Reproducer:
+cat << EOF | ./i386-softmmu/qemu-system-i386 \
+-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+-device virtio-blk,drive=mydrive \
+-nodefaults -qtest stdio -nographic
+outl 0xcf8 0x80001001
+outl 0xcfc 0x6574c1ff
+outl 0xcf8 0x8000100e
+outl 0xcfc 0xefe5e1e
+outl 0xe86 0x3aff9090
+outl 0xe84 0x3aff9090
+outl 0xe8e 0xe
+EOF
+
+qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
+Aborted
+
+I can trigger similar assertions with other VIRTIO devices, as-well.
+I reported this at some point in Message-ID: <email address hidden> but never created a Launchpad issue...
+-Alex
+
+OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26797
+
+=== Reproducer (build with --enable-sanitizers) ===
+cat << EOF | ./qemu-system-i386 -display none \
+-machine accel=qtest, -m 512M -machine q35 \
+-device virtio-blk,drive=disk0 \
+-drive file=null-co://,id=disk0,if=none,format=raw \
+-qtest stdio
+outl 0xcf8 0x80001889
+outl 0xcfc 0x1000ffff
+outl 0xcf8 0x80001897
+outl 0xcf8 0x80001890
+outl 0xcfc 0x4
+outl 0xcf8 0x800018ff
+outl 0xcf8 0x80001897
+inb 0xcfc
+outl 0xcf8 0x8000188a
+outl 0xcfc 0xd4624
+outl 0xcf8 0x80001897
+outl 0xcf8 0x80001806
+outl 0xcf8 0x80001897
+outl 0xcfc 0xff6ca0ba
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x14
+outl 0xcf8 0x80001897
+outl 0xcf8 0x8000185a
+outl 0xcf8 0x80001897
+outl 0xcfc 0x5f6c6346
+inb 0xcfc
+outl 0xcf8 0x80001802
+outl 0xcfc 0x65a6055
+outl 0xcf8 0x80001897
+inb 0xcfc
+outl 0xcf8 0x80001889
+outl 0xcfc 0x1869ffff
+outl 0xcf8 0x80001812
+outl 0xcf8 0x80001897
+outl 0xcfc 0x5f6c6346
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x24
+outl 0xcf8 0x80001890
+outl 0xcf8 0x80001897
+outl 0xcfc 0x1
+outl 0xcf8 0x80001892
+outl 0xcfc 0x1ff04
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x1c
+outl 0xcf8 0x80001890
+outl 0xcfc 0x1
+outl 0xcf8 0x80001897
+outl 0xcfc 0xfd467562
+outl 0xcf8 0x8000188a
+outl 0xcfc 0x245a5546
+outl 0xcf8 0x80001890
+outl 0xcf8 0x80001897
+inb 0xcfc
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x14
+outl 0xcf8 0x80001897
+outl 0xcf8 0x80001806
+outl 0xcf8 0x80001889
+outl 0xcfc 0x1869ffff
+outl 0xcf8 0x80001812
+outl 0xcf8 0x80001897
+outl 0xcfc 0x6c6346
+outl 0xcf8 0x8000188c
+outw 0xcfc 0x14
+outl 0xcf8 0x80001890
+outl 0xcf8 0x80001897
+outl 0xcfc 0x1ff04
+EOF
+
+=== Stack Trace ===
+
+qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
+==46== ERROR: libFuzzer: deadly signal
+#0 0x55deb7b59e61 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
+#1 0x55deb7aa1158 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
+#2 0x55deb7a87053 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
+#3 0x7fccd310638f in libpthread.so.0
+#4 0x7fccd273e437 in gsignal
+#5 0x7fccd2740039 in abort
+#6 0x7fccd2736be6 in libc.so.6
+#7 0x7fccd2736c91 in __assert_fail
+#8 0x55deb8416ba3 in address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
+#9 0x55deb8416a40 in stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
+#10 0x55deb8416a13 in virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
+#11 0x55deb8416899 in vring_set_avail_event /src/qemu/hw/virtio/virtio.c:428:5
+#12 0x55deb8406ba8 in virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:437:9
+#13 0x55deb84067a2 in virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:498:9
+#14 0x55deb84755d3 in virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
+#15 0x55deb84916ce in virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
+#16 0x55deb841afaf in virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2325:15
+#17 0x55deb8415adb in virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3529:9
+#18 0x55deb892af84 in aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
+#19 0x55deb8929b8a in aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
+#20 0x55deb8929ac0 in aio_dispatch /src/qemu/util/aio-posix.c:382:5
+#21 0x55deb893ae2c in aio_ctx_dispatch /src/qemu/util/async.c:306:5
+#22 0x7fccd3868196 in g_main_context_dispatch
+#23 0x55deb8947fed in glib_pollfds_poll /src/qemu/util/main-loop.c:221:9
+#24 0x55deb8947264 in os_host_main_loop_wait /src/qemu/util/main-loop.c:244:5
+#25 0x55deb8946f25 in main_loop_wait /src/qemu/util/main-loop.c:520:11
+#26 0x55deb7b8806a in flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:48:9
+#27 0x55deb7b85a32 in generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
+#28 0x55deb7b88450 in LLVMFuzzerTestOneInput /src/qemu/tests/qtest/fuzz/fuzz.c:150:5
+#29 0x55deb7a887c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
+#30 0x55deb7a73892 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
+#31 0x55deb7a7994e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
+#32 0x55deb7aa1932 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+#33 0x7fccd272983f in __libc_start_main
+#34 0x55deb7a4eb38 in _start
+
+Fix in commit 2d69eba5fe52045b2c8b0d04fd3806414352afc1
+
+Hi,
+
+It seems while the minimized producer doesn't fail the assertion now, the original reproducer provided by OSS-Fuzz[1] can still crash the latest QEMU (1758428, Dec 12, built with --enable-sanitizers --enable-fuzzing). Could anyone check if they trigger different bugs?
+
+Tested on:
+  Ubuntu: 20.04.1 5.4.0-58-generic x86_64
+  clang: 10.0.0-4ubuntu1
+  glibc: 2.31-0ubuntu9.1
+  libglib2.0-dev: 2.64.3-1~ubuntu20.04.1
+
+[1] https://bugs.launchpad.net/qemu/+bug/1890333/comments/1
+
+
+There is a new bug that fails the same assertion, and maybe its minimized producer will help:
+  https://bugs.launchpad.net/qemu/+bug/1908062
+
+