diff options
Diffstat (limited to 'results/classifier/zero-shot/105/KVM/2548')
| -rw-r--r-- | results/classifier/zero-shot/105/KVM/2548 | 419 |
1 files changed, 419 insertions, 0 deletions
diff --git a/results/classifier/zero-shot/105/KVM/2548 b/results/classifier/zero-shot/105/KVM/2548 new file mode 100644 index 000000000..cec4482b8 --- /dev/null +++ b/results/classifier/zero-shot/105/KVM/2548 @@ -0,0 +1,419 @@ +mistranslation: 0.962 +KVM: 0.943 +graphic: 0.938 +other: 0.933 +vnc: 0.927 +semantic: 0.924 +assembly: 0.918 +network: 0.916 +device: 0.914 +instruction: 0.914 +socket: 0.912 +boot: 0.904 + +Assert failure in `usb_ep_get` : Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT` failed. +Description of problem: +Assert failure in `usb_ep_get` : Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT` failed. + +The TD PID needs to be either `USB_TOKEN_IN` or `USB_TOKEN_OUT` in `usb_ep_get`, but in the caller `uhci_handle_td` it may be `USB_TOKEN_SETUP`. + +An unprivileged guest user may be able to reach the assertion, I think this bug is quite akin to CVE-2024-3567 (https://gitlab.com/qemu-project/qemu/-/issues/2273) : + +Users are not directly able to craft URBs, however as a user, one might be able to find a kernel path that would send a TD with PID `USB_TOKEN_SETUP` to QEMU (which is called `USB_PID_SETUP` in Linux). +For instance in the Linux Kernel, `uhci_submit_control` in `drivers/usb/host/uhci-q.c:789` does link a `USB_PID_SETUP` TD to the URB. +Steps to reproduce: +Minimized reproducer: + +``` +cat << EOF | ./qemu/build2/qemu-system-x86_64 -machine q35 -nodefaults \ +-device \ +ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \ +-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=i\ +ch9-ehci-1.0,firstport=0 -device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,mul\ +tifunction=on,masterbus=ich9-ehci-1.0,firstport=2 -device ich9-usb-uhci3\ +,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport\ +=4 -drive if=none,id=usbcdrom,media=cdrom -device \ +usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 -device \ +usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom -qtest stdio +outl 0xcf8 0x8000e900 +inw 0xcfc +outl 0xcf8 0x8000e920 +outl 0xcfc 0xffffffff +outl 0xcf8 0x8000e920 +inl 0xcfc +outl 0xcf8 0x8000e920 +outl 0xcfc 0xc001 +outl 0xcf8 0x8000e904 +inw 0xcfc +outl 0xcf8 0x8000e904 +outw 0xcfc 0x7 +outl 0xcf8 0x8000e904 +inw 0xcfc +outl 0xcf8 0x8000ef00 +inw 0xcfc +outl 0xcf8 0x8000ef10 +outl 0xcfc 0xffffffff +outl 0xcf8 0x8000ef10 +inl 0xcfc +outl 0xcf8 0x8000ef10 +outl 0xcfc 0xe0000000 +outl 0xcf8 0x8000ef04 +inw 0xcfc +outl 0xcf8 0x8000ef04 +outw 0xcfc 0x7 +outl 0xcf8 0x8000ef04 +inw 0xcfc +outl 0xcf8 0x8000ea00 +inw 0xcfc +outl 0xcf8 0x8000ea20 +outl 0xcfc 0xffffffff +outl 0xcf8 0x8000ea20 +inl 0xcfc +outl 0xcf8 0x8000ea20 +outl 0xcfc 0xc021 +outl 0xcf8 0x8000ea04 +inw 0xcfc +outl 0xcf8 0x8000ea04 +outw 0xcfc 0x7 +outl 0xcf8 0x8000ea04 +inw 0xcfc +outl 0xcf8 0x8000e800 +inw 0xcfc +outl 0xcf8 0x8000e820 +outl 0xcfc 0xffffffff +outl 0xcf8 0x8000e820 +inl 0xcfc +outl 0xcf8 0x8000e820 +outl 0xcfc 0xc041 +outl 0xcf8 0x8000e804 +inw 0xcfc +outl 0xcf8 0x8000e804 +outw 0xcfc 0x7 +outl 0xcf8 0x8000e804 +inw 0xcfc +outl 0xcf8 0x8000fa00 +inw 0xcfc +outl 0xcf8 0x8000fa20 +outl 0xcfc 0xffffffff +outl 0xcf8 0x8000fa20 +inl 0xcfc +outl 0xcf8 0x8000fa20 +outl 0xcfc 0xc061 +outl 0xcf8 0x8000fa24 +outl 0xcfc 0xffffffff +outl 0xcf8 0x8000fa24 +inl 0xcfc +outl 0xcf8 0x8000fa24 +outl 0xcfc 0xe0001000 +outl 0xcf8 0x8000fa04 +inw 0xcfc +outl 0xcf8 0x8000fa04 +outw 0xcfc 0x7 +outl 0xcf8 0x8000fa04 +inw 0xcfc +outl 0xcf8 0x8000ea20 +outl 0xcfc 0x625f69a0 +outb 0xc040 0x46 +outb 0xc040 0x69 +inb 0xc000 +outb 0xc040 0x46 +clock_step +outb 0xc040 0x69 +clock_step +write 0x0 0x4 0x64657669 +write 0x69766560 0x8 0x000000ff6c46f228 +write 0x69766568 0x8 0x2d323334319c6c65 +write 0xff000000 0x8 0x000000ff6c6f6766 +write 0xff000008 0x8 0x8d6c65652d736400 +outb 0xc040 0x69 +outl 0xcf8 0x8000ef76 +outw 0xcfc 0x6563 +outb 0xc040 0x46 +clock_step +outb 0xc040 0x69 +inb 0xc000 +clock_step +write 0x4 0x4 0x64657669 +write 0x69766560 0x8 0x000000ff6c46f228 +write 0x69766568 0x8 0x2d323334319c6c65 +write 0xff000000 0x8 0x000000ff6c6f6766 +write 0xff000008 0x8 0x8d6c65652d736400 +outb 0xc040 0x69 +outw 0xc003 0x6769 +outb 0xc040 0x69 +readq 0xe0000074 +outb 0xc040 0x46 +clock_step +outb 0xc040 0x69 +clock_step +write 0x8 0x4 0x00000100 +write 0x10000 0x10 0x000000ff6c46f2282d00363939333336 +write 0xff000000 0x8 0x6465766963656d69 +write 0xff000008 0x8 0x740d00699b652d63 +write 0x69766560 0x8 0x000000ff6c46f228 +write 0x69766568 0x8 0x2d323334319c6c65 +clock_step +write 0xc 0x4 0x000000ff +write 0xff000000 0x8 0x0000010000000069 +write 0xff000008 0x8 0x636c395f61707269 +write 0x10000 0x10 0x000000ff6c46f2282d00363939333336 +outw 0xc003 0x6f00 +outb 0xc040 0x69 +outl 0xc053 0x6378616d +clock_step +write 0x10 0x4 0x000000ff +write 0xff000000 0x8 0x6465766963656d69 +write 0xff000008 0x8 0x740d00699b652d63 +write 0x69766560 0x8 0x000000ff6c46f228 +write 0x69766568 0x8 0x2d323334319c6c65 +outb 0xc051 0x6d +outb 0xc04f 0x61 +outb 0xc040 0x69 +clock_step +write 0x14 0x4 0x000000ff +write 0xff000000 0x8 0x0000010000000069 +write 0xff000008 0x8 0x636c395f61707269 +write 0x10000 0x10 0x000000ff6c46f2282d00363939333336 +EOF +``` + +# Additional information +The crash report triggered by the reproducer is: + +``` +[R +0.033173] outl 0xcf8 0x8000e900 +[S +0.033189] [R +0.033195] inw 0xcfc +[S +0.033205] [R +0.033212] outl 0xcf8 0x8000e920 +[S +0.033218] [R +0.033222] outl 0xcfc 0xffffffff +[S +0.033231] [R +0.033235] outl 0xcf8 0x8000e920 +[S +0.033241] [R +0.033245] inl 0xcfc +[S +0.033250] [R +0.033255] outl 0xcf8 0x8000e920 +[S +0.033261] [R +0.033265] outl 0xcfc 0xc001 +[S +0.033271] [R +0.033275] outl 0xcf8 0x8000e904 +[S +0.033281] [R +0.033285] inw 0xcfc +[S +0.033290] [R +0.033295] outl 0xcf8 0x8000e904 +[S +0.033300] [R +0.033306] outw 0xcfc 0x7 +[S +0.033755] [R +0.033767] outl 0xcf8 0x8000e904 +[S +0.033774] [R +0.033779] inw 0xcfc +[S +0.033785] [R +0.033792] outl 0xcf8 0x8000ef00 +[S +0.033798] [R +0.033802] inw 0xcfc +[S +0.033808] [R +0.033813] outl 0xcf8 0x8000ef10 +[S +0.033818] [R +0.033840] outl 0xcfc 0xffffffff +[S +0.033848] [R +0.033853] outl 0xcf8 0x8000ef10 +[S +0.033859] [R +0.033864] inl 0xcfc +[S +0.033870] [R +0.033875] outl 0xcf8 0x8000ef10 +[S +0.033880] [R +0.033884] outl 0xcfc 0xe0000000 +[S +0.033891] [R +0.033895] outl 0xcf8 0x8000ef04 +[S +0.033901] [R +0.033904] inw 0xcfc +[S +0.033909] [R +0.033916] outl 0xcf8 0x8000ef04 +[S +0.033922] [R +0.033926] outw 0xcfc 0x7 +[S +0.034381] [R +0.034389] outl 0xcf8 0x8000ef04 +[S +0.034395] [R +0.034399] inw 0xcfc +[S +0.034405] [R +0.034412] outl 0xcf8 0x8000ea00 +[S +0.034417] [R +0.034421] inw 0xcfc +[S +0.034427] [R +0.034431] outl 0xcf8 0x8000ea20 +[S +0.034437] [R +0.034441] outl 0xcfc 0xffffffff +[S +0.034448] [R +0.034452] outl 0xcf8 0x8000ea20 +[S +0.034457] [R +0.034463] inl 0xcfc +[S +0.034469] [R +0.034474] outl 0xcf8 0x8000ea20 +[S +0.034480] [R +0.034484] outl 0xcfc 0xc021 +[S +0.034490] [R +0.034494] outl 0xcf8 0x8000ea04 +[S +0.034500] [R +0.034504] inw 0xcfc +[S +0.034509] [R +0.034515] outl 0xcf8 0x8000ea04 +[S +0.034521] [R +0.034525] outw 0xcfc 0x7 +[S +0.034948] [R +0.034955] outl 0xcf8 0x8000ea04 +[S +0.034961] [R +0.034965] inw 0xcfc +[S +0.034971] [R +0.034989] outl 0xcf8 0x8000e800 +[S +0.034996] [R +0.035000] inw 0xcfc +[S +0.035005] [R +0.035010] outl 0xcf8 0x8000e820 +[S +0.035016] [R +0.035020] outl 0xcfc 0xffffffff +[S +0.035027] [R +0.035033] outl 0xcf8 0x8000e820 +[S +0.035039] [R +0.035043] inl 0xcfc +[S +0.035048] [R +0.035053] outl 0xcf8 0x8000e820 +[S +0.035059] [R +0.035065] outl 0xcfc 0xc041 +[S +0.035071] [R +0.035075] outl 0xcf8 0x8000e804 +[S +0.035081] [R +0.035084] inw 0xcfc +[S +0.035089] [R +0.035094] outl 0xcf8 0x8000e804 +[S +0.035100] [R +0.035103] outw 0xcfc 0x7 +[S +0.035525] [R +0.035532] outl 0xcf8 0x8000e804 +[S +0.035538] [R +0.035542] inw 0xcfc +[S +0.035548] [R +0.035553] outl 0xcf8 0x8000fa00 +[S +0.035558] [R +0.035562] inw 0xcfc +[S +0.035567] [R +0.035572] outl 0xcf8 0x8000fa20 +[S +0.035578] [R +0.035581] outl 0xcfc 0xffffffff +[S +0.035589] [R +0.035594] outl 0xcf8 0x8000fa20 +[S +0.035600] [R +0.035604] inl 0xcfc +[S +0.035609] [R +0.035613] outl 0xcf8 0x8000fa20 +[S +0.035618] [R +0.035623] outl 0xcfc 0xc061 +[S +0.035629] [R +0.035633] outl 0xcf8 0x8000fa24 +[S +0.035638] [R +0.035642] outl 0xcfc 0xffffffff +[S +0.035648] [R +0.035652] outl 0xcf8 0x8000fa24 +[S +0.035658] [R +0.035664] inl 0xcfc +[S +0.035669] [R +0.035673] outl 0xcf8 0x8000fa24 +[S +0.035679] [R +0.035683] outl 0xcfc 0xe0001000 +[S +0.035689] [R +0.035696] outl 0xcf8 0x8000fa04 +[S +0.035702] [R +0.035706] inw 0xcfc +[S +0.035711] [R +0.035716] outl 0xcf8 0x8000fa04 +[S +0.035722] [R +0.035725] outw 0xcfc 0x7 +[S +0.036402] [R +0.036412] outl 0xcf8 0x8000fa04 +[S +0.036418] [R +0.036422] inw 0xcfc +[S +0.036434] [R +0.036442] outl 0xcf8 0x8000ea20 +[S +0.036448] [R +0.036463] outl 0xcfc 0x625f69a0 +[S +0.036906] [I +0.036981] CLOSED +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x46 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] inb 0xc000 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x46 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x0 0x4 0x64657669 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000000 0x8 0x000000ff6c6f6766 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000008 0x8 0x8d6c65652d736400 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outl 0xcf8 0x8000ef76 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outw 0xcfc 0x6563 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x46 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] inb 0xc000 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x4 0x4 0x64657669 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000000 0x8 0x000000ff6c6f6766 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000008 0x8 0x8d6c65652d736400 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outw 0xc003 0x6769 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] readq 0xe0000074 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x46 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x8 0x4 0x00000100 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000000 0x8 0x6465766963656d69 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000008 0x8 0x740d00699b652d63 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xc 0x4 0x000000ff +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000000 0x8 0x0000010000000069 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000008 0x8 0x636c395f61707269 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outw 0xc003 0x6f00 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outl 0xc053 0x6378616d +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x10 0x4 0x000000ff +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000000 0x8 0x6465766963656d69 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000008 0x8 0x740d00699b652d63 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc051 0x6d +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc04f 0x61 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] outb 0xc040 0x69 +x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] clock_step +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x14 0x4 0x000000ff +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000000 0x8 0x0000010000000069 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0xff000008 0x8 0x636c395f61707269 +[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed +[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336 +qemu-fuzz-x86_64: ../hw/usb/core.c:744: struct USBEndpoint *usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed. +==892641== ERROR: libFuzzer: deadly signal + #0 0x557dd985fc41 in __sanitizer_print_stack_trace (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x20b2c41) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #1 0x557dd97cfa58 in fuzzer::PrintStackTrace() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2022a58) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #2 0x557dd97b5ae3 in fuzzer::Fuzzer::CrashCallback() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2008ae3) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #3 0x7fd7e623c45f (/lib/x86_64-linux-gnu/libc.so.6+0x3c45f) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1) + #4 0x7fd7e629152a in __pthread_kill_implementation nptl/pthread_kill.c:43:17 + #5 0x7fd7e629152a in __pthread_kill_internal nptl/pthread_kill.c:78:10 + #6 0x7fd7e629152a in pthread_kill nptl/pthread_kill.c:89:10 + #7 0x7fd7e623c3b5 in raise signal/../sysdeps/posix/raise.c:26:13 + #8 0x7fd7e622287b in abort stdlib/abort.c:79:7 + #9 0x7fd7e622279a in __assert_fail_base assert/assert.c:92:3 + #10 0x7fd7e6233b65 in __assert_fail assert/assert.c:101:3 + #11 0x557dda3b67c6 in usb_ep_get /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/core.c:744:5 + #12 0x557dda3d8820 in uhci_handle_td /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:819:14 + #13 0x557dda3d41ed in uhci_process_frame /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1022:15 + #14 0x557dda3cbf7e in uhci_frame_timer /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1121:9 + #15 0x557ddb90c0ff in timerlist_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:576:9 + #16 0x557ddb90d3e8 in qemu_clock_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:590:12 + #17 0x557ddb90d3e8 in qemu_clock_advance_virtual_time /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:696:9 + #18 0x557dda67fa2f in qtest_process_command /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:722:9 + #19 0x557dda67b3bb in qtest_process_inbuf /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:776:9 + #20 0x557dda67acf6 in qtest_server_inproc_recv /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:907:9 + #21 0x557ddb5fa3e2 in qtest_sendf /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:640:5 + #22 0x557ddb5fa4f4 in qtest_clock_step_next /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:1009:5 + #23 0x557ddb67c2ef in generic_fuzz /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/generic_fuzz.c:667:13 + #24 0x557ddb66e807 in LLVMFuzzerTestOneInput /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/fuzz.c:158:5 + #25 0x557dd97b6f52 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2009f52) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #26 0x557dd97a1080 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff4080) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #27 0x557dd97a6d07 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff9d07) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #28 0x557dd97d0292 in main (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2023292) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) + #29 0x7fd7e6223a8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 + #30 0x7fd7e6223b48 in __libc_start_main csu/../csu/libc-start.c:360:3 + #31 0x557dd979b884 in _start (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1fee884) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5) +``` |