Bug in bcm2835_thermal interface Description of problem: Stack traces, crash detail: ``` #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737230841344) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737230841344) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737230841344, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff5042476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff50287f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff6f0eb57 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0 #6 0x00007ffff6f6870f in g_assertion_message_expr () at /lib/x86_64-linux-gnu/libglib-2.0.so.0 #7 0x0000555555d642a6 in bcm2835_thermal_write (opaque=0x7ffff0a475b0, addr=2, value=0, size=2) at ../hw/misc/bcm2835_thermal.c:76 #8 0x0000555556c4a119 in memory_region_write_accessor (mr=0x7ffff0a478e0, addr=2, value=0x7fffffffd250, size=2, shift=0, mask=65535, attrs=...) at ../system/memory.c:497 #9 0x0000555556c49da6 in access_with_adjusted_size (addr=2, value=0x7fffffffd250, size=2, access_size_min=1, access_size_max=4, access_fn=0x555556c49ef0 , mr=0x7ffff0a478e0, attrs=...) at ../system/memory.c:573 #10 0x0000555556c49395 in memory_region_dispatch_write (mr=0x7ffff0a478e0, addr=2, data=0, op=MO_16, attrs=...) at ../system/memory.c:1521 #11 0x0000555556c84e88 in flatview_write_continue_step (attrs=..., buf=0x7fffffffd470 "", len=512, mr_addr=2, l=0x7fffffffd360, mr=0x7ffff0a478e0) at ../system/physmem.c:2757 #12 0x0000555556c84c42 in flatview_write_continue (fv=0x555559717490, addr=1059135490, attrs=..., ptr=0x7fffffffd470, len=512, mr_addr=2, l=2, mr=0x7ffff0a478e0) at ../system/physmem.c:2787 #13 0x0000555556c73305 in flatview_write (fv=0x555559717490, addr=1059135490, attrs=..., buf=0x7fffffffd470, len=512) at ../system/physmem.c:2818 #14 0x0000555556c73179 in address_space_write --Type for more, q to quit, c to continue without paging--c (as=0x5555598056f0, addr=1059135490, attrs=..., buf=0x7fffffffd470, len=512) at ../system/physmem.c:2938 #15 0x0000555556c735df in address_space_set (as=0x5555598056f0, addr=1059135490, c=0 '\000', len=2025625, attrs=...) at ../system/physmem.c:2965 #16 0x0000555555a95b66 in rom_reset (unused=0x0) at ../hw/core/loader.c:1284 #17 0x0000555555ab872d in legacy_reset_hold (obj=0x5555598069b0, type=RESET_TYPE_COLD) at ../hw/core/reset.c:76 #18 0x0000555556d7dbf4 in resettable_phase_hold (obj=0x5555598069b0, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:180 #19 0x0000555556d7d19f in resettable_container_child_foreach (obj=0x5555595573d0, cb=0x555556d7d970 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resetcontainer.c:54 #20 0x0000555556d7f4a4 in resettable_child_foreach (rc=0x555558b02f50, obj=0x5555595573d0, cb=0x555556d7d970 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:92 #21 0x0000555556d7da92 in resettable_phase_hold (obj=0x5555595573d0, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:169 #22 0x0000555556d7d47a in resettable_assert_reset (obj=0x5555595573d0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:58 #23 0x0000555556d7d2f7 in resettable_reset (obj=0x5555595573d0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:45 #24 0x0000555555ab842e in qemu_devices_reset (reason=SHUTDOWN_CAUSE_NONE) at ../hw/core/reset.c:179 #25 0x000055555633227d in qemu_system_reset (reason=SHUTDOWN_CAUSE_NONE) at ../system/runstate.c:493 #26 0x0000555555aa6bd2 in qdev_machine_creation_done () at ../hw/core/machine.c:1643 #27 0x000055555633679f in qemu_machine_creation_done (errp=0x555558587ee0 ) at ../system/vl.c:2685 #28 0x0000555556335ffd in qmp_x_exit_preconfig (errp=0x555558587ee0 ) at ../system/vl.c:2715 #29 0x000055555633bfe4 in qemu_init (argc=9, argv=0x7fffffffdc68) at ../system/vl.c:3759 #30 0x0000555556d6eea2 in main (argc=9, argv=0x7fffffffdc68) at ../system/main.c:47 ``` Description: I encountered a part of the code during QEMU execution that shouldn't have been reached, which led to an error. Crash detail: ``` ERROR:../hw/misc/bcm2835_thermal.c:76:bcm2835_thermal_write: code should not be reached Bail out! ERROR:../hw/misc/bcm2835_thermal.c:76:bcm2835_thermal_write: code should not be reached Aborted ``` Malicious inputs: Malicious input is attached as tar.gz archive to this file, it contains file name id:000017,sig:06,src:000428,time:48261741,execs:1725363,op:havoc,rep:8 [malicious_input.tar.gz](/uploads/fcf47faafb59308cfdb04b3e81e788f3/malicious_input.tar.gz) Affected code area/snippet: qemu/hw/misc/bcm2835_thermal.c:bcm2835_thermal_write ![bug](/uploads/24598ad2b9ca0edfcc7f8e422e94e87d/bug.png) Acknowledge for reporting this issue: Alisher Darmenov (darmenovalisher@gmail.com), Mohamadreza Rostami (mohamadreza.rostami@trust.tu-darmstadt.de), Ahmad-Reza Sadeghi (ahmad.sadeghi@trust.tu-darmstadt.de)