assertion failure in mptsas1068 emulator Using hypervisor fuzzer, hyfuzz, I found an assertion failure through mptsas1068 emulator. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service. This was found in version 5.2.0 (master) qemu-system-i386: ../hw/scsi/mptsas.c:968: void mptsas_interrupt_status_write(MPTSASState *): Assertion `s->intr_status & MPI_HIS_DOORBELL_INTERRUPT' failed. [1] 16951 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-5.2/build/qemu-system-i386 -m 512 -drive Program terminated with signal SIGABRT, Aborted. #0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. [Current thread is 1 (Thread 0x7fc7d6023700 (LWP 23475))] gdb-peda$ bt #0 0x00007fc7efa13f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007fc7efa158b1 in __GI_abort () at abort.c:79 #2 0x00007fc7efa0542a in __assert_fail_base (fmt=0x7fc7efb8ca38 "%s%s%s:%u: %s%sAssertion `%s' failed.\\n%n", assertion=assertion@entry=0x56439214d593 "s->intr_status & MPI_HIS_DOORBELL_INTERRUPT", file=file@entry=0x56439214d4a7 "../hw/scsi/mptsas.c", line=line@entry=0x3c8, function=function@entry=0x56439214d81c "void mptsas_interrupt_status_write(MPTSASState *)") at assert.c:92 #3 0x00007fc7efa054a2 in __GI___assert_fail (assertion=0x56439214d593 "s->intr_status & MPI_HIS_DOORBELL_INTERRUPT", file=0x56439214d4a7 "../hw/scsi/mptsas.c", line=0x3c8, function=0x56439214d81c "void mptsas_interrupt_status_write(MPTSASState *)") at assert.c:101 #4 0x0000564391a43963 in mptsas_interrupt_status_write (s=) at ../hw/scsi/mptsas.c:968 #5 0x0000564391a43963 in mptsas_mmio_write (opaque=0x5643943dd5b0, addr=0x30, val=0x18000000, size=) at ../hw/scsi/mptsas.c:1052 #6 0x0000564391e08798 in memory_region_write_accessor (mr=, addr=, value=, size=, shift=, mask=, attrs=...) at ../softmmu/memory.c:491 #7 0x0000564391e0858e in access_with_adjusted_size (addr=, value=, size=, access_size_min=, access_size_max=, access_fn=, mr=, attrs=...) at ../softmmu/memory.c:552 #8 0x0000564391e0858e in memory_region_dispatch_write (mr=0x5643943ddea0, addr=, data=, op=, attrs=...) at ../softmmu/memory.c:1501 #9 0x0000564391eff228 in io_writex (iotlbentry=, mmu_idx=, val=, addr=, retaddr=, op=, env=) at ../accel/tcg/cputlb.c:1378 #10 0x0000564391eff228 in store_helper (env=, addr=, val=, oi=, retaddr=, op=MO_32) at ../accel/tcg/cputlb.c:2397 #11 0x0000564391eff228 in helper_le_stl_mmu (env=, addr=, val=0x2, oi=, retaddr=0x7fc78841b401) at ../accel/tcg/cputlb.c:2463 #12 0x00007fc78841b401 in code_gen_buffer () #13 0x0000564391dd0da0 in cpu_tb_exec (cpu=0x56439363e650, itb=) at ../accel/tcg/cpu-exec.c:178 #14 0x0000564391dd19eb in cpu_loop_exec_tb (tb=, cpu=, last_tb=, tb_exit=) at ../accel/tcg/cpu-exec.c:658 #15 0x0000564391dd19eb in cpu_exec (cpu=0x56439363e650) at ../accel/tcg/cpu-exec.c:771 #16 0x0000564391e00b9f in tcg_cpu_exec (cpu=) at ../accel/tcg/tcg-cpus.c:243 #17 0x0000564391e00b9f in tcg_cpu_thread_fn (arg=0x56439363e650) at ../accel/tcg/tcg-cpus.c:427 #18 0x00005643920d8775 in qemu_thread_start (args=) at ../util/qemu-thread-posix.c:521 #19 0x00007fc7efdcd6db in start_thread (arg=0x7fc7d6023700) at pthread_create.c:463 To reproduce this issue, please run the QEMU with the following command line. # To enable ASan option, please set configuration with the following command $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers $ make # To reproduce this issue, please run the QEMU process with the following command line. $ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -device mptsas1068,id=scsi -device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img Please let me know if I can provide any further info. Thank you. - Cheolwoo, Myung (Seoul National University)