blob: 4c48c61e43189708ff6d1766bfd51dea15e4be4a (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
Assert failure in ahci-hd device
Description of problem:
Assert
```
qemu-system-x86_64: ../hw/ide/core.c:934: void ide_dma_cb(void *, int): Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
```
can be triggered with some qtest commands. This was found by fuzzing.
Steps to reproduce:
Command:
```
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0 -qtest stdio
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0x0 0x1 0x27
write 0x1 0x1 0x80
write 0x2 0x1 0x25
write 0xe00003b8 0x1 0x02
write 0xe0000398 0x1 0x01
EOF
```
Results in
```
[I 0.000001] OPENED
[R +0.076075] outl 0xcf8 0x8000fa24
[S +0.076165] OK
OK
[R +0.076198] outl 0xcfc 0xe0000000
[S +0.076242] OK
OK
[R +0.076320] outl 0xcf8 0x8000fa04
[S +0.076344] OK
OK
[R +0.076379] outw 0xcfc 0x06
[S +0.077676] OK
OK
[R +0.077760] write 0x0 0x1 0x27
[S +0.079429] OK
OK
[R +0.079552] write 0x1 0x1 0x80
[S +0.079592] OK
OK
[R +0.079618] write 0x2 0x1 0x25
[S +0.079645] OK
OK
[R +0.079669] write 0xe00003b8 0x1 0x02
[S +0.079709] OK
OK
[R +0.079733] write 0xe0000398 0x1 0x01
qemu-system-x86_64: ../hw/ide/core.c:934: void ide_dma_cb(void *, int): Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Aborted
```
Additional information:
Maybe we can just `goto eot;` instead of assert?
|