[Bug 1890333] [NEW] Assertion failure in address_space_stw_le

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Bug 1890333] [NEW] Assertion failure in address_space_stw_le_cached through virtio-* devices
@ 2020-08-04 19:03 Alexander Bulekov
  2020-11-01  1:05 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write " Alexander Bulekov
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Alexander Bulekov @ 2020-08-04 19:03 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-device virtio-blk,drive=mydrive \
-nodefaults -qtest stdio -nographic
outl 0xcf8 0x80001001
outl 0xcfc 0x6574c1ff
outl 0xcf8 0x8000100e
outl 0xcfc 0xefe5e1e
outl 0xe86 0x3aff9090
outl 0xe84 0x3aff9090
outl 0xe8e 0xe
EOF

qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
Aborted

I can trigger similar assertions with other VIRTIO devices, as-well.
I reported this at some point in Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu> but never created a Launchpad issue...
-Alex

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1890333

Title:
  Assertion failure in address_space_stw_le_cached through virtio-*
  devices

Status in QEMU:
  New

Bug description:
  Hello,
  Reproducer:
  cat << EOF | ./i386-softmmu/qemu-system-i386 \
  -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
  -device virtio-blk,drive=mydrive \
  -nodefaults -qtest stdio -nographic
  outl 0xcf8 0x80001001
  outl 0xcfc 0x6574c1ff
  outl 0xcf8 0x8000100e
  outl 0xcfc 0xefe5e1e
  outl 0xe86 0x3aff9090
  outl 0xe84 0x3aff9090
  outl 0xe8e 0xe
  EOF

  qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
  Aborted

  I can trigger similar assertions with other VIRTIO devices, as-well.
  I reported this at some point in Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu> but never created a Launchpad issue...
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1890333/+subscriptions


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug 1890333] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write Assertion failure in address_space_stw_le_cached through virtio-* devices
  2020-08-04 19:03 [Bug 1890333] [NEW] Assertion failure in address_space_stw_le_cached through virtio-* devices Alexander Bulekov
@ 2020-11-01  1:05 ` Alexander Bulekov
  2020-12-10  9:02 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr Thomas Huth
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Alexander Bulekov @ 2020-11-01  1:05 UTC (permalink / raw)
  To: qemu-devel

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-
fuzz/issues/detail?id=26797

=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -display none \
-machine accel=qtest, -m 512M -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw \
-qtest stdio
outl 0xcf8 0x80001889
outl 0xcfc 0x1000ffff
outl 0xcf8 0x80001897
outl 0xcf8 0x80001890
outl 0xcfc 0x4
outl 0xcf8 0x800018ff
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188a
outl 0xcfc 0xd4624
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001897
outl 0xcfc 0xff6ca0ba
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x8000185a
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
inb 0xcfc
outl 0xcf8 0x80001802
outl 0xcfc 0x65a6055
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x24
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1
outl 0xcf8 0x80001892
outl 0xcfc 0x1ff04
outl 0xcf8 0x8000188c
outw 0xcfc 0x1c
outl 0xcf8 0x80001890
outl 0xcfc 0x1
outl 0xcf8 0x80001897
outl 0xcfc 0xfd467562
outl 0xcf8 0x8000188a
outl 0xcfc 0x245a5546
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1ff04
EOF

=== Stack Trace ===

qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
==46== ERROR: libFuzzer: deadly signal
#0 0x55deb7b59e61 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
#1 0x55deb7aa1158 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x55deb7a87053 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7fccd310638f in libpthread.so.0
#4 0x7fccd273e437 in gsignal
#5 0x7fccd2740039 in abort
#6 0x7fccd2736be6 in libc.so.6
#7 0x7fccd2736c91 in __assert_fail
#8 0x55deb8416ba3 in address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
#9 0x55deb8416a40 in stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
#10 0x55deb8416a13 in virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
#11 0x55deb8416899 in vring_set_avail_event /src/qemu/hw/virtio/virtio.c:428:5
#12 0x55deb8406ba8 in virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:437:9
#13 0x55deb84067a2 in virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:498:9
#14 0x55deb84755d3 in virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
#15 0x55deb84916ce in virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
#16 0x55deb841afaf in virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2325:15
#17 0x55deb8415adb in virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3529:9
#18 0x55deb892af84 in aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
#19 0x55deb8929b8a in aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
#20 0x55deb8929ac0 in aio_dispatch /src/qemu/util/aio-posix.c:382:5
#21 0x55deb893ae2c in aio_ctx_dispatch /src/qemu/util/async.c:306:5
#22 0x7fccd3868196 in g_main_context_dispatch
#23 0x55deb8947fed in glib_pollfds_poll /src/qemu/util/main-loop.c:221:9
#24 0x55deb8947264 in os_host_main_loop_wait /src/qemu/util/main-loop.c:244:5
#25 0x55deb8946f25 in main_loop_wait /src/qemu/util/main-loop.c:520:11
#26 0x55deb7b8806a in flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:48:9
#27 0x55deb7b85a32 in generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
#28 0x55deb7b88450 in LLVMFuzzerTestOneInput /src/qemu/tests/qtest/fuzz/fuzz.c:150:5
#29 0x55deb7a887c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
#30 0x55deb7a73892 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#31 0x55deb7a7994e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
#32 0x55deb7aa1932 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#33 0x7fccd272983f in __libc_start_main
#34 0x55deb7a4eb38 in _start

** Summary changed:

- Assertion failure in address_space_stw_le_cached through virtio-* devices
+ [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write Assertion failure in address_space_stw_le_cached through virtio-* devices

** Summary changed:

- [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write Assertion failure in address_space_stw_le_cached through virtio-* devices
+ [OSS-Fuzz]  Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1890333

Title:
  [OSS-Fuzz]  Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-
  virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

Status in QEMU:
  New

Bug description:
  Hello,
  Reproducer:
  cat << EOF | ./i386-softmmu/qemu-system-i386 \
  -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
  -device virtio-blk,drive=mydrive \
  -nodefaults -qtest stdio -nographic
  outl 0xcf8 0x80001001
  outl 0xcfc 0x6574c1ff
  outl 0xcf8 0x8000100e
  outl 0xcfc 0xefe5e1e
  outl 0xe86 0x3aff9090
  outl 0xe84 0x3aff9090
  outl 0xe8e 0xe
  EOF

  qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
  Aborted

  I can trigger similar assertions with other VIRTIO devices, as-well.
  I reported this at some point in Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu> but never created a Launchpad issue...
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1890333/+subscriptions


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr
  2020-08-04 19:03 [Bug 1890333] [NEW] Assertion failure in address_space_stw_le_cached through virtio-* devices Alexander Bulekov
  2020-11-01  1:05 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write " Alexander Bulekov
@ 2020-12-10  9:02 ` Thomas Huth
  2020-12-15 13:43 ` Qiuhao Li
  2020-12-15 15:04 ` Qiuhao Li
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Huth @ 2020-12-10  9:02 UTC (permalink / raw)
  To: qemu-devel

Fix in commit 2d69eba5fe52045b2c8b0d04fd3806414352afc1

** Changed in: qemu
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1890333

Title:
  [OSS-Fuzz]  Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-
  virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

Status in QEMU:
  Fix Released

Bug description:
  Hello,
  Reproducer:
  cat << EOF | ./i386-softmmu/qemu-system-i386 \
  -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
  -device virtio-blk,drive=mydrive \
  -nodefaults -qtest stdio -nographic
  outl 0xcf8 0x80001001
  outl 0xcfc 0x6574c1ff
  outl 0xcf8 0x8000100e
  outl 0xcfc 0xefe5e1e
  outl 0xe86 0x3aff9090
  outl 0xe84 0x3aff9090
  outl 0xe8e 0xe
  EOF

  qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
  Aborted

  I can trigger similar assertions with other VIRTIO devices, as-well.
  I reported this at some point in Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu> but never created a Launchpad issue...
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1890333/+subscriptions


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr
  2020-08-04 19:03 [Bug 1890333] [NEW] Assertion failure in address_space_stw_le_cached through virtio-* devices Alexander Bulekov
  2020-11-01  1:05 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write " Alexander Bulekov
  2020-12-10  9:02 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr Thomas Huth
@ 2020-12-15 13:43 ` Qiuhao Li
  2020-12-15 15:04 ` Qiuhao Li
  3 siblings, 0 replies; 5+ messages in thread
From: Qiuhao Li @ 2020-12-15 13:43 UTC (permalink / raw)
  To: qemu-devel

Hi,

It seems while the minimized producer doesn't fail the assertion now,
the original reproducer provided by OSS-Fuzz[1] can still crash the
latest QEMU (1758428, Dec 12, built with --enable-sanitizers --enable-
fuzzing). Could anyone check if they trigger different bugs?

Tested on:
  Ubuntu: 20.04.1 5.4.0-58-generic x86_64
  clang: 10.0.0-4ubuntu1
  glibc: 2.31-0ubuntu9.1
  libglib2.0-dev: 2.64.3-1~ubuntu20.04.1

[1] https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1890333

Title:
  [OSS-Fuzz]  Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-
  virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

Status in QEMU:
  Fix Released

Bug description:
  Hello,
  Reproducer:
  cat << EOF | ./i386-softmmu/qemu-system-i386 \
  -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
  -device virtio-blk,drive=mydrive \
  -nodefaults -qtest stdio -nographic
  outl 0xcf8 0x80001001
  outl 0xcfc 0x6574c1ff
  outl 0xcf8 0x8000100e
  outl 0xcfc 0xefe5e1e
  outl 0xe86 0x3aff9090
  outl 0xe84 0x3aff9090
  outl 0xe8e 0xe
  EOF

  qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
  Aborted

  I can trigger similar assertions with other VIRTIO devices, as-well.
  I reported this at some point in Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu> but never created a Launchpad issue...
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1890333/+subscriptions


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr
  2020-08-04 19:03 [Bug 1890333] [NEW] Assertion failure in address_space_stw_le_cached through virtio-* devices Alexander Bulekov
                   ` (2 preceding siblings ...)
  2020-12-15 13:43 ` Qiuhao Li
@ 2020-12-15 15:04 ` Qiuhao Li
  3 siblings, 0 replies; 5+ messages in thread
From: Qiuhao Li @ 2020-12-15 15:04 UTC (permalink / raw)
  To: qemu-devel

There is a new bug that fails the same assertion, and maybe its minimized producer will help:
  https://bugs.launchpad.net/qemu/+bug/1908062

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1890333

Title:
  [OSS-Fuzz]  Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-
  virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

Status in QEMU:
  Fix Released

Bug description:
  Hello,
  Reproducer:
  cat << EOF | ./i386-softmmu/qemu-system-i386 \
  -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
  -device virtio-blk,drive=mydrive \
  -nodefaults -qtest stdio -nographic
  outl 0xcf8 0x80001001
  outl 0xcfc 0x6574c1ff
  outl 0xcf8 0x8000100e
  outl 0xcfc 0xefe5e1e
  outl 0xe86 0x3aff9090
  outl 0xe84 0x3aff9090
  outl 0xe8e 0xe
  EOF

  qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/include/exec/memory_ldst_cached.inc.h:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
  Aborted

  I can trigger similar assertions with other VIRTIO devices, as-well.
  I reported this at some point in Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu> but never created a Launchpad issue...
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1890333/+subscriptions


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-12-15 15:12 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-04 19:03 [Bug 1890333] [NEW] Assertion failure in address_space_stw_le_cached through virtio-* devices Alexander Bulekov
2020-11-01  1:05 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write " Alexander Bulekov
2020-12-10  9:02 ` [Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr Thomas Huth
2020-12-15 13:43 ` Qiuhao Li
2020-12-15 15:04 ` Qiuhao Li

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.