* [Bug 1913914] [NEW] arm_gic: Abort in gic_clear_pending_sgi
@ 2021-01-31 2:14 Alexander Bulekov
2021-03-11 18:52 ` [Bug 1913914] " Peter Maydell
0 siblings, 1 reply; 2+ messages in thread
From: Alexander Bulekov @ 2021-01-31 2:14 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Reproducer:
cat << EOF | ./qemu-system-aarch64 \
-machine virt,accel=qtest -qtest stdio
write 0x8000000 0x1 0x02
write 0x8010000 0x1 0x03
write 0x8010004 0x1 0x10
write 0x8000f2f 0x1 0x0
writel 0x8000f00 0x2065559
write 0x8000d56 0x1 0x0
readl 0x801000b
EOF
Stacktrace:
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
../qemu/hw/intc/arm_gic.c:173:28: runtime error: load of misaligned address 0x6290000215c1 for type 'uint32_t' (aka 'unsigned int'), which requires 16 byte alignment
0x6290000215c1: note: pointer points here
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1c 00 00 80 60 00 00 00 00 00 00 00
^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
[R +0.117623] readl 0x8010015
[R +0.117718] readl 0x801000b
qemu-fuzz-aarch64: ../qemu/hw/intc/arm_gic.c:580: uint32_t gic_clear_pending_sgi(GICState *, int, int): Assertion `s->sgi_pending[irq][cpu] != 0' failed.
==762== ERROR: libFuzzer: deadly signal
#0 0x563d4e2371f1 in __sanitizer_print_stack_trace (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x350d1f1)
#1 0x563d4e182348 in fuzzer::PrintStackTrace() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458348)
#2 0x563d4e167493 in fuzzer::Fuzzer::CrashCallback() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343d493)
#3 0x7feabe05350f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1350f)
#4 0x7feabde8e080 in __libc_signal_restore_set /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/internal-signals.h:84:10
#5 0x7feabde8e080 in raise /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7feabde79534 in abort /build/glibc-suXNNi/glibc-2.29/stdlib/abort.c:79:7
#7 0x7feabde7940e in __assert_fail_base /build/glibc-suXNNi/glibc-2.29/assert/assert.c:92:3
#8 0x7feabde86b91 in __assert_fail /build/glibc-suXNNi/glibc-2.29/assert/assert.c:101:3
#9 0x563d4eba2a3c in gic_clear_pending_sgi /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:580:9
#10 0x563d4eba2a3c in gic_acknowledge_irq /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:630:19
#11 0x563d4ebb4ca4 in gic_cpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1615:17
#12 0x563d4ebab538 in gic_thiscpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1771:12
#13 0x563d5029ec2d in memory_region_read_with_attrs_accessor /home/alxndr/build-asan/../qemu/softmmu/memory.c:464:9
#14 0x563d502705f3 in access_with_adjusted_size /home/alxndr/build-asan/../qemu/softmmu/memory.c:552:18
#15 0x563d5026eb44 in memory_region_dispatch_read1 /home/alxndr/build-asan/../qemu/softmmu/memory.c
#16 0x563d5026eb44 in memory_region_dispatch_read /home/alxndr/build-asan/../qemu/softmmu/memory.c:1449:9
#17 0x563d5048c5bf in flatview_read_continue /home/alxndr/build-asan/../qemu/softmmu/physmem.c:2822:23
#18 0x563d504a9a9b in address_space_read /home/alxndr/qemu/include/exec/memory.h:2484:26
#19 0x563d504a9a9b in qtest_process_command /home/alxndr/build-asan/../qemu/softmmu/qtest.c:568:13
#20 0x563d504a497f in qtest_process_inbuf /home/alxndr/build-asan/../qemu/softmmu/qtest.c:797:9
#21 0x563d504a46d5 in qtest_server_inproc_recv /home/alxndr/build-asan/../qemu/softmmu/qtest.c:904:9
#22 0x563d50ce5cc8 in qtest_sendf /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:438:5
#23 0x563d50ce73a3 in qtest_read /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:1032:5
#24 0x563d4e264499 in __wrap_qtest_readl /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/qtest_wrappers.c:138:16
#25 0x563d4e26ee5b in op_read /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:432:13
#26 0x563d4e26dc46 in generic_fuzz /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
#27 0x563d4e261283 in LLVMFuzzerTestOneInput /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/fuzz.c:151:5
#28 0x563d4e168b51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343eb51)
#29 0x563d4e1542c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342a2c2)
#30 0x563d4e159d76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342fd76)
#31 0x563d4e182a32 in main (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458a32)
#32 0x7feabde7abba in __libc_start_main /build/glibc-suXNNi/glibc-2.29/csu/../csu/libc-start.c:308:16
#33 0x563d4e12e989 in _start (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3404989)
** Affects: qemu
Importance: Undecided
Status: New
** Tags: arm fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1913914
Title:
arm_gic: Abort in gic_clear_pending_sgi
Status in QEMU:
New
Bug description:
Reproducer:
cat << EOF | ./qemu-system-aarch64 \
-machine virt,accel=qtest -qtest stdio
write 0x8000000 0x1 0x02
write 0x8010000 0x1 0x03
write 0x8010004 0x1 0x10
write 0x8000f2f 0x1 0x0
writel 0x8000f00 0x2065559
write 0x8000d56 0x1 0x0
readl 0x801000b
EOF
Stacktrace:
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
../qemu/hw/intc/arm_gic.c:173:28: runtime error: load of misaligned address 0x6290000215c1 for type 'uint32_t' (aka 'unsigned int'), which requires 16 byte alignment
0x6290000215c1: note: pointer points here
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1c 00 00 80 60 00 00 00 00 00 00 00
^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
[R +0.117623] readl 0x8010015
[R +0.117718] readl 0x801000b
qemu-fuzz-aarch64: ../qemu/hw/intc/arm_gic.c:580: uint32_t gic_clear_pending_sgi(GICState *, int, int): Assertion `s->sgi_pending[irq][cpu] != 0' failed.
==762== ERROR: libFuzzer: deadly signal
#0 0x563d4e2371f1 in __sanitizer_print_stack_trace (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x350d1f1)
#1 0x563d4e182348 in fuzzer::PrintStackTrace() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458348)
#2 0x563d4e167493 in fuzzer::Fuzzer::CrashCallback() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343d493)
#3 0x7feabe05350f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1350f)
#4 0x7feabde8e080 in __libc_signal_restore_set /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/internal-signals.h:84:10
#5 0x7feabde8e080 in raise /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7feabde79534 in abort /build/glibc-suXNNi/glibc-2.29/stdlib/abort.c:79:7
#7 0x7feabde7940e in __assert_fail_base /build/glibc-suXNNi/glibc-2.29/assert/assert.c:92:3
#8 0x7feabde86b91 in __assert_fail /build/glibc-suXNNi/glibc-2.29/assert/assert.c:101:3
#9 0x563d4eba2a3c in gic_clear_pending_sgi /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:580:9
#10 0x563d4eba2a3c in gic_acknowledge_irq /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:630:19
#11 0x563d4ebb4ca4 in gic_cpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1615:17
#12 0x563d4ebab538 in gic_thiscpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1771:12
#13 0x563d5029ec2d in memory_region_read_with_attrs_accessor /home/alxndr/build-asan/../qemu/softmmu/memory.c:464:9
#14 0x563d502705f3 in access_with_adjusted_size /home/alxndr/build-asan/../qemu/softmmu/memory.c:552:18
#15 0x563d5026eb44 in memory_region_dispatch_read1 /home/alxndr/build-asan/../qemu/softmmu/memory.c
#16 0x563d5026eb44 in memory_region_dispatch_read /home/alxndr/build-asan/../qemu/softmmu/memory.c:1449:9
#17 0x563d5048c5bf in flatview_read_continue /home/alxndr/build-asan/../qemu/softmmu/physmem.c:2822:23
#18 0x563d504a9a9b in address_space_read /home/alxndr/qemu/include/exec/memory.h:2484:26
#19 0x563d504a9a9b in qtest_process_command /home/alxndr/build-asan/../qemu/softmmu/qtest.c:568:13
#20 0x563d504a497f in qtest_process_inbuf /home/alxndr/build-asan/../qemu/softmmu/qtest.c:797:9
#21 0x563d504a46d5 in qtest_server_inproc_recv /home/alxndr/build-asan/../qemu/softmmu/qtest.c:904:9
#22 0x563d50ce5cc8 in qtest_sendf /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:438:5
#23 0x563d50ce73a3 in qtest_read /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:1032:5
#24 0x563d4e264499 in __wrap_qtest_readl /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/qtest_wrappers.c:138:16
#25 0x563d4e26ee5b in op_read /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:432:13
#26 0x563d4e26dc46 in generic_fuzz /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
#27 0x563d4e261283 in LLVMFuzzerTestOneInput /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/fuzz.c:151:5
#28 0x563d4e168b51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343eb51)
#29 0x563d4e1542c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342a2c2)
#30 0x563d4e159d76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342fd76)
#31 0x563d4e182a32 in main (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458a32)
#32 0x7feabde7abba in __libc_start_main /build/glibc-suXNNi/glibc-2.29/csu/../csu/libc-start.c:308:16
#33 0x563d4e12e989 in _start (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3404989)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1913914/+subscriptions
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug 1913914] Re: arm_gic: Abort in gic_clear_pending_sgi
2021-01-31 2:14 [Bug 1913914] [NEW] arm_gic: Abort in gic_clear_pending_sgi Alexander Bulekov
@ 2021-03-11 18:52 ` Peter Maydell
0 siblings, 0 replies; 2+ messages in thread
From: Peter Maydell @ 2021-03-11 18:52 UTC (permalink / raw)
To: qemu-devel
*** This bug is a duplicate of bug 1914353 ***
https://bugs.launchpad.net/bugs/1914353
** This bug has been marked a duplicate of bug 1914353
QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1913914
Title:
arm_gic: Abort in gic_clear_pending_sgi
Status in QEMU:
New
Bug description:
Reproducer:
cat << EOF | ./qemu-system-aarch64 \
-machine virt,accel=qtest -qtest stdio
write 0x8000000 0x1 0x02
write 0x8010000 0x1 0x03
write 0x8010004 0x1 0x10
write 0x8000f2f 0x1 0x0
writel 0x8000f00 0x2065559
write 0x8000d56 0x1 0x0
readl 0x801000b
EOF
Stacktrace:
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
../qemu/hw/intc/arm_gic.c:173:28: runtime error: load of misaligned address 0x6290000215c1 for type 'uint32_t' (aka 'unsigned int'), which requires 16 byte alignment
0x6290000215c1: note: pointer points here
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1c 00 00 80 60 00 00 00 00 00 00 00
^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
[R +0.117623] readl 0x8010015
[R +0.117718] readl 0x801000b
qemu-fuzz-aarch64: ../qemu/hw/intc/arm_gic.c:580: uint32_t gic_clear_pending_sgi(GICState *, int, int): Assertion `s->sgi_pending[irq][cpu] != 0' failed.
==762== ERROR: libFuzzer: deadly signal
#0 0x563d4e2371f1 in __sanitizer_print_stack_trace (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x350d1f1)
#1 0x563d4e182348 in fuzzer::PrintStackTrace() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458348)
#2 0x563d4e167493 in fuzzer::Fuzzer::CrashCallback() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343d493)
#3 0x7feabe05350f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1350f)
#4 0x7feabde8e080 in __libc_signal_restore_set /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/internal-signals.h:84:10
#5 0x7feabde8e080 in raise /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7feabde79534 in abort /build/glibc-suXNNi/glibc-2.29/stdlib/abort.c:79:7
#7 0x7feabde7940e in __assert_fail_base /build/glibc-suXNNi/glibc-2.29/assert/assert.c:92:3
#8 0x7feabde86b91 in __assert_fail /build/glibc-suXNNi/glibc-2.29/assert/assert.c:101:3
#9 0x563d4eba2a3c in gic_clear_pending_sgi /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:580:9
#10 0x563d4eba2a3c in gic_acknowledge_irq /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:630:19
#11 0x563d4ebb4ca4 in gic_cpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1615:17
#12 0x563d4ebab538 in gic_thiscpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1771:12
#13 0x563d5029ec2d in memory_region_read_with_attrs_accessor /home/alxndr/build-asan/../qemu/softmmu/memory.c:464:9
#14 0x563d502705f3 in access_with_adjusted_size /home/alxndr/build-asan/../qemu/softmmu/memory.c:552:18
#15 0x563d5026eb44 in memory_region_dispatch_read1 /home/alxndr/build-asan/../qemu/softmmu/memory.c
#16 0x563d5026eb44 in memory_region_dispatch_read /home/alxndr/build-asan/../qemu/softmmu/memory.c:1449:9
#17 0x563d5048c5bf in flatview_read_continue /home/alxndr/build-asan/../qemu/softmmu/physmem.c:2822:23
#18 0x563d504a9a9b in address_space_read /home/alxndr/qemu/include/exec/memory.h:2484:26
#19 0x563d504a9a9b in qtest_process_command /home/alxndr/build-asan/../qemu/softmmu/qtest.c:568:13
#20 0x563d504a497f in qtest_process_inbuf /home/alxndr/build-asan/../qemu/softmmu/qtest.c:797:9
#21 0x563d504a46d5 in qtest_server_inproc_recv /home/alxndr/build-asan/../qemu/softmmu/qtest.c:904:9
#22 0x563d50ce5cc8 in qtest_sendf /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:438:5
#23 0x563d50ce73a3 in qtest_read /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:1032:5
#24 0x563d4e264499 in __wrap_qtest_readl /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/qtest_wrappers.c:138:16
#25 0x563d4e26ee5b in op_read /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:432:13
#26 0x563d4e26dc46 in generic_fuzz /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
#27 0x563d4e261283 in LLVMFuzzerTestOneInput /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/fuzz.c:151:5
#28 0x563d4e168b51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343eb51)
#29 0x563d4e1542c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342a2c2)
#30 0x563d4e159d76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342fd76)
#31 0x563d4e182a32 in main (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458a32)
#32 0x7feabde7abba in __libc_start_main /build/glibc-suXNNi/glibc-2.29/csu/../csu/libc-start.c:308:16
#33 0x563d4e12e989 in _start (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3404989)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1913914/+subscriptions
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-03-11 19:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-31 2:14 [Bug 1913914] [NEW] arm_gic: Abort in gic_clear_pending_sgi Alexander Bulekov
2021-03-11 18:52 ` [Bug 1913914] " Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.