From: Alexander Bulekov <1926111@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
Date: Mon, 26 Apr 2021 03:19:06 -0000
Message-ID: <161940714680.11021.12941917748278413607.malonedeb@soybean.canonical.com>
Public bug reported:
=== Stacktrace ===
qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
==602353== ERROR: libFuzzer: deadly signal
#5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
#7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
#8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
#9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
#10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
#11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
#12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
#13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
#14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
#15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
=== Reproducer ===
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000814
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outl 0xcf8 0x80000815
outl 0xcfc 0xffff00b5
write 0x0 0x1 0xe1
write 0x1 0x1 0xfe
write 0x2 0x1 0xbe
write 0x3 0x1 0xba
write 0xff00b020 0x4 0x0000feca
write 0xe0000630 0x1 0x00
EOF
=== Testcase ===
/*
 * Autogenerated Fuzzer Test Case
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */
#include "qemu/osdep.h"
#include "libqos/libqtest.h"

static void test_fuzz(void)
{
    /* qtest_init() adds "-accel qtest" itself; the stray "," the generator
     * left behind when it dropped "-machine accel=qtest," is removed here,
     * otherwise QEMU would treat "," as a positional (drive) argument. */
    QTestState *s = qtest_init("-display none -m 512M -machine q35 -nodefaults "
                               "-device vmxnet3,netdev=net0 -netdev user,id=net0");

    /* PCI config space of device 00:01.0 (the vmxnet3 NIC): map BAR0 at
     * 0xe0000000, then set the command register to enable I/O space,
     * memory space and bus mastering (0x7). */
    qtest_outl(s, 0xcf8, 0x80000810);
    qtest_outl(s, 0xcfc, 0xe0000000);
    qtest_outl(s, 0xcf8, 0x80000814);
    qtest_outl(s, 0xcf8, 0x80000804);
    qtest_outw(s, 0xcfc, 0x7);
    qtest_outl(s, 0xcf8, 0x80000815);
    qtest_outl(s, 0xcfc, 0xffff00b5);

    /* Guest memory writes emitted by the fuzzer. */
    qtest_bufwrite(s, 0x0, "\xe1", 0x1);
    qtest_bufwrite(s, 0x1, "\xfe", 0x1);
    qtest_bufwrite(s, 0x2, "\xbe", 0x1);
    qtest_bufwrite(s, 0x3, "\xba", 0x1);
    qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);

    /* BAR0 offset 0x630: this MMIO write reaches vmxnet3_io_bar0_write()
     * and trips the `tx_queue_idx <= s->txq_num' assertion. */
    qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);
    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }
    return g_test_run();
}
=== OSS-Fuzz Report ===
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
https://oss-fuzz.com/testcase?key=6071483232288768
** Affects: qemu
Importance: Undecided
Status: New
** Tags: fuzzer
** Tags removed: fuzz
** Tags added: fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111
Title:
Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
Status in QEMU:
New
Bug description:
(Stacktrace, reproducer, test case and OSS-Fuzz links as given above.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions
Thread overview: 7+ messages
2021-04-26 3:19 Alexander Bulekov [this message]
2021-04-29 14:26 ` [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write Philippe Mathieu-Daudé
2021-04-29 14:26 ` Philippe Mathieu-Daudé
2021-06-01 9:00 ` [Bug 1926111] " Thomas Huth
2021-07-15 10:43 ` Thomas Huth
2021-07-19 15:03 ` Thomas Huth
2021-08-25 7:06 ` Thomas Huth