[Bug 1880539] [NEW] I/O write make QXL abort in qxl_set_mode()

[Bug 1880539] [NEW] I/O write make QXL abort in qxl_set_mode()

[Philippe Mathieu-Daudé]

Public bug reported:

libFuzzer found:

qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
==8134== ERROR: libFuzzer: deadly signal
    #0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
    #1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
    #2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
    #3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
    #4 0x7fd640644c6f  (/lib64/libpthread.so.0+0x12c6f)
    #5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
    #6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
    #7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
    #8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
    #9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
    #10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
    #11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
    #12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
    #13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)

Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).

Command line: 'qemu-system-i386 -display none -M pc -vga qxl'

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880539

Title:
  I/O write make QXL abort in qxl_set_mode()

Status in QEMU:
  New

Bug description:
  libFuzzer found:

  qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
  qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
  ==8134== ERROR: libFuzzer: deadly signal
      #0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
      #1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
      #2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
      #3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
      #4 0x7fd640644c6f  (/lib64/libpthread.so.0+0x12c6f)
      #5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
      #6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
      #7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
      #8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
      #9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
      #10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
      #11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
      #12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
      #13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)

  Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).

  Command line: 'qemu-system-i386 -display none -M pc -vga qxl'

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880539/+subscriptions

[Bug 1880539] Re: I/O write make QXL abort in qxl_set_mode()

[Alexander Bulekov]

Here's a qtest reproducer for this:
cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest -qtest null -nographic -vga qxl -qtest stdio -nodefaults
outl 0xcf8 0x80000804
outb 0xcfc 0xff
outl 0xcf8 0x80000819
outl 0xcfc 0x87caff7a
outb 0x86 0x23
EOF

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880539

Title:
  I/O write make QXL abort in qxl_set_mode()

Status in QEMU:
  New

Bug description:
  libFuzzer found:

  qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
  qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
  ==8134== ERROR: libFuzzer: deadly signal
      #0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
      #1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
      #2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
      #3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
      #4 0x7fd640644c6f  (/lib64/libpthread.so.0+0x12c6f)
      #5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
      #6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
      #7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
      #8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
      #9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
      #10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
      #11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
      #12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
      #13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)

  Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).

  Command line: 'qemu-system-i386 -display none -M pc -vga qxl'

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880539/+subscriptions

[Bug 1880539] Re: I/O write make QXL abort in qxl_set_mode()

[Philippe Mathieu-Daudé]

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'invalid' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/232


** Changed in: qemu
       Status: New => Invalid

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #232
   https://gitlab.com/qemu-project/qemu/-/issues/232

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880539

Title:
  I/O write make QXL abort in qxl_set_mode()

Status in QEMU:
  Invalid

Bug description:
  libFuzzer found:

  qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
  qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
  ==8134== ERROR: libFuzzer: deadly signal
      #0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
      #1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
      #2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
      #3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
      #4 0x7fd640644c6f  (/lib64/libpthread.so.0+0x12c6f)
      #5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
      #6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
      #7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
      #8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
      #9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
      #10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
      #11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
      #12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
      #13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)

  Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).

  Command line: 'qemu-system-i386 -display none -M pc -vga qxl'

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880539/+subscriptions