* [Bug 1911216] [NEW] abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
@ 2021-01-12 15:53 Gaoning Pan
From: Gaoning Pan @ 2021-01-12 15:53 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
I found an assertion failure in hw/usb/hcd-ohci.c:1297.
This was found in the latest version, 5.2.0.
My reproduction environment is as follows:
Host: ubuntu 18.04
Guest: ubuntu 18.04
QEMU boot command line:
qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:5555-:22 -display none -device pci-ohci,id=ohci -device usb-tablet,bus=ohci.0,port=1,id=usbdev1
The backtrace is as follows:
pwndbg> bt
#0 0x00007fdf392aa438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007fdf392ac03a in __GI_abort () at abort.c:89
#2 0x000055c613721118 in ohci_frame_boundary (opaque=0x6270000191f0) at hw/usb/hcd-ohci.c:1297
#3 0x000055c6140bdf0e in timerlist_run_timers (timer_list=0x60b00005bcc0) at util/qemu-timer.c:572
#4 0x000055c6140be15a in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at util/qemu-timer.c:586
#5 0x000055c6140beac7 in qemu_clock_run_all_timers () at util/qemu-timer.c:672
#6 0x000055c6140a1938 in main_loop_wait (nonblocking=0) at util/main-loop.c:523
#7 0x000055c6125d87e9 in qemu_main_loop () at /home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/vl.c:1676
#8 0x000055c613f216ea in main (argc=7, argv=0x7fff174cdd28, envp=0x7fff174cdd68) at /home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/main.c:49
#9 0x00007fdf39295840 in __libc_start_main (main=0x55c613f21699 <main>, argc=7, argv=0x7fff174cdd28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff174cdd18) at ../csu/libc-start.c:291
#10 0x000055c6120a4349 in _start ()
The PoC is attached.
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "poc-ohci-abort.c"
https://bugs.launchpad.net/bugs/1911216/+attachment/5452326/+files/poc-ohci-abort.c
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1911216
Title:
abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
Status in QEMU:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1911216/+subscriptions
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Alexander Bulekov @ 2021-01-12 16:43 UTC (permalink / raw)
To: qemu-devel
Seems to be the same as OSS-Fuzz Issue 29224
=== Reproducer ===
cat << EOF | ./qemu-system-i386 -machine q35 \
-machine accel=qtest, -m 512M -nodefaults \
-device pci-ohci -display none -qtest stdio
outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
outl 0xcf8 0x80000813
outl 0xcfc 0x23
clock_step
write 0x23000004 0x1 0x84
clock_step
write 0x0 0x1 0x7e
write 0x1 0x1 0xaa
write 0x3 0x1 0x16
write 0x1600aa8a 0x1 0xa0
write 0xa1 0x1 0x80
write 0xa4 0x1 0x20
clock_step
EOF
=== Stack Trace ===
==6351==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000018cf (pc 0x7f675c885438 bp 0x7fff157e6150 sp 0x7fff157e5e68 T0)
#0 raise
#1 abort
#2 ohci_frame_boundary /src/qemu/hw/usb/hcd-ohci.c:1297:13
#3 timerlist_run_timers /src/qemu/util/qemu-timer.c:574:9
#4 qemu_clock_run_timers /src/qemu/util/qemu-timer.c:588:12
#5 qtest_clock_warp /src/qemu/softmmu/qtest.c:356:9
#6 qtest_process_command /src/qemu/softmmu/qtest.c:752:9
#7 qtest_process_inbuf /src/qemu/softmmu/qtest.c:797:9
#8 qtest_server_inproc_recv /src/qemu/softmmu/qtest.c:904:9
#9 send_wrapper /src/qemu/tests/qtest/libqtest.c:1388:5
#10 qtest_sendf /src/qemu/tests/qtest/libqtest.c:438:5
#11 qtest_clock_step_next /src/qemu/tests/qtest/libqtest.c:910:5
#12 op_clock_step /src/qemu/tests/qtest/fuzz/generic_fuzz.c:575:5
#13 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29176
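Reading an OSS-Fuzz qtest reproducer like the one above means decoding raw PCI configuration-mechanism and MMIO accesses by hand. The decoder below is an added example, not code from the thread or from QEMU: it annotates each qtest line (the 0xcf8/0xcfc config writes, the BAR0 value they produce, and the OHCI register a later MMIO write lands on, using the OHCI 1.0a operational register layout); SAMPLE is a constructed copy of the reproducer's first lines with the shell wrapper removed.

```python
"""Annotate a QEMU qtest reproducer (added example, not QEMU code).
qtest streams use `outl PORT VALUE`, `write ADDR SIZE DATA` (guest memory or MMIO)
and `clock_step` (advance the virtual clock so device timers fire). The decoder explains
PCI config-mechanism #1 accesses on 0xcf8/0xcfc, tracks BAR0 and names the OHCI (1.0a
layout) register an MMIO write hits. SAMPLE is a constructed copy of the thread's lines.
"""
CONFIG_ADDRESS, CONFIG_DATA = 0xcf8, 0xcfc
PCI_COMMAND, PCI_BAR0 = 0x04, 0x10
OHCI_REGS = {0x00: "HcRevision", 0x04: "HcControl", 0x08: "HcCommandStatus", 0x0c:
             "HcInterruptStatus", 0x10: "HcInterruptEnable", 0x18: "HcHCCA",
             0x20: "HcControlHeadED", 0x28: "HcBulkHeadED", 0x34: "HcFmInterval"}
HCFS = ["USBReset", "USBResume", "USBOperational", "USBSuspend"]
HC_CONTROL_BITS = {0x04: "PLE", 0x08: "IE", 0x10: "CLE", 0x20: "BLE"}
SAMPLE = """outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
outl 0xcf8 0x80000813
outl 0xcfc 0x23
clock_step
write 0x23000004 0x1 0x84
"""


class Decoder:
    def __init__(self):
        self.config_reg = 0                  # last dword written to CONFIG_ADDRESS
        self.config_space = bytearray(256)   # shadow copy of the device's config space
        self.bar0 = None                     # known once offsets 0x10..0x13 are written

    def _config_write(self, port, value, size):
        # QEMU's host bridge uses byte offset (config_reg | (port & 3)) and writes `size`
        # little-endian bytes from there without dword alignment, so the odd offset 0x01
        # in the sample spills the top byte of 0x16000000 into the COMMAND register.
        off = (self.config_reg | (port & 3)) & 0xff
        data = value.to_bytes(size, "little")[:256 - off]
        self.config_space[off:off + len(data)] = data
        last = off + len(data) - 1
        bdf = f"{self.config_reg >> 16 & 0xff:02x}:{self.config_reg >> 11 & 0x1f:02x}.{self.config_reg >> 8 & 7}"
        notes = [f"config write to {bdf} offsets 0x{off:02x}..0x{last:02x}"]
        if off <= PCI_COMMAND + 1 and last >= PCI_COMMAND:
            cmd = int.from_bytes(self.config_space[PCI_COMMAND:PCI_COMMAND + 2], "little")
            notes.append(" ".join([f"COMMAND=0x{cmd:04x}"] +
                                  [n for b, n in ((2, "MEM"), (4, "BUS_MASTER")) if cmd & b]))
        if off <= PCI_BAR0 + 3 and last >= PCI_BAR0:   # mask off the memory-BAR flag bits
            self.bar0 = int.from_bytes(self.config_space[PCI_BAR0:PCI_BAR0 + 4], "little") & ~0xf
            notes.append(f"BAR0=0x{self.bar0:08x}")
        return "; ".join(notes)

    def _mmio_write(self, addr, value):
        if self.bar0 is None or not self.bar0 <= addr < self.bar0 + 0x100:
            return f"guest RAM write at 0x{addr:x} (HCCA/ED/TD memory the controller DMAs)"
        off = (addr - self.bar0) & ~3
        note = f"OHCI {OHCI_REGS.get(off, f'reg+0x{off:02x}')} <- 0x{value:x}"
        if off == 0x04:                      # HcControl: HCFS in bits 7:6, list enables below
            flags = "".join(" " + n for b, n in HC_CONTROL_BITS.items() if value & b)
            note += f" (HCFS={HCFS[value >> 6 & 3]}{flags})"
        return note

    def annotate(self, line):
        parts = line.split()
        if parts[0] == "clock_step":
            return "advance QEMU_CLOCK_VIRTUAL to its next deadline; the OHCI frame timer runs ohci_frame_boundary"
        a, b = int(parts[1], 0), int(parts[2], 0)   # ADDR SIZE for write, PORT VALUE for out*
        if parts[0] == "write":              # DATA is hex in memory order; OHCI is little-endian
            blob = bytes.fromhex(parts[3][2:].zfill(2 * b))
            return self._mmio_write(a, int.from_bytes(blob, "little"))
        if parts[0] == "outl" and a == CONFIG_ADDRESS:
            self.config_reg = b
            return f"CONFIG_ADDRESS=0x{b:08x} (enable={b >> 31}, offset 0x{b & 0xff:02x})"
        if parts[0] in ("outb", "outw", "outl") and CONFIG_DATA <= a <= CONFIG_DATA + 3:
            return self._config_write(a, b, {"outb": 1, "outw": 2, "outl": 4}[parts[0]])
        raise ValueError(f"unhandled qtest command: {line}")


def annotate_stream(text):
    dec = Decoder()   # one decoder so CONFIG_ADDRESS and BAR0 state carries across lines
    return [(line, dec.annotate(line)) for line in text.splitlines() if line.strip()]
```

Running `annotate_stream(SAMPLE)` shows the reproducer enabling memory decode and bus mastering on 00:01.0, placing BAR0 at 0x23000000, and then switching HcControl to USBOperational with the periodic list enabled before the clock step that drives ohci_frame_boundary.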
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Philippe Mathieu-Daudé @ 2021-01-29 14:29 UTC (permalink / raw)
To: qemu-devel
** Tags added: fuzzer
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Thomas Huth @ 2021-05-12 11:20 UTC (permalink / raw)
To: qemu-devel
Hi! Can you still reproduce this issue with QEMU v6.0? At least
Alexander's reproducer does not seem to trigger this issue anymore...
** Changed in: qemu
Status: New => Incomplete
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Alexander Bulekov @ 2021-06-15 0:02 UTC (permalink / raw)
To: qemu-devel
OSS-Fuzz still has a functioning reproducer. I'll copy this one over to
gitlab
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Thomas Huth @ 2021-06-16 9:47 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Incomplete => Confirmed
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Alexander Bulekov @ 2021-08-21 4:13 UTC (permalink / raw)
To: qemu-devel
I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/545
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #545
https://gitlab.com/qemu-project/qemu/-/issues/545
* [Bug 1911216] Re: abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Thomas Huth @ 2021-08-21 6:22 UTC (permalink / raw)
To: qemu-devel
Thanks for moving it over! ... let's close this one here on Launchpad
now.
** Changed in: qemu
Status: Confirmed => Invalid