Date: Wed, 17 Mar 2021 11:37:12 -0400
From: Alexander Bulekov
To: Mark Cave-Ayland
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH 1/4] esp: don't underflow cmdfifo if no message out/command data is present
Message-ID: <20210317153712.rmtw63ptoyfdwvph@mozz.bu.edu>
In-Reply-To: <20210316233024.13560-2-mark.cave-ayland@ilande.co.uk>
References: <20210316233024.13560-1-mark.cave-ayland@ilande.co.uk> <20210316233024.13560-2-mark.cave-ayland@ilande.co.uk>

On 210316 2330, Mark Cave-Ayland wrote:
> If a guest sends a TI (Transfer Information) command without previously sending
> any message out/command phase data then cmdfifo will underflow triggering an
> assert reading the IDENTIFY byte.
>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1919035
> Signed-off-by: Mark Cave-Ayland

Hi Mark,
The original reproducer no longer asserts, but I ran through the fuzz corpus, and there is another one that still seems to trigger the same bug:

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
-m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x01
outl 0xc008 0x0a
outl 0xc009 0x41000000
outl 0xc009 0x41000000
outl 0xc00b 0x1000
EOF

C Code testcase below.

Thanks
-Alex

/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2021
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or
 * later. See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"
#include "libqos/libqtest.h"

/*
 * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
 * -m 512M -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
 * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
 * outl 0xcf8 0x80001010
 * outl 0xcfc 0xc000
 * outl 0xcf8 0x80001004
 * outw 0xcfc 0x01
 * outl 0xc008 0x0a
 * outl 0xc009 0x41000000
 * outl 0xc009 0x41000000
 * outl 0xc00b 0x1000
 * EOF
 */
static void test_fuzz(void)
{
    /* libqtest adds the qtest accelerator itself, so the stray "," left by
     * stripping "-machine accel=qtest," from the reproducer is dropped here */
    QTestState *s = qtest_init(
        "-display none -m 512M -device am53c974,id=scsi -device "
        "scsi-hd,drive=disk0 -drive "
        "id=disk0,if=none,file=null-co://,format=raw -nodefaults ");

    /* PCI config: program BAR0 of the controller to I/O port 0xc000 */
    qtest_outl(s, 0xcf8, 0x80001010);
    qtest_outl(s, 0xcfc, 0xc000);
    /* PCI config: enable I/O space decoding in the command register */
    qtest_outl(s, 0xcf8, 0x80001004);
    qtest_outw(s, 0xcfc, 0x01);
    /* controller register writes from the fuzzer corpus */
    qtest_outl(s, 0xc008, 0x0a);
    qtest_outl(s, 0xc009, 0x41000000);
    qtest_outl(s, 0xc009, 0x41000000);
    qtest_outl(s, 0xc00b, 0x1000);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}
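The following is an added illustration, not code from this mail, from the patch under review or from QEMU's esp.c: a constructed C model of the cmdfifo handling the patch subject describes, in which every read from the FIFO is gated on its fill level, so a TI issued with no message-out or command-phase bytes queued yields a status instead of underflowing. The names (ByteFifo, EspModel, esp_do_ti, the TiStatus values) and the 16-byte FIFO size are assumptions of the model, not QEMU identifiers; the sample bytes in main() are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMDFIFO_SIZE 16   /* assumption: bounded FIFO size for the model */

/* Constructed byte FIFO (not QEMU's Fifo8). */
typedef struct {
    uint8_t buf[CMDFIFO_SIZE];
    size_t head;          /* index of the oldest queued byte */
    size_t num;           /* bytes currently queued */
} ByteFifo;

static size_t fifo_num_used(const ByteFifo *f)
{
    return f->num;
}

static bool fifo_push(ByteFifo *f, uint8_t b)
{
    if (f->num == CMDFIFO_SIZE) {
        return false;     /* full: refuse rather than overrun */
    }
    f->buf[(f->head + f->num) % CMDFIFO_SIZE] = b;
    f->num++;
    return true;
}

/* Pop succeeds only when a byte is queued; callers must check the result. */
static bool fifo_pop(ByteFifo *f, uint8_t *out)
{
    if (f->num == 0) {
        return false;     /* the underflow case the patch subject names */
    }
    *out = f->buf[f->head];
    f->head = (f->head + 1) % CMDFIFO_SIZE;
    f->num--;
    return true;
}

/* Hypothetical slice of controller state touched by a TI command. */
typedef struct {
    ByteFifo cmdfifo;
    int lun;              /* from the IDENTIFY message, -1 until seen */
    uint8_t cdb[CMDFIFO_SIZE];
    size_t cdb_len;
} EspModel;

enum TiStatus {
    TI_OK = 0,
    TI_NO_MESSAGE = 1,    /* no message-out byte queued */
    TI_NO_COMMAND = 2     /* IDENTIFY seen, but no command-phase bytes */
};

static void esp_reset(EspModel *s)
{
    memset(s, 0, sizeof(*s));
    s->lun = -1;
}

/* TI (Transfer Information): consume the IDENTIFY byte, then the CDB.
 * Each read is gated on the fill level, so an empty cmdfifo reports a
 * status instead of reading past the queued data. */
static enum TiStatus esp_do_ti(EspModel *s)
{
    uint8_t identify;

    if (!fifo_pop(&s->cmdfifo, &identify)) {
        return TI_NO_MESSAGE;
    }
    s->lun = identify & 0x07;  /* SCSI IDENTIFY: bit 7 set, bits 0-2 = LUN */
    s->cdb_len = 0;
    if (fifo_num_used(&s->cmdfifo) == 0) {
        return TI_NO_COMMAND;
    }
    /* cdb[] is as large as the FIFO, so draining it cannot overrun */
    while (fifo_pop(&s->cmdfifo, &s->cdb[s->cdb_len])) {
        s->cdb_len++;
    }
    return TI_OK;
}

int main(void)
{
    /* constructed: IDENTIFY for LUN 3 followed by a 6-byte INQUIRY CDB */
    const uint8_t bytes[] = { 0x83, 0x12, 0x00, 0x00, 0x00, 0x24, 0x00 };
    EspModel s;
    enum TiStatus st;

    esp_reset(&s);
    st = esp_do_ti(&s);   /* TI with nothing queued, the shape of the report */
    printf("empty cmdfifo -> status %d\n", st);
    for (size_t i = 0; i < sizeof(bytes); i++) {
        fifo_push(&s.cmdfifo, bytes[i]);
    }
    st = esp_do_ti(&s);
    printf("identify+cdb -> status %d, lun %d, cdb_len %zu\n", st, s.lun, s.cdb_len);
    return 0;
}
```

The point of the model is where the check lives: fifo_pop refuses to return anything when nothing is queued, so the command handler cannot reach the IDENTIFY read (or the CDB reads after it) without the guest first having written those bytes, which is the property the reproducer above is probing.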