* [OSS-Fuzz] Assertion Failure: !in6_zero(&ip_addr) (#111)
@ 2021-05-03 20:09 Alexander Bulekov
From: Alexander Bulekov @ 2021-05-03 20:09 UTC (permalink / raw)
  To: qemu-devel; +Cc: Samuel Thibault

Hi,
Forwarding this along to the list, so it doesn't get buried during the
gitlab issue migration.

----- Forwarded message from "Alexander Bulekov (@a1xndr)" <gitlab@mg.gitlab.com> -----

Alexander Bulekov created an issue: https://gitlab.com/qemu-project/qemu/-/issues/111

Hello,
Reproducer (a qtest command stream piped into qemu-system-i386; the UBSan lines in the trace below need a UBSan-instrumented build, whereas the assertion fires on any build where assert() is not compiled out):
```
# Reproducer: a qtest command stream piped into qemu-system-i386 running
# under the qtest accelerator, with an e1000e NIC on a user-mode (slirp)
# backend.  "outl PORT VAL" is a 32-bit I/O port write; "write ADDR 0x1 VAL"
# stores one byte of guest-physical memory.
#
# Reading of the stream (derived from the PCI / e1000e programming model
# and the stack trace in the report; byte-level details are a best reading,
# confirm against e1000_regs.h if it matters):
#   outl 0xcf8/0xcfc pairs   - PCI config writes to bus 0, device 1 (the
#                              e1000e): byte 3 of BAR0 := 0x56, placing the
#                              MMIO window at 0x56000000, then the command
#                              register := 0x06 (memory decode + bus master).
#   write 0x5600xxxx         - e1000e MMIO register writes (presumably TCTL,
#                              TDLEN and TDT via the legacy 0x4xx aliases).
#   write 0x0b..0x1b         - TX descriptors at guest-physical 0x0; the
#                              second one (at 0x10) points at buffer 0x01fe.
#   write 0x20a..0x23d       - the frame at 0x1fe: ethertype 0x86dd (IPv6),
#                              next header 0x11 (UDP), hop limit 1,
#                              destination fec0::2 (slirp's default host
#                              address), UDP dst port 0x45 = 69 (TFTP),
#                              TFTP opcode 1 (RRQ) - matching
#                              udp6_input -> tftp_input -> tftp_handle_rrq
#                              in the trace.
#   write 0x5600043a         - the last register write; per the trace it
#                              reaches e1000e_set_tdt() and starts
#                              transmission, handing the frame to slirp.
#
# NOTE(review): every step is ordinary guest-side device programming, so an
# untrusted guest driver can reproduce it: with -netdev user in use this is a
# guest-triggerable abort() of the QEMU process via the slirp assertion.
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -M q35 -nodefaults -device e1000e,netdev=net0 -netdev user,id=net0 \
-qtest stdio
outl 0xcf8 0x80000813
outl 0xcfc 0x56
outl 0xcf8 0x80000801
outl 0xcfc 0x06000000
write 0x56000403 0x1 0x02
write 0x5600042b 0x1 0x80
write 0x20a 0x1 0x86
write 0x20b 0x1 0xdd
write 0x20c 0x1 0x60
write 0x212 0x1 0x11
write 0x213 0x1 0x01
write 0x224 0x1 0xfe
write 0x225 0x1 0xc0
write 0x233 0x1 0x02
write 0x237 0x1 0x45
write 0x23d 0x1 0x01
write 0xb 0x1 0x24
write 0x10 0x1 0xfe
write 0x11 0x1 0x01
write 0x19 0x1 0x01
write 0x1a 0x1 0x10
write 0x1b 0x1 0x25
write 0x5600043a 0x1 0x04
EOF
```

Stack-trace:
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:374:27 in
../net/eth.c:375:27: runtime error: member access within misaligned address 0x631000014846 for type 'struct ip6_header', which requires 4 byte alignment
0x631000014846: note: pointer points here
 00 00 11 11 60 00  00 00 00 00 11 11 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 fe c0  00 00
             ^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:375:27 in
qemu-fuzz-i386: ../slirp/src/ndp_table.c:59: _Bool ndp_table_search(Slirp *, struct in6_addr, uint8_t *): Assertion `!in6_zero(&ip_addr)' failed.

#8 in __assert_fail assert/assert.c:101:3
#9 in ndp_table_search /slirp/src/ndp_table.c:59:5
#10 in if_encap6 /slirp/src/slirp.c:926:10
#11 in if_encap /slirp/src/slirp.c:967:15
#12 in if_start /slirp/src/if.c:183:45
#13 in ip6_output /slirp/src/ip6_output.c:35:9
#14 in tftp_udp_output /slirp/src/tftp.c:161:9
#15 in tftp_send_error /slirp/src/tftp.c:223:5
#16 in tftp_handle_rrq /slirp/src/tftp.c
#17 in tftp_input /slirp/src/tftp.c:453:9
#18 in udp6_input /slirp/src/udp6.c:81:9
#19 in slirp_input /slirp/src/slirp.c:847:13
#20 in net_slirp_receive /net/slirp.c:136:5
#21 in nc_sendv_compat /net/net.c
#22 in qemu_deliver_packet_iov /net/net.c:765:15
#23 in qemu_net_queue_deliver_iov /net/queue.c:179:11
#24 in qemu_net_queue_send_iov /net/queue.c:246:11
#25 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:558:9
#26 in net_tx_pkt_send /hw/net/net_tx_pkt.c:633:9
#27 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:659:16
#28 in e1000e_process_tx_desc /hw/net/e1000e_core.c:736:17
#29 in e1000e_start_xmit /hw/net/e1000e_core.c:927:9
#30 in e1000e_set_tdt /hw/net/e1000e_core.c:2444:9
#31 in e1000e_core_write /hw/net/e1000e_core.c:3256:9
#32 in memory_region_write_accessor /softmmu/memory.c:491:5
#33 in access_with_adjusted_size /softmmu/memory.c:552:18
#34 in memory_region_dispatch_write /softmmu/memory.c
#35 in flatview_write_continue /softmmu/physmem.c:2746:23
#36 in flatview_write /softmmu/physmem.c:2786:14
#37 in address_space_write /softmmu/physmem.c:2878:18
```

Test-case:
```
/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2021 <name of author>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

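/*
 * Replay the OSS-Fuzz reproducer against an e1000e NIC backed by the
 * user-mode (slirp) netdev.
 *
 * The sequence mirrors the qtest stdio script in the report: map the
 * e1000e's BAR0, enable memory decode, build a TX descriptor and an
 * IPv6/UDP/TFTP frame in low guest RAM, then ring the transmit tail.  On an
 * unfixed libslirp the transmitted frame ends in the
 * `!in6_zero(&ip_addr)' assertion in ndp_table_search() (see the trace).
 *
 * Fix vs. the autogenerated version: the command line carried a stray ","
 * after "-display none" -- what was left of "-machine accel=qtest," from
 * the stdio reproducer once the accel option was stripped.  qtest_init()
 * adds the qtest accelerator itself, so the comma is dropped; left in,
 * QEMU would (as far as I can tell) take it as a positional drive argument
 * rather than part of the intended command line.
 */
static void test_fuzz(void)
{
    QTestState *s = qtest_init("-display none -m 512M -M q35 -nodefaults -device "
                               "e1000e,netdev=net0 -netdev user,id=net0");

    /*
     * PCI config, bus 0 / device 1 (the e1000e): byte 3 of BAR0 := 0x56,
     * i.e. the MMIO window is placed at guest-physical 0x56000000.
     */
    qtest_outl(s, 0xcf8, 0x80000813);
    qtest_outl(s, 0xcfc, 0x56);
    /* Command register := 0x06 (memory space + bus master enable). */
    qtest_outl(s, 0xcf8, 0x80000801);
    qtest_outl(s, 0xcfc, 0x06000000);

    /*
     * e1000e MMIO writes (offsets relative to 0x56000000); presumably TCTL
     * and the legacy TDLEN alias -- confirm against e1000_regs.h.
     */
    qtest_bufwrite(s, 0x56000403, "\x02", 0x1);
    qtest_bufwrite(s, 0x5600042b, "\x80", 0x1);

    /*
     * The frame at guest-physical 0x1fe: ethertype 0x86dd (IPv6), version 6,
     * next header 0x11 (UDP), hop limit 1, destination fec0::2 (slirp's
     * default host address), UDP destination port 0x45 (69, TFTP) and TFTP
     * opcode 1 (RRQ) -- matching udp6_input -> tftp_input ->
     * tftp_handle_rrq in the trace.
     */
    qtest_bufwrite(s, 0x20a, "\x86", 0x1);
    qtest_bufwrite(s, 0x20b, "\xdd", 0x1);
    qtest_bufwrite(s, 0x20c, "\x60", 0x1);
    qtest_bufwrite(s, 0x212, "\x11", 0x1);
    qtest_bufwrite(s, 0x213, "\x01", 0x1);
    qtest_bufwrite(s, 0x224, "\xfe", 0x1);
    qtest_bufwrite(s, 0x225, "\xc0", 0x1);
    qtest_bufwrite(s, 0x233, "\x02", 0x1);
    qtest_bufwrite(s, 0x237, "\x45", 0x1);
    qtest_bufwrite(s, 0x23d, "\x01", 0x1);

    /*
     * TX descriptors at guest-physical 0x0: the second one (at 0x10) points
     * at the frame (buffer address 0x01fe) with its length/command bytes set.
     */
    qtest_bufwrite(s, 0xb, "\x24", 0x1);
    qtest_bufwrite(s, 0x10, "\xfe", 0x1);
    qtest_bufwrite(s, 0x11, "\x01", 0x1);
    qtest_bufwrite(s, 0x19, "\x01", 0x1);
    qtest_bufwrite(s, 0x1a, "\x10", 0x1);
    qtest_bufwrite(s, 0x1b, "\x25", 0x1);

    /*
     * Transmit tail write: reaches e1000e_set_tdt() (trace frame #30) and
     * starts transmission, pushing the frame into slirp.
     */
    qtest_bufwrite(s, 0x5600043a, "\x04", 0x1);
    qtest_quit(s);
}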
/*
 * Entry point: register the reproducer as a qtest for the i386 target only
 * (its command line is specific to qemu-system-i386, e.g. -M q35).
 */
int main(int argc, char **argv)
{
    const char *target_arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (!strcmp(target_arch, "i386")) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}
```

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33873



* Re: [OSS-Fuzz] Assertion Failure: !in6_zero(&ip_addr) (#111)
@ 2021-05-08 23:50 ` Samuel Thibault
From: Samuel Thibault @ 2021-05-08 23:50 UTC (permalink / raw)
  To: Alexander Bulekov; +Cc: qemu-devel

Hello,

Alexander Bulekov, le lun. 03 mai 2021 16:09:33 -0400, a écrit:
> Forwarding this along to the list, so it doesn't get burried during the
> gitlab issue migration.

Thanks!

Pushed a proposed fix on

https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/86

Samuel

> ----- Forwarded message from "Alexander Bulekov (@a1xndr)" <gitlab@mg.gitlab.com> -----
> 
> Alexander Bulekov created an issue: https://gitlab.com/qemu-project/qemu/-/issues/111
> 
> Hello,
> Reproducer
> ```
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> 512M -M q35 -nodefaults -device e1000e,netdev=net0 -netdev user,id=net0 \
> -qtest stdio
> outl 0xcf8 0x80000813
> outl 0xcfc 0x56
> outl 0xcf8 0x80000801
> outl 0xcfc 0x06000000
> write 0x56000403 0x1 0x02
> write 0x5600042b 0x1 0x80
> write 0x20a 0x1 0x86
> write 0x20b 0x1 0xdd
> write 0x20c 0x1 0x60
> write 0x212 0x1 0x11
> write 0x213 0x1 0x01
> write 0x224 0x1 0xfe
> write 0x225 0x1 0xc0
> write 0x233 0x1 0x02
> write 0x237 0x1 0x45
> write 0x23d 0x1 0x01
> write 0xb 0x1 0x24
> write 0x10 0x1 0xfe
> write 0x11 0x1 0x01
> write 0x19 0x1 0x01
> write 0x1a 0x1 0x10
> write 0x1b 0x1 0x25
> write 0x5600043a 0x1 0x04
> EOF
> ```
> 
> Stack-trace:
> ```
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:374:27 in
> ../net/eth.c:375:27: runtime error: member access within misaligned address 0x631000014846 for type 'struct ip6_header', which requires 4 byte alignment
> 0x631000014846: note: pointer points here
>  00 00 11 11 60 00  00 00 00 00 11 11 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 fe c0  00 00
>              ^
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:375:27 in
> qemu-fuzz-i386: ../slirp/src/ndp_table.c:59: _Bool ndp_table_search(Slirp *, struct in6_addr, uint8_t *): Assertion `!in6_zero(&ip_addr)' failed.
> 
> #8 in __assert_fail assert/assert.c:101:3
> #9 in ndp_table_search /slirp/src/ndp_table.c:59:5
> #10 in if_encap6 /slirp/src/slirp.c:926:10
> #11 in if_encap /slirp/src/slirp.c:967:15
> #12 in if_start /slirp/src/if.c:183:45
> #13 in ip6_output /slirp/src/ip6_output.c:35:9
> #14 in tftp_udp_output /slirp/src/tftp.c:161:9
> #15 in tftp_send_error /slirp/src/tftp.c:223:5
> #16 in tftp_handle_rrq /slirp/src/tftp.c
> #17 in tftp_input /slirp/src/tftp.c:453:9
> #18 in udp6_input /slirp/src/udp6.c:81:9
> #19 in slirp_input /slirp/src/slirp.c:847:13
> #20 in net_slirp_receive /net/slirp.c:136:5
> #21 in nc_sendv_compat /net/net.c
> #22 in qemu_deliver_packet_iov /net/net.c:765:15
> #23 in qemu_net_queue_deliver_iov /net/queue.c:179:11
> #24 in qemu_net_queue_send_iov /net/queue.c:246:11
> #25 in net_tx_pkt_sendv /hw/net/net_tx_pkt.c:558:9
> #26 in net_tx_pkt_send /hw/net/net_tx_pkt.c:633:9
> #27 in e1000e_tx_pkt_send /hw/net/e1000e_core.c:659:16
> #28 in e1000e_process_tx_desc /hw/net/e1000e_core.c:736:17
> #29 in e1000e_start_xmit /hw/net/e1000e_core.c:927:9
> #30 in e1000e_set_tdt /hw/net/e1000e_core.c:2444:9
> #31 in e1000e_core_write /hw/net/e1000e_core.c:3256:9
> #32 in memory_region_write_accessor /softmmu/memory.c:491:5
> #33 in access_with_adjusted_size /softmmu/memory.c:552:18
> #34 in memory_region_dispatch_write /softmmu/memory.c
> #35 in flatview_write_continue /softmmu/physmem.c:2746:23
> #36 in flatview_write /softmmu/physmem.c:2786:14
> #37 in address_space_write /softmmu/physmem.c:2878:18
> ```
> 
> Test-case:
> ```
> /*
>  * Autogenerated Fuzzer Test Case
>  *
>  * Copyright (c) 2021 <name of author>
>  *
>  * This work is licensed under the terms of the GNU GPL, version 2 or later.
>  * See the COPYING file in the top-level directory.
>  */
> 
> #include "qemu/osdep.h"
> 
> #include "libqos/libqtest.h"
> 
> static void test_fuzz(void)
> {
>     QTestState *s = qtest_init("-display none , -m 512M -M q35 -nodefaults -device "
>                                "e1000e,netdev=net0 -netdev user,id=net0");
>     qtest_outl(s, 0xcf8, 0x80000813);
>     qtest_outl(s, 0xcfc, 0x56);
>     qtest_outl(s, 0xcf8, 0x80000801);
>     qtest_outl(s, 0xcfc, 0x06000000);
>     qtest_bufwrite(s, 0x56000403, "\x02", 0x1);
>     qtest_bufwrite(s, 0x5600042b, "\x80", 0x1);
>     qtest_bufwrite(s, 0x20a, "\x86", 0x1);
>     qtest_bufwrite(s, 0x20b, "\xdd", 0x1);
>     qtest_bufwrite(s, 0x20c, "\x60", 0x1);
>     qtest_bufwrite(s, 0x212, "\x11", 0x1);
>     qtest_bufwrite(s, 0x213, "\x01", 0x1);
>     qtest_bufwrite(s, 0x224, "\xfe", 0x1);
>     qtest_bufwrite(s, 0x225, "\xc0", 0x1);
>     qtest_bufwrite(s, 0x233, "\x02", 0x1);
>     qtest_bufwrite(s, 0x237, "\x45", 0x1);
>     qtest_bufwrite(s, 0x23d, "\x01", 0x1);
>     qtest_bufwrite(s, 0xb, "\x24", 0x1);
>     qtest_bufwrite(s, 0x10, "\xfe", 0x1);
>     qtest_bufwrite(s, 0x11, "\x01", 0x1);
>     qtest_bufwrite(s, 0x19, "\x01", 0x1);
>     qtest_bufwrite(s, 0x1a, "\x10", 0x1);
>     qtest_bufwrite(s, 0x1b, "\x25", 0x1);
>     qtest_bufwrite(s, 0x5600043a, "\x04", 0x1);
>     qtest_quit(s);
> }
> int main(int argc, char **argv)
> {
>     const char *arch = qtest_get_arch();
> 
>     g_test_init(&argc, &argv, NULL);
> 
>     if (strcmp(arch, "i386") == 0) {
>         qtest_add_func("fuzz/test_fuzz", test_fuzz);
>     }
> 
>     return g_test_run();
> }
> ```
> 
> OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33873
> 

-- 
Samuel
Tu as lu les docs. Tu es devenu un informaticien. Que tu le veuilles
ou non. Lire la doc, c'est le Premier et Unique Commandement de
l'informaticien.
-+- TP in: Guide du Linuxien pervers - "L'évangile selon St Thomas"


