From: "Philippe Mathieu-Daudé" <1880539@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1880539] [NEW] I/O write make QXL abort in qxl_set_mode()
Date: Mon, 25 May 2020 09:29:19 -0000 [thread overview]
Message-ID: <159039895924.7312.8999076686824323072.malonedeb@gac.canonical.com> (raw)
Public bug reported:
libFuzzer found:
qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
==8134== ERROR: libFuzzer: deadly signal
#0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
#1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
#2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
#3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
#4 0x7fd640644c6f (/lib64/libpthread.so.0+0x12c6f)
#5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
#6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
#7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
#8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
#10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
#11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
#12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
#13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)
Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).
Command line: 'qemu-system-i386 -display none -M pc -vga qxl'
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880539
Title:
I/O write make QXL abort in qxl_set_mode()
Status in QEMU:
New
Bug description:
libFuzzer found:
qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
==8134== ERROR: libFuzzer: deadly signal
#0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
#1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
#2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
#3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
#4 0x7fd640644c6f (/lib64/libpthread.so.0+0x12c6f)
#5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
#6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
#7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
#8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
#10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
#11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
#12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
#13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)
Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).
Command line: 'qemu-system-i386 -display none -M pc -vga qxl'
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880539/+subscriptions
next reply other threads:[~2020-05-25 9:36 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-25 9:29 Philippe Mathieu-Daudé [this message]
2020-07-11 2:27 ` [Bug 1880539] Re: I/O write make QXL abort in qxl_set_mode() Alexander Bulekov
2021-05-09 15:34 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=159039895924.7312.8999076686824323072.malonedeb@gac.canonical.com \
--to=1880539@bugs.launchpad.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).