qemu-devel.nongnu.org archive mirror
* [Bug 1878134] Re: Assertion failures in ati_reg_read_offs/ati_reg_write_offs
       [not found] <158925637015.6343.182119641060008506.malonedeb@soybean.canonical.com>
@ 2020-05-14 21:45 ` Rafael David Tinoco
  2020-05-16 11:25 ` [Bug 1878134] [NEW] " BALATON Zoltan
  2020-08-20 15:12 ` [Bug 1878134] " Thomas Huth
  2 siblings, 0 replies; 4+ messages in thread
From: Rafael David Tinoco @ 2020-05-14 21:45 UTC (permalink / raw)
  To: qemu-devel

Hello Alexander,

I believe your fuzz test result was meant for the upstream project, so I
moved it.

o/

** Also affects: qemu
   Importance: Undecided
       Status: New

** No longer affects: qemu-kvm (Ubuntu)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878134

Title:
  Assertion failures in ati_reg_read_offs/ati_reg_write_offs

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found inputs that trigger assertion failures in
  ati_reg_read_offs/ati_reg_write_offs

  uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 &&
  length > 0 && length <= 32 - start' failed

  #3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
  #4  0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
  #5  0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
  #6  0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
  #7  0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #8  0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396

  
  I can reproduce it in qemu 5.0 built with using:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80001018
  outl 0xcfc 0xe2000000
  outl 0xcf8 0x8000101c
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fa20
  write 0xe2000004 0x1 0x1a
  readq 0xe2000000
  EOF

  Similarly for ati_reg_write_offs:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80001018
  outl 0xcfc 0xe2000000
  outl 0xcf8 0x8000101c
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fa20
  write 0xe2000000 0x8 0x6a00000000006a00
  EOF

  I also attached the traces to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio
  -monitor none -serial none < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878134/+subscriptions


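The six port-I/O lines at the top of both reproducers are PCI configuration mechanism #1 accesses (an address latched at 0xcf8, data at 0xcfc). The following decoder is an added example, not part of the bug report or of QEMU: it replays those lines, embedded here as constructed data, and prints what each CONFIG_DATA write actually changes. The field layout and the type-0 header register names are the standard ones; that 00:02.0 is the ati-vga is an inference from the trace, since the MMIO accesses that follow at 0xe2000000 reach ati_mm_read.

```c
/*
 * Added example (not the reporter's or QEMU's code): decode the 0xcf8/0xcfc
 * configuration accesses of the qtest reproducer. Input lines are embedded
 * below as constructed data copied from the script.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_CONFIG_ADDRESS 0xcf8
#define PCI_CONFIG_DATA    0xcfc

struct cfg_addr {
    bool enable;
    unsigned bus, dev, func, reg;
};

/* CONFIG_ADDRESS: bit 31 enable, 23:16 bus, 15:11 device, 10:8 function,
 * 7:2 dword-aligned register offset (standard mechanism #1 layout). */
static struct cfg_addr decode_cfg_addr(uint32_t v)
{
    struct cfg_addr a;
    a.enable = (v >> 31) & 1u;
    a.bus    = (v >> 16) & 0xffu;
    a.dev    = (v >> 11) & 0x1fu;
    a.func   = (v >> 8)  & 0x7u;
    a.reg    = v & 0xfcu;
    return a;
}

/* Type-0 header fields the reproducer touches. */
static const char *cfg_reg_name(unsigned reg)
{
    switch (reg & 0xfcu) {
    case 0x04: return "COMMAND";
    case 0x10: return "BAR0";
    case 0x14: return "BAR1";
    case 0x18: return "BAR2";
    case 0x1c: return "BAR3";
    case 0x20: return "BAR4";
    default:   return "other";
    }
}

/* One "outl/outw port value" line of the qtest script. */
struct port_write { unsigned port, size; uint32_t value; };

/* A decoded CONFIG_DATA write: which function/register got which value. */
struct cfg_write { unsigned bus, dev, func, reg, size; uint32_t value; };

/* Replays the port writes, latching CONFIG_ADDRESS and recording one
 * cfg_write per CONFIG_DATA write. Returns the number of config writes. */
static unsigned replay(const struct port_write *ops, unsigned n,
                       struct cfg_write *out, unsigned max_out)
{
    uint32_t latched = 0;
    unsigned found = 0;

    for (unsigned i = 0; i < n; i++) {
        const struct port_write *op = &ops[i];
        if (op->port == PCI_CONFIG_ADDRESS && op->size == 4) {
            latched = op->value;  /* an address never followed by data is a no-op */
        } else if (op->port >= PCI_CONFIG_DATA && op->port < PCI_CONFIG_DATA + 4) {
            struct cfg_addr a = decode_cfg_addr(latched);
            if (!a.enable || found >= max_out) {
                continue;
            }
            out[found].bus = a.bus;
            out[found].dev = a.dev;
            out[found].func = a.func;
            out[found].reg = a.reg + (op->port - PCI_CONFIG_DATA);
            out[found].size = op->size;
            out[found].value = op->value;
            found++;
        }
    }
    return found;
}

/* The six port-I/O lines shared by both reproducers (constructed input). */
static const struct port_write repro_ops[] = {
    { 0xcf8, 4, 0x80001018 }, { 0xcfc, 4, 0xe2000000 },
    { 0xcf8, 4, 0x8000101c },
    { 0xcf8, 4, 0x80001004 }, { 0xcfc, 2, 0x7 },
    { 0xcf8, 4, 0x8000fa20 },
};
#define REPRO_OPS_N (sizeof repro_ops / sizeof repro_ops[0])

static unsigned repro_write_count(void)
{
    struct cfg_write w[8];
    return replay(repro_ops, REPRO_OPS_N, w, 8);
}

/* i-th decoded config write of the reproducer (zeroed struct if none). */
static struct cfg_write repro_write(unsigned i)
{
    struct cfg_write w[8] = {{0}};
    replay(repro_ops, REPRO_OPS_N, w, 8);
    return w[i];
}

int main(void)
{
    unsigned n = repro_write_count();
    for (unsigned i = 0; i < n; i++) {
        struct cfg_write w = repro_write(i);
        printf("%02x:%02x.%u %-7s (0x%02x) <= 0x%x (%u bytes)\n", w.bus, w.dev,
               w.func, cfg_reg_name(w.reg), w.reg, (unsigned)w.value, w.size);
    }
    return 0;
}
```

Only two of the six lines are config writes: BAR2 of 00:02.0 is set to 0xe2000000, and COMMAND is set to 0x7 (I/O space, memory space and bus master enabled), which is what makes the later `write 0xe2000004` and `readq 0xe2000000` decode at the device instead of being ignored. The latched addresses 0x8000101c (BAR3) and 0x8000fa20 (00:1f.2, register 0x20) are never followed by a data write and are leftovers of the fuzzer's input.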

* Re: [Bug 1878134] [NEW] Assertion failures in ati_reg_read_offs/ati_reg_write_offs
From: BALATON Zoltan @ 2020-05-16 11:25 UTC (permalink / raw)
  To: qemu-devel

On Fri, 15 May 2020, Launchpad Bug Tracker wrote:
> You have been subscribed to a public bug by Philippe Mathieu-Daudé (philmd):
>
> Hello,
> While fuzzing, I found inputs that trigger assertion failures in
> ati_reg_read_offs/ati_reg_write_offs
>
> uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length
>> 0 && length <= 32 - start' failed
>
> #3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
> #4  0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
> #5  0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
> #6  0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
> #7  0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
> #8  0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396

Here's a stack trace with --enable-debug, which is more useful:

#4  0x0000555555b39464 in extract32 (value=0, start=16, length=32) at /home/balaton/src/qemu/include/qemu/bitops.h:300
#5  0x0000555555b3a45f in ati_reg_read_offs (reg=0, offs=2, size=4) at hw/display/ati.c:269
#6  0x0000555555b3a9f1 in ati_mm_read (opaque=0x555556f35610, addr=26, size=4) at hw/display/ati.c:299
#7  0x0000555555b3a988 in ati_mm_read (opaque=0x555556f35610, addr=4, size=4) at hw/display/ati.c:290

It's trying to do an indexed read via the MM_DATA reg of the middle of reg 
0x18 BIOS_2_SCRATCH, which ends up calling ati_reg_read_offs with 
out-of-bound values. Maybe we should clamp size somewhere.

Regards,
BALATON Zoltan

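The debug trace above pins the failure down: ati_reg_read_offs(reg, offs=2, size=4) calls extract32(reg, 16, 32), so offs and size are byte quantities turned into a bit position and length, and a 4-byte access starting at byte 2 of a 32-bit register runs 2 bytes past its end, which extract32's precondition rejects. The code below is an added example, not QEMU's code and not the upstream fix: it models that helper with the same precondition, adds a preflight check that mirrors the assertion, and shows the clamping option raised in the message. The `my_` and `_clamped` names are hypothetical; BIOS_2_SCRATCH = 0x18 and the mm_index value 0x1a come from the thread.

```c
/*
 * Added example (not QEMU's code): model of the byte-offset register access
 * behind the assertion in this thread, plus a clamped variant.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_BYTE  8
#define BIOS_2_SCRATCH 0x18   /* register offset as named in the thread */

/* Same contract as QEMU's extract32(): 0 <= start, 0 < length <= 32 - start. */
static uint32_t my_extract32(uint32_t value, int start, int length)
{
    assert(start >= 0 && length > 0 && length <= 32 - start);
    return (value >> start) & (~0U >> (32 - length));
}

/* Same contract as QEMU's deposit32(). */
static uint32_t my_deposit32(uint32_t value, int start, int length, uint32_t field)
{
    uint32_t mask;
    assert(start >= 0 && length > 0 && length <= 32 - start);
    mask = (~0U >> (32 - length)) << start;
    return (value & ~mask) | ((field << start) & mask);
}

/* Preflight mirroring the assertion: would a `size`-byte access at byte
 * offset `offs` stay inside a 32-bit register? (offs=2, size=4 does not.) */
static bool offs_access_in_range(int offs, unsigned int size)
{
    return offs >= 0 && size > 0 && (unsigned int)offs + size <= 4;
}

/* Clamp the access to the bytes that exist in the register. Returns the
 * usable size, or 0 if no byte of the access falls inside the register. */
static unsigned int clamp_offs_size(int offs, unsigned int size)
{
    if (offs < 0 || offs > 3) {
        return 0;
    }
    return size > 4 - (unsigned int)offs ? 4 - (unsigned int)offs : size;
}

/* Hypothetical read helper: the fast path for a whole-register read, and a
 * clamped extract32 otherwise, so the precondition always holds. */
static uint32_t reg_read_offs_clamped(uint32_t reg, int offs, unsigned int size)
{
    size = clamp_offs_size(offs, size);
    if (size == 0) {
        return 0;
    }
    if (offs == 0 && size == 4) {
        return reg;
    }
    return my_extract32(reg, offs * BITS_PER_BYTE, size * BITS_PER_BYTE);
}

/* Hypothetical write helper with the same clamp; the low bytes of val are
 * deposited at the byte offset, the rest of the register is preserved. */
static uint32_t reg_write_offs_clamped(uint32_t reg, int offs, unsigned int size,
                                       uint32_t val)
{
    size = clamp_offs_size(offs, size);
    if (size == 0) {
        return reg;
    }
    if (offs == 0 && size == 4) {
        return val;
    }
    return my_deposit32(reg, offs * BITS_PER_BYTE, size * BITS_PER_BYTE, val);
}

/* Byte offset of an indexed MM_DATA access inside the register it lands in:
 * the reproducer's mm_index 0x1a is byte 2 of BIOS_2_SCRATCH (0x18). */
static int indexed_offs(uint32_t mm_index, uint32_t reg_base)
{
    return (int)(mm_index - reg_base);
}

int main(void)
{
    int offs = indexed_offs(0x1a, BIOS_2_SCRATCH);
    printf("offs=%d size=4 in range: %s\n", offs,
           offs_access_in_range(offs, 4) ? "yes" : "no");
    printf("clamped read of 0xAABBCCDD at offs %d size 4: 0x%x\n", offs,
           (unsigned int)reg_read_offs_clamped(0xAABBCCDDu, offs, 4));
    return 0;
}
```

Clamping is only one option; rejecting the access, or splitting it across the adjacent register, are others, and the upstream fix is the commit linked in the last message of this thread. The point that carries over to any MMIO model is that guest-controlled offsets and sizes must be checked against the register width before they are turned into bit positions, because the assertion in extract32 is a debug aid, not an access check.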

* Re: [Bug 1878134] [NEW] Assertion failures in ati_reg_read_offs/ati_reg_write_offs
From: BALATON Zoltan @ 2020-05-16 13:31 UTC (permalink / raw)
  To: qemu-devel

Sent patch that should fix this:
https://patchew.org/QEMU/20200516132352.39E9374594E@zero.eik.bme.hu/


* [Bug 1878134] Re: Assertion failures in ati_reg_read_offs/ati_reg_write_offs
From: Thomas Huth @ 2020-08-20 15:12 UTC (permalink / raw)
  To: qemu-devel

https://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0588cb51da698671

** Changed in: qemu
       Status: New => Fix Released

