* [Bug 1910826] [NEW] [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
@ 2021-01-08 22:31 Alexander Bulekov
2021-01-12 14:47 ` [Bug 1910826] " Qiuhao Li
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Alexander Bulekov @ 2021-01-08 22:31 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
Repeat until we run out of stack
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910826
Title:
[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in
rtlNUMBER_transmit_one
Status in QEMU:
New
Bug description:
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
Repeat until we run out of stack
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
2021-01-08 22:31 [Bug 1910826] [NEW] [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Alexander Bulekov
@ 2021-01-12 14:47 ` Qiuhao Li
2021-01-15 16:08 ` Peter Maydell
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Qiuhao Li @ 2021-01-12 14:47 UTC (permalink / raw)
To: qemu-devel
A more concise version and corresponding notes. Might help :)
-- [ Reproducer
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x06
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0xff000037 0x1 0x0c
writel 0xff000030 0xff000010
write 0xff000040 0x4 0x100006
write 0xff000044 0x4 0x01
write 0xff000010 0x4 0x01
EOF
-- [ Notes
/* Make the MMIO region start from 0xff000000 */
outl 0xcf8 0x80000817
outb 0xcfc 0xff
/*Command Register: enable receiver and transmitter*/
write 0xff000037 0x1 0x0c
/* set Receive (Rx) Buffer Start Address at 0xff000010 */
/* Note: 0xff000010 - 0xff000000 = 0x10 is the offset of TSD0*/
writel 0xff000030 0xff000010
/* TXRR, Tx Retry Count = 1 */
/* set transmit mode into the loopback */
write 0xff000040 0x4 0x100006
/* Receive Configuration Register: Accept All Packets */
write 0xff000044 0x4 0x01
/* TSD0: set Descriptor Size to 1 and trigger a tranfer*/
write 0xff000010 0x4 0x01
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910826
Title:
[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in
rtlNUMBER_transmit_one
Status in QEMU:
New
Bug description:
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
Repeat until we run out of stack
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
2021-01-08 22:31 [Bug 1910826] [NEW] [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Alexander Bulekov
2021-01-12 14:47 ` [Bug 1910826] " Qiuhao Li
@ 2021-01-15 16:08 ` Peter Maydell
2021-03-17 14:53 ` Alexander Bulekov
2021-04-30 8:19 ` Thomas Huth
3 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2021-01-15 16:08 UTC (permalink / raw)
To: qemu-devel
** Tags added: fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910826
Title:
[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in
rtlNUMBER_transmit_one
Status in QEMU:
New
Bug description:
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
Repeat until we run out of stack
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
2021-01-08 22:31 [Bug 1910826] [NEW] [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Alexander Bulekov
2021-01-12 14:47 ` [Bug 1910826] " Qiuhao Li
2021-01-15 16:08 ` Peter Maydell
@ 2021-03-17 14:53 ` Alexander Bulekov
2021-04-30 8:19 ` Thomas Huth
3 siblings, 0 replies; 5+ messages in thread
From: Alexander Bulekov @ 2021-03-17 14:53 UTC (permalink / raw)
To: qemu-devel
OSS-Fuzz says this issue has been fixed.
** Changed in: qemu
Status: New => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910826
Title:
[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in
rtlNUMBER_transmit_one
Status in QEMU:
Fix Committed
Bug description:
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
Repeat until we run out of stack
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
2021-01-08 22:31 [Bug 1910826] [NEW] [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Alexander Bulekov
` (2 preceding siblings ...)
2021-03-17 14:53 ` Alexander Bulekov
@ 2021-04-30 8:19 ` Thomas Huth
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Huth @ 2021-04-30 8:19 UTC (permalink / raw)
To: qemu-devel
https://gitlab.com/qemu-project/qemu/-/commit/5311fb805a4403bba
** Changed in: qemu
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910826
Title:
[OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in
rtlNUMBER_transmit_one
Status in QEMU:
Fix Released
Bug description:
=== Reproducer ===
cat << EOF | ../build/qemu-system-i386 -machine q35 \
-nodefaults -device rtl8139,netdev=net0 \
-netdev user,id=net0 -display none -qtest stdio
outl 0xcf8 0x80000804
outb 0xcfc 0x26
outl 0xcf8 0x80000817
outb 0xcfc 0xff
write 0x1 0x1 0x42
write 0x5 0x1 0x42
write 0x9 0x1 0x42
write 0xd 0x1 0x42
write 0xff000044 0x4 0x11
write 0xff000037 0x1 0x1c
writel 0xff000030 0xff000000
write 0xff000040 0x4 0x100006
write 0xff000010 0x4 0x01020
EOF
=== Stack Trace ===
==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0)
#0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815
#1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#9 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#10 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
#19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5
#20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9
#21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5
#22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13
#23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9
#24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#28 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#29 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5
#36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9
#37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9
Repeat until we run out of stack
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-04-30 8:34 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-08 22:31 [Bug 1910826] [NEW] [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Alexander Bulekov
2021-01-12 14:47 ` [Bug 1910826] " Qiuhao Li
2021-01-15 16:08 ` Peter Maydell
2021-03-17 14:53 ` Alexander Bulekov
2021-04-30 8:19 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).