* [Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
@ 2021-01-11 2:47 Cheol-Woo,Myung
2021-01-11 4:09 ` [Bug 1910941] " Alexander Bulekov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Cheol-Woo,Myung @ 2021-01-11 2:47 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
Hello,
Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.
A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master)
```
qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()
```
To reproduce this issue, please run the QEMU with the following command
line.
```
# To reproduce this issue, please run the QEMU process with the
following command line.
$ qemu-system-i386 -m 512 -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0
```
Please let me know if I can provide any further info.
Thank you.
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "attachment.tar.gz"
https://bugs.launchpad.net/bugs/1910941/+attachment/5451586/+files/attachment.tar.gz
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910941
Title:
Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
Status in QEMU:
New
Bug description:
Hello,
Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.
A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master)
```
qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()
```
To reproduce this issue, please run the QEMU with the following
command line.
```
# To reproduce this issue, please run the QEMU process with the
following command line.
$ qemu-system-i386 -m 512 -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0
```
Please let me know if I can provide any further info.
Thank you.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910941/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1910941] Re: Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
2021-01-11 2:47 [Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk Cheol-Woo,Myung
@ 2021-01-11 4:09 ` Alexander Bulekov
2021-01-15 16:08 ` Peter Maydell
2021-05-14 18:46 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Alexander Bulekov @ 2021-01-11 4:09 UTC (permalink / raw)
To: qemu-devel
This is OSS-Fuzz Issue 26797
=== Reproducer ===
cat << EOF | ./qemu-system-i386 -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw \
-serial none -monitor none -qtest stdio -nographic
outl 0xcf8 0x80001890
outl 0xcfc 0x4
outl 0xcf8 0x8000188a
outl 0xcfc 0xd4624
outl 0xcf8 0x80001894
outl 0xcfc 0x20000002
outl 0xcf8 0x80001889
outl 0xcfc 0x18000000
outl 0xcf8 0x80001896
outl 0xcfc 0x0
outl 0xcf8 0x8000188c
outw 0xcfc 0x20
outl 0xcf8 0x80001894
outl 0xcfc 0x1
outl 0xcf8 0x8000188c
outw 0xcfc 0x1c
outl 0xcf8 0x80001895
outl 0xcfc 0x0
outl 0xcf8 0x80001889
outl 0xcfc 0x18000000
outl 0xcf8 0x80001894
outl 0xcfc 0x40
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001894
outl 0xcfc 0x1004
EOF
=== Stack Trace ===
qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
==2382430== ERROR: libFuzzer: deadly signal
#8 address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
#9 stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
#10 virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
#11 vring_set_avail_event /src/qemu/hw/virtio/virtio.c:429:5
#12 virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:438:9
#13 virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:499:9
#14 virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
#15 virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
#16 virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2326:15
#17 virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3533:9
#18 aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
#19 aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
#20 aio_dispatch /src/qemu/util/aio-posix.c:382:5
#21 aio_ctx_dispatch /src/qemu/util/async.c:306:5
#22 g_main_context_dispatch
#23 glib_pollfds_poll /src/qemu/util/main-loop.c:232:9
#24 os_host_main_loop_wait /src/qemu/util/main-loop.c:255:5
#25 main_loop_wait /src/qemu/util/main-loop.c:531:11
#26 flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:49:9
#27 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:683:17
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2qemu-fuzz-i386
-target-generic-fuzz-virtio-blk:
/src/qemu/include/exec/memory_ldst_cached.h.inc:88: void
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t,
MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <=
cache->len - addr' failed.6797
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910941
Title:
Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
Status in QEMU:
New
Bug description:
Hello,
Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.
A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master)
```
qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()
```
To reproduce this issue, please run the QEMU with the following
command line.
```
# To reproduce this issue, please run the QEMU process with the
following command line.
$ qemu-system-i386 -m 512 -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0
```
Please let me know if I can provide any further info.
Thank you.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910941/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1910941] Re: Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
2021-01-11 2:47 [Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk Cheol-Woo,Myung
2021-01-11 4:09 ` [Bug 1910941] " Alexander Bulekov
@ 2021-01-15 16:08 ` Peter Maydell
2021-05-14 18:46 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2021-01-15 16:08 UTC (permalink / raw)
To: qemu-devel
** Tags added: fuzzer
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910941
Title:
Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
Status in QEMU:
New
Bug description:
Hello,
Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.
A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master)
```
qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()
```
To reproduce this issue, please run the QEMU with the following
command line.
```
# To reproduce this issue, please run the QEMU process with the
following command line.
$ qemu-system-i386 -m 512 -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0
```
Please let me know if I can provide any further info.
Thank you.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910941/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1910941] Re: Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
2021-01-11 2:47 [Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk Cheol-Woo,Myung
2021-01-11 4:09 ` [Bug 1910941] " Alexander Bulekov
2021-01-15 16:08 ` Peter Maydell
@ 2021-05-14 18:46 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-05-14 18:46 UTC (permalink / raw)
To: qemu-devel
This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/301
** Changed in: qemu
Status: New => Expired
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #301
https://gitlab.com/qemu-project/qemu/-/issues/301
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910941
Title:
Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
Status in QEMU:
Expired
Bug description:
Hello,
Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.
A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master)
```
qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()
```
To reproduce this issue, please run the QEMU with the following
command line.
```
# To reproduce this issue, please run the QEMU process with the
following command line.
$ qemu-system-i386 -m 512 -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0
```
Please let me know if I can provide any further info.
Thank you.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910941/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-14 18:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-11 2:47 [Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk Cheol-Woo,Myung
2021-01-11 4:09 ` [Bug 1910941] " Alexander Bulekov
2021-01-15 16:08 ` Peter Maydell
2021-05-14 18:46 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).