qemu-devel.nongnu.org archive mirror
* [Bug 1911075] [NEW] [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
From: Alexander Bulekov @ 2021-01-12  0:35 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

=== Reproducer ===
while true; do cat << EOF; done | ./qemu-system-i386 -machine q35 -nodefaults -nographic -qtest stdio -accel qtest
outl 0xcf8 0x8000fa27
outl 0xcfc 0x37414537
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writew 0x37000f01 0x215a
writeq 0x37000100 0xfffaf
writeq 0x37000115 0xffff373d27004037
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writeq 0x370000ff 0x3700011500
writeq 0x37000115 0xc41ffffff035a5a
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000ea00
outw 0xcfc 0x5a1f
writeq 0x37000115 0x100007765746972
writeq 0x37000115 0xbf00000000000000
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000fa46
outb 0xcfc 0xff
clock_step
writeq 0x37000115 0xaf
writeq 0x37000115 0x6301275541af7415
writeq 0x37000115 0xafaf5a5a743715
outb 0x64 0xfe
EOF

=== Stack Trace ===
==887446==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffe567cae0c (pc 0x7fdd9100819e bp 0x7ffe567cb2b0 sp 0x7ffe567cad40 T887446)

#0 vfprintf
#1 fprintf
#2 ahci_mem_write /src/qemu/hw/ide/ahci.c:468:9
#3 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#4 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#5 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#6 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#7 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#8 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#9 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
#10 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
#11 map_page /src/qemu/hw/ide/ahci.c:249:9
#12 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
#13 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
#14 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
#15 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
#16 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#17 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#18 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#19 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#20 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#21 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#22 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
#23 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
#24 map_page /src/qemu/hw/ide/ahci.c:249:9
#25 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
#26 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
#27 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
#28 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
... Repeat until we run out of stack

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1911075


To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1911075/+subscriptions



* [Bug 1911075] Re: [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
From: Thomas Huth @ 2021-01-12  8:59 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
     Assignee: (unassigned) => John Snow (jnsnow)




* [Bug 1911075] Re: [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
From: Philippe Mathieu-Daudé @ 2021-01-12 11:25 UTC (permalink / raw)
  To: qemu-devel

Having a quick look, the problem might be in ahci_cond_start_engines()
which calls ahci_map_clb_address(), then ahci_map_fis_address() fails
and we return without calling ahci_unmap_clb_address().

** Changed in: qemu
       Status: New => Confirmed




* [Bug 1911075] Re: [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
From: Philippe Mathieu-Daudé @ 2021-01-12 11:27 UTC (permalink / raw)
  To: qemu-devel

And ahci_port_write(AHCI_PORT_REG_CMD) doesn't check the
ahci_cond_start_engines() return value, calling
ahci_init_d2h() even if the former failed.



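As an added illustration, not code from QEMU or from anyone in this thread: a constructed C model of the loop visible in the trace above (map_page unmapping a still-recorded mapping whose bounce-buffer write-back lands on the port's own PxCMD register and re-enters the port write handler), with the two points raised in the thread applied in the hardened variant (unmap CLB when the FIS mapping fails; check the return value) plus one further assumption of this model: the mapping record is cleared before the re-entrant write-back. All addresses, register offsets and buffer contents are constructed, and MAX_DEPTH stands in for the real stack so the overflow is reported instead of hit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not QEMU's code) of the loop in the trace: unmapping a DMA
 * mapping that points into the controller's own registers writes the bounce
 * buffer back into those registers, re-entering the port write handler. */
enum { DEV_BASE = 0x37000000, DEV_SIZE = 0x1000, REG_CMD = 0x118, CLB_LEN = 1024, MAX_DEPTH = 16 };
enum { CMD_ST = 1u << 0, CMD_FRE = 1u << 4, CMD_FR = 1u << 14, CMD_CR = 1u << 15, CMD_RO = CMD_FR | CMD_CR };
typedef struct {
    bool fixed;                        /* false: behaviour as in the trace; true: hardened */
    uint32_t cmd;                      /* PxCMD: ST and FRE writable, FR and CR read-only */
    uint64_t clb, fb;                  /* guest-programmed command list and FIS base */
    uint8_t *lst, *fis;                /* current DMA mappings */
    bool bounce_in_use; uint64_t bounce_addr; size_t bounce_len; uint8_t bounce[CLB_LEN];
    int depth, max_depth, d2h_sent;    /* d2h_sent: engine starts reported to the guest */
    bool overflow;                     /* recursion budget (MAX_DEPTH stands in for the stack) hit */
} Model;
static void port_write(Model *m, uint64_t off, uint32_t val);

/* Only the device's own MMIO range maps, through one bounce buffer; anything else fails. */
static uint8_t *dma_map(Model *m, uint64_t addr, size_t len) {
    if (addr < DEV_BASE || addr - DEV_BASE + len > DEV_SIZE || len > CLB_LEN || m->bounce_in_use) return NULL;
    m->bounce_in_use = true; m->bounce_addr = addr; m->bounce_len = len;
    memset(m->bounce, 0x11, len);      /* constructed stale contents: ST|FRE in every word */
    return m->bounce;
}
/* Write-back is dispatched register by register, so a buffer covering PxCMD re-enters port_write(). */
static void dma_unmap(Model *m, uint8_t *p) {
    if (p != m->bounce) return;
    for (size_t i = 0; i + 4 <= m->bounce_len; i += 4) {
        uint32_t v; memcpy(&v, p + i, 4);
        port_write(m, m->bounce_addr - DEV_BASE + i, v);
    }
    m->bounce_in_use = false;
}
static void unmap(Model *m, uint8_t **ptr) {
    uint8_t *old = *ptr;
    if (m->fixed) *ptr = NULL;         /* hardened: forget the mapping before the re-entrant write-back */
    if (old) dma_unmap(m, old);
    *ptr = NULL;
}
static bool map_page(Model *m, uint8_t **ptr, uint64_t addr, size_t len) {
    unmap(m, ptr);                     /* a still-recorded old mapping is unmapped first, as in the trace */
    return (*ptr = dma_map(m, addr, len)) != NULL;
}
static int cond_start_engines(Model *m) {
    bool st = m->cmd & CMD_ST, cr = m->cmd & CMD_CR, fre = m->cmd & CMD_FRE, fr = m->cmd & CMD_FR;
    if (st && !cr) {
        if (!map_page(m, &m->lst, m->clb, CLB_LEN)) { m->cmd &= ~CMD_ST; return -1; }
        m->cmd |= CMD_CR;
    } else if (!st && cr) {
        m->cmd &= ~CMD_CR; unmap(m, &m->lst);
    }
    if (fre && !fr) {
        if (map_page(m, &m->fis, m->fb, 256)) { m->cmd |= CMD_FR; return 0; }
        m->cmd &= ~CMD_FRE;
        if (m->fixed) { m->cmd &= ~CMD_CR; unmap(m, &m->lst); }   /* the unmap the thread notes is missing */
        return -1;
    }
    return 0;
}
static void port_write(Model *m, uint64_t off, uint32_t val) {
    if (++m->depth > MAX_DEPTH) { m->overflow = true; m->depth--; return; }
    if (m->depth > m->max_depth) m->max_depth = m->depth;
    if (off == REG_CMD) {
        m->cmd = (m->cmd & CMD_RO) | (val & ~CMD_RO);
        if (cond_start_engines(m) == 0 || !m->fixed) m->d2h_sent++;   /* buggy: failure ignored */
    }
    m->depth--;
}
/* Guest points CLB at the port's own registers and the FIS base at an unmappable
 * address, starts both engines, then clears ST. */
static Model run_scenario(bool fixed) {
    Model m; memset(&m, 0, sizeof m);
    m.fixed = fixed; m.clb = DEV_BASE + 0x100; m.fb = 0xffffffff00000000ull;
    port_write(&m, REG_CMD, CMD_ST | CMD_FRE);
    port_write(&m, REG_CMD, CMD_FRE);
    return m;
}
```

run_scenario(false) reproduces the unbounded re-entry (overflow set, depth at the budget, engine starts reported despite the failure); run_scenario(true) stops at depth 2 with no mapping left and nothing reported.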

* [Bug 1911075] Re: [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
From: Peter Maydell @ 2021-01-15 16:08 UTC (permalink / raw)
  To: qemu-devel

** Tags added: fuzzer




* [Bug 1911075] Re: [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
From: Thomas Huth @ 2021-05-01  5:48 UTC (permalink / raw)
  To: qemu-devel

This is an automated cleanup. This bug report has been moved
to QEMU's new bug tracker on gitlab.com and thus gets marked
as 'expired' now. Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/62


** Changed in: qemu
       Status: Confirmed => Expired

** Changed in: qemu
     Assignee: John Snow (jnsnow) => (unassigned)

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #62
   https://gitlab.com/qemu-project/qemu/-/issues/62



