qemu-devel.nongnu.org archive mirror
* [Bug 1911839] [NEW] [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue
@ 2021-01-15  2:38 Alexander Bulekov
  2021-01-15 16:07 ` [Bug 1911839] " Peter Maydell
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Alexander Bulekov @ 2021-01-15  2:38 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

=== Reproducer ===
cat << EOF | ./qemu-system-i386 -M q35 -accel qtest \
-qtest stdio -nographic -nodefaults -device \
e1000e,netdev=net0 -netdev user,id=net0 
outl 0xcf8 0x80000811
outl 0xcfc 0x5ac600
outl 0xcf8 0x80000801
outl 0xcfc 0x26000000
write 0x5ac60100 0x4 0x56000302
write 0x5ac6011a 0x2 0x1006
write 0x5ac60120 0x1 0x25
write 0x5ac6042a 0x2 0x4048
write 0x5ac60431 0x1 0x04
write 0x4240 0x1 0xff
write 0x4241 0x1 0x01
write 0x4249 0x1 0xf5
write 0x1ff 0x1 0x11
write 0x5ac60401 0x1 0x12
write 0x5ac6043a 0x2 0x3000
write 0x5ac60112 0x2 0xf090
write 0x5ac60430 0x1 0x0
write 0x239 0x1 0xff
write 0x2bb 0x1 0x41
write 0x9531 0x1 0xff
write 0x9532 0x1 0xff
write 0x9533 0x1 0xff
write 0x9534 0x1 0xff
write 0x9535 0x1 0xff
write 0x9536 0x1 0xff
write 0x9537 0x1 0xff
write 0x5ac60403 0x1 0x12
EOF

=== Stack Trace ===
==1364==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f90b7e00025,0x7f90b7e00604) and [0x7f90b7e00225, 0x7f90b7e00804) overlap
#0 __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 flatview_write_continue /src/qemu/softmmu/physmem.c:2764:13
#2 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#3 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#4 address_space_rw /src/qemu/softmmu/physmem.c:2901:16
#5 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12
#6 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12
#7 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12
#8 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12
#9 e1000e_write_to_rx_buffers /src/qemu/hw/net/e1000e_core.c:1405:9
#10 e1000e_write_packet_to_guest /src/qemu/hw/net/e1000e_core.c:1575:21
#11 e1000e_receive_iov /src/qemu/hw/net/e1000e_core.c:1702:9
#12 e1000e_nc_receive_iov /src/qemu/hw/net/e1000e.c:214:12
#13 net_tx_pkt_sendv /src/qemu/hw/net/net_tx_pkt.c:556:9
#14 net_tx_pkt_send /src/qemu/hw/net/net_tx_pkt.c:633:9
#15 net_tx_pkt_send_loopback /src/qemu/hw/net/net_tx_pkt.c:646:11
#16 e1000e_tx_pkt_send /src/qemu/hw/net/e1000e_core.c:657:16
#17 e1000e_process_tx_desc /src/qemu/hw/net/e1000e_core.c:736:17
#18 e1000e_start_xmit /src/qemu/hw/net/e1000e_core.c:927:9
#19 e1000e_set_tctl /src/qemu/hw/net/e1000e_core.c:2424:9
#20 e1000e_core_write /src/qemu/hw/net/e1000e_core.c:3256:9
#21 e1000e_mmio_write /src/qemu/hw/net/e1000e.c:110:5
#22 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#23 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#24 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#25 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#26 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#27 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#28 __wrap_qtest_writeq /src/qemu/tests/qtest/fuzz/qtest_wrappers.c:187:9
#29 op_write /src/qemu/tests/qtest/fuzz/generic_fuzz.c:479:13
#30 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:681:17

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29586

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1911839

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1911839/+subscriptions
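As an added example (not part of the bug report or of QEMU's sources), the C program below decodes the first four lines of the reproducer: the two outl pairs program the e1000e's PCI config space through ports 0xcf8/0xcfc, and the model assumes, as QEMU's pci_data_write() does, that the low bits of CONFIG_ADDRESS are honoured, so a dword write can land at an unaligned offset; it then computes by how many bytes the two ranges in the ASan line overlap. The names cf8_offset, cfg_write32, replay_reproducer and overlap_bytes are the example's own, and QEMU's per-register write masks are not modelled.

```c
/* Added example, not from the bug report or QEMU. Replays the reproducer's two
 * 0xcf8/0xcfc writes against a byte-granular model of the e1000e PCI config
 * space and decodes the result, then measures the overlap of the two ranges
 * ASan reported. Assumption, modelled on QEMU's pci_data_write(): the low two
 * bits of CONFIG_ADDRESS are kept, so a dword write may start unaligned.
 * QEMU's per-register write masks are deliberately not modelled. */
#include <stdint.h>
#include <stdio.h>

#define PCI_COMMAND 0x04   /* bit 1: memory decode, bit 2: bus master */
#define PCI_BAR0    0x10

/* Config-space offset selected by a CONFIG_ADDRESS value, -1 if the enable bit
 * is clear. Bus/device/function bits are ignored: only the e1000e is modelled. */
int cf8_offset(uint32_t v) { return (v >> 31) & 1 ? (int)(v & 0xff) : -1; }

/* One little-endian dword write to CONFIG_DATA at the (maybe unaligned) offset. */
void cfg_write32(uint8_t cfg[256], uint32_t cf8, uint32_t val)
{
    int off = cf8_offset(cf8);
    for (int i = 0; off >= 0 && i < 4 && off + i < 256; i++)
        cfg[off + i] = (val >> (8 * i)) & 0xff;
}

uint32_t cfg_read32(const uint8_t cfg[256], int off)
{
    return cfg[off] | cfg[off + 1] << 8 | cfg[off + 2] << 16 | (uint32_t)cfg[off + 3] << 24;
}

struct repro_cfg { uint32_t bar0_base; uint16_t command; };

/* Replay the reproducer's outl pairs and decode what the device ends up with:
 * BAR0 = 0x5ac60000 (the base of every later MMIO write) and command = 0x0026
 * (memory decode and bus mastering on, so the device can DMA to guest RAM). */
struct repro_cfg replay_reproducer(void)
{
    uint8_t cfg[256] = {0};
    cfg_write32(cfg, 0x80000811, 0x5ac600);   /* offset 0x11: BAR0 bytes 1..3 */
    cfg_write32(cfg, 0x80000801, 0x26000000); /* offset 0x01: byte 3 lands in PCI_COMMAND */
    struct repro_cfg r = { cfg_read32(cfg, PCI_BAR0) & ~0xfu,  /* drop memory-BAR flag bits */
                           (uint16_t)(cfg[PCI_COMMAND] | cfg[PCI_COMMAND + 1] << 8) };
    return r;
}

/* Bytes shared by two half-open ranges; memcpy is only valid when this is 0. */
uint64_t overlap_bytes(uint64_t a_lo, uint64_t a_hi, uint64_t b_lo, uint64_t b_hi)
{
    uint64_t lo = a_lo > b_lo ? a_lo : b_lo, hi = a_hi < b_hi ? a_hi : b_hi;
    return hi > lo ? hi - lo : 0;
}

int main(void)
{
    struct repro_cfg r = replay_reproducer();
    printf("BAR0 base 0x%08x, command 0x%04x\n", r.bar0_base, r.command);
    printf("ASan ranges overlap by 0x%llx bytes\n", (unsigned long long)
           overlap_bytes(0x7f90b7e00025, 0x7f90b7e00604, 0x7f90b7e00225, 0x7f90b7e00804));
    return 0;
}
```

The decoded BAR0 base is exactly the prefix of the reproducer's MMIO writes (0x5ac601xx, 0x5ac604xx), and the two ASan ranges share 0x3df of their 0x5df bytes, which is why the memcpy in flatview_write_continue is flagged.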



* [Bug 1911839] Re: [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue
  2021-01-15  2:38 [Bug 1911839] [NEW] [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue Alexander Bulekov
@ 2021-01-15 16:07 ` Peter Maydell
  2021-06-10 15:08 ` Thomas Huth
  2021-08-20 23:08 ` Alexander Bulekov
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2021-01-15 16:07 UTC (permalink / raw)
  To: qemu-devel

** Tags added: fuzzer


* [Bug 1911839] Re: [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue
  2021-01-15  2:38 [Bug 1911839] [NEW] [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue Alexander Bulekov
  2021-01-15 16:07 ` [Bug 1911839] " Peter Maydell
@ 2021-06-10 15:08 ` Thomas Huth
  2021-08-20 23:08 ` Alexander Bulekov
  2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-06-10 15:08 UTC (permalink / raw)
  To: qemu-devel

This is still reproducible with the current git version (commit
7fe7fae8b48e3f9c647fd685e5155ebc8e6fb84d) and clang with ASAN enabled.

** Changed in: qemu
       Status: New => Confirmed


* [Bug 1911839] Re: [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue
  2021-01-15  2:38 [Bug 1911839] [NEW] [OSS-Fuzz] Issue 29586 e1000e: Memcpy-param-overlap in flatview_write_continue Alexander Bulekov
  2021-01-15 16:07 ` [Bug 1911839] " Peter Maydell
  2021-06-10 15:08 ` Thomas Huth
@ 2021-08-20 23:08 ` Alexander Bulekov
  2 siblings, 0 replies; 4+ messages in thread
From: Alexander Bulekov @ 2021-08-20 23:08 UTC (permalink / raw)
  To: qemu-devel

*** This bug is a duplicate of bug 1878034 ***
    https://bugs.launchpad.net/bugs/1878034

** This bug has been marked a duplicate of bug 1878034
   memcpy param-overlap through e1000e_write_to_rx_buffers

