* [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug

From: Alexander Bulekov @ 2021-01-07 22:25 UTC
To: qemu-devel

Public bug reported:

=== Reproducer ===
cat << EOF | ../build-system/qemu-system-i386 \
-machine q35 -device sb16,audiodev=snd0 \
-audiodev none,id=snd0 -nographic -nodefaults \
-qtest stdio
outw 0x22c 0x41
outb 0x22c 0x0
outw 0x22c 0x1004
outw 0x22c 0x1c
EOF

=== Stack Trace ===
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
Aborted
    #0 raise
    #1 abort
    #2 audio_bug /src/qemu/audio/audio.c:119:9
    #3 audio_calloc /src/qemu/audio/audio.c:154:9
    #4 audio_pcm_sw_alloc_resources_out /src/qemu/audio/audio_template.h:116:15
    #5 audio_pcm_sw_init_out /src/qemu/audio/audio_template.h:175:11
    #6 audio_pcm_create_voice_pair_out /src/qemu/audio/audio_template.h:410:9
    #7 AUD_open_out /src/qemu/audio/audio_template.h:503:14
    #8 continue_dma8 /src/qemu/hw/audio/sb16.c:216:20
    #9 dma_cmd8 /src/qemu/hw/audio/sb16.c:276:5
    #10 command /src/qemu/hw/audio/sb16.c:0
    #11 dsp_write /src/qemu/hw/audio/sb16.c:949:13
    #12 portio_write /src/qemu/softmmu/ioport.c:205:13
    #13 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
    #14 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
    #15 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
    #16 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
    #17 flatview_write /src/qemu/softmmu/physmem.c:2799:14
    #18 address_space_write /src/qemu/softmmu/physmem.c:2891:18
    #19 cpu_outw /src/qemu/softmmu/ioport.c:70:5

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910603

Title:
  [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug

Status in QEMU:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910603/+subscriptions
* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug

From: Peter Maydell @ 2021-01-15 16:09 UTC
To: qemu-devel

** Tags added: fuzzer
* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug

From: Thomas Huth @ 2021-05-26 15:31 UTC
To: qemu-devel

This is still reproducible with the current version of QEMU. Marking
this as "Confirmed"

** Changed in: qemu
       Status: New => Confirmed

** Tags added: audio
* [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
From: Philippe Mathieu-Daudé @ 2021-06-01 15:18 UTC
To: qemu-devel
Cc: 1910603, Alexander Bulekov, Gerd Hoffmann, Philippe Mathieu-Daudé

While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
Hardware Programming Guide" limits the sampling range from 4000 Hz to
44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
3-2 and 3-3).

Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
42h registers (Set digitized sound output sampling rate):

  Valid sampling rates range from 5000 to 45000 Hz inclusive.

There is no comment regarding error handling if the register is filled
with an out-of-range value. (See also section 3-28 "8-bit or 16-bit
Auto-initialize Transfer"). Assume limits are enforced in hardware.

This fixes triggering an assertion in audio_calloc():

  #1 abort
  #2 audio_bug audio/audio.c:119:9
  #3 audio_calloc audio/audio.c:154:9
  #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
  #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
  #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
  #7 AUD_open_out audio/audio_template.h:503:14
  #8 continue_dma8 hw/audio/sb16.c:216:20
  #9 dma_cmd8 hw/audio/sb16.c:276:5
  #10 command hw/audio/sb16.c:0
  #11 dsp_write hw/audio/sb16.c:949:13
  #12 portio_write softmmu/ioport.c:205:13
  #13 memory_region_write_accessor softmmu/memory.c:491:5
  #14 access_with_adjusted_size softmmu/memory.c:552:18
  #15 memory_region_dispatch_write softmmu/memory.c:0:13
  #16 flatview_write_continue softmmu/physmem.c:2759:23
  #17 flatview_write softmmu/physmem.c:2799:14
  #18 address_space_write softmmu/physmem.c:2891:18
  #19 cpu_outw softmmu/ioport.c:70:5

[*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html

Fixes: 85571bc7415 ("audio merge (malc)")
Buglink: https://bugs.launchpad.net/bugs/1910603
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> --- hw/audio/sb16.c | 14 ++++++++++ tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++ MAINTAINERS | 1 + tests/qtest/meson.build | 1 + 4 files changed, 68 insertions(+) create mode 100644 tests/qtest/fuzz-sb16-test.c diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c index 8b207004102..5cf121fe363 100644 --- a/hw/audio/sb16.c +++ b/hw/audio/sb16.c @@ -115,6 +115,9 @@ struct SB16State { PortioList portio_list; }; +#define SAMPLE_RATE_MIN 5000 +#define SAMPLE_RATE_MAX 45000 + static void SB_audio_callback (void *opaque, int free); static int magic_of_irq (int irq) @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len) int tmp = (256 - s->time_const); s->freq = (1000000 + (tmp / 2)) / tmp; } + if (s->freq < SAMPLE_RATE_MIN) { + qemu_log_mask(LOG_GUEST_ERROR, + "sampling range too low: %d, increasing to %u\n", + s->freq, SAMPLE_RATE_MIN); + s->freq = SAMPLE_RATE_MIN; + } else if (s->freq > SAMPLE_RATE_MAX) { + qemu_log_mask(LOG_GUEST_ERROR, + "sampling range too high: %d, decreasing to %u\n", + s->freq, SAMPLE_RATE_MAX); + s->freq = SAMPLE_RATE_MAX; + } if (dma_len != -1) { s->block_size = dma_len << s->fmt_stereo; diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c new file mode 100644 index 00000000000..51030cd7dc4 --- /dev/null +++ b/tests/qtest/fuzz-sb16-test.c 
@@ -0,0 +1,52 @@ +/* + * QTest fuzzer-generated testcase for sb16 audio device + * + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org> + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "libqos/libqtest.h" + +/* + * This used to trigger the assert in audio_calloc + * https://bugs.launchpad.net/qemu/+bug/1910603 + */ +static void test_fuzz_sb16_0x1c(void) +{ + QTestState *s = qtest_init("-M q35 -display none " + "-device sb16,audiodev=snd0 " + "-audiodev none,id=snd0"); + qtest_outw(s, 0x22c, 0x41); + qtest_outb(s, 0x22c, 0x00); + qtest_outw(s, 0x22c, 0x1004); + qtest_outw(s, 0x22c, 0x001c); + qtest_quit(s); +} + +static void test_fuzz_sb16_0x91(void) +{ + QTestState *s = qtest_init("-M pc -display none " + "-device sb16,audiodev=none " + "-audiodev id=none,driver=none"); + qtest_outw(s, 0x22c, 0xf141); + qtest_outb(s, 0x22c, 0x00); + qtest_outb(s, 0x22c, 0x24); + qtest_outb(s, 0x22c, 0x91); + qtest_quit(s); +} + +int main(int argc, char **argv) +{ + const char *arch = qtest_get_arch(); + + g_test_init(&argc, &argv, NULL); + + if (strcmp(arch, "i386") == 0) { + qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); + qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); + } + + return g_test_run(); +} diff --git a/MAINTAINERS b/MAINTAINERS index 5f55404f2fa..7edb26d2293 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2213,6 +2213,7 @@ F: qapi/audio.json F: tests/qtest/ac97-test.c F: tests/qtest/es1370-test.c F: tests/qtest/intel-hda-test.c +F: tests/qtest/fuzz-sb16-test.c Block layer core M: Kevin Wolf <kwolf@redhat.com> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build index c3a223a83d6..b03e8541700 100644 --- a/tests/qtest/meson.build +++ b/tests/qtest/meson.build 
@@ -20,6 +20,7 @@ qtests_generic = \ (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ + (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ [ 'cdrom-test', 'device-introspect-test', -- 2.26.3
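Review bot: SAMPLE_RATE_MIN/SAMPLE_RATE_MAX in the first hw/audio/sb16.c hunk carry the 5000 to 45000 Hz range that the commit message takes from section 6-15 of the programming guide, but nothing in the file says where the numbers come from, and the same guide's tables 3-2/3-3 quote a different 4000 to 44100 Hz range. A one-line comment above the two defines citing section 6-15 would keep that rationale with the code instead of only in git log.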
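Review bot: the clamp in the second hw/audio/sb16.c hunk is placed inside dma_cmd8() right after the time-constant conversion, so it only covers the 8-bit DMA path shown in the stack trace. s->freq is per-device state that the 41h/42h command sets before any DMA command runs, so if the 16-bit DMA command path opens its voice from the same s->freq it needs the same check; a small helper (for example `static int sb16_clamp_freq(int freq)`) called from both places would also avoid duplicating the two qemu_log_mask() blocks. Two smaller points in the same hunk: the messages say "sampling range too low/high" where it is the sampling rate that is out of range, and SAMPLE_RATE_MIN/MAX are printed with `%u` while `s->freq` is printed with `%d`; since the macros are plain int literals, `%d` for both is the consistent choice.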
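Review bot: test_fuzz_sb16_0x91 in the new tests/qtest/fuzz-sb16-test.c has no comment and is mentioned neither in the commit message nor in the Buglink or OSS-Fuzz report; the file-level comment only ties the 0x1c case to bug 1910603. Add a comment above test_fuzz_sb16_0x91 stating which report it reproduces and what the 0xf141/0x24/0x91 sequence exercises, or move it to the patch that fixes that case, so a future failure of that test can be traced back to its origin.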
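Review bot: in the MAINTAINERS hunk the new `F: tests/qtest/fuzz-sb16-test.c` line is appended after intel-hda-test.c, while the neighbouring entries (ac97-test.c, es1370-test.c, intel-hda-test.c) are in alphabetical order; place it between es1370-test.c and intel-hda-test.c to keep the list sorted.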
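Added example (not QEMU source and not part of this thread): a small C model of the two guest-controlled ways an SB16 driver sets the DSP sample rate, together with the clamp the patch introduces. The explicit 41h/42h rate word and the SAMPLE_RATE_MIN/SAMPLE_RATE_MAX limits are taken from the commit message; the legacy 40h time-constant path, its rounding formula (the expression visible in the dma_cmd8 hunk context), and the high-byte-first order of the rate word are assumptions from the Sound Blaster programming model rather than from the thread. It generalizes the patch slightly by handling both paths through one clamp and reporting whether a value was adjusted, so a reviewer can check the fix against concrete inputs, including the 5000 and 45000 Hz boundaries.

```c
/*
 * Added illustration, not QEMU source: a model of how the emulated SB16's
 * effective sample rate is derived from guest-written DSP parameters and
 * of the clamp the patch adds before the rate reaches the audio backend.
 *
 * Limits are the 5000..45000 Hz range the commit message takes from
 * section 6-15 of the Sound Blaster programming guide. The 40h
 * time-constant path and the high-byte-first order of the 41h/42h rate
 * word are assumptions from the SB programming model, not from the thread.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_RATE_MIN 5000
#define SAMPLE_RATE_MAX 45000

/* Is a rate inside the documented range (inclusive)? */
static bool rate_is_in_range(int rate)
{
    return rate >= SAMPLE_RATE_MIN && rate <= SAMPLE_RATE_MAX;
}

/* Rate for a 40h time constant, using the same rounding expression that
 * appears in the dma_cmd8() hunk context: (1000000 + tmp/2) / tmp. */
static int rate_from_time_const(uint8_t tc)
{
    int tmp = 256 - tc;           /* 1..256, never zero for a byte */
    return (1000000 + (tmp / 2)) / tmp;
}

/* Clamp a guest-supplied rate into range; *clamped (optional) tells the
 * caller whether the value was adjusted, which is the moment a device
 * model would emit its LOG_GUEST_ERROR message. */
static int clamp_sample_rate(int requested, bool *clamped)
{
    int rate = requested;
    if (rate < SAMPLE_RATE_MIN) {
        rate = SAMPLE_RATE_MIN;
    } else if (rate > SAMPLE_RATE_MAX) {
        rate = SAMPLE_RATE_MAX;
    }
    if (clamped) {
        *clamped = (rate != requested);
    }
    return rate;
}

/* Effective rate for an explicit 41h/42h rate word (hi byte, then lo). */
static int effective_rate_explicit(uint8_t hi, uint8_t lo, bool *clamped)
{
    return clamp_sample_rate((hi << 8) | lo, clamped);
}

/* Effective rate for a 40h time constant. */
static int effective_rate_time_const(uint8_t tc, bool *clamped)
{
    return clamp_sample_rate(rate_from_time_const(tc), clamped);
}

int main(void)
{
    /* Constructed inputs: a 4 Hz request, a 44100 Hz request and the two
     * time constants at the extremes of the byte range. */
    struct { const char *what; int rate; bool clamped; } rows[4];
    rows[0].what = "41h word 0x0004";
    rows[0].rate = effective_rate_explicit(0x00, 0x04, &rows[0].clamped);
    rows[1].what = "41h word 0xAC44";
    rows[1].rate = effective_rate_explicit(0xAC, 0x44, &rows[1].clamped);
    rows[2].what = "40h tc 0x00";
    rows[2].rate = effective_rate_time_const(0x00, &rows[2].clamped);
    rows[3].what = "40h tc 0xFF";
    rows[3].rate = effective_rate_time_const(0xFF, &rows[3].clamped);
    for (int i = 0; i < 4; i++) {
        printf("%-16s -> %6d Hz%s\n", rows[i].what, rows[i].rate,
               rows[i].clamped ? " (clamped)" : "");
    }
    return 0;
}
```

The time-constant path shows why a clamp is needed on both sides: a byte of 0x00 yields about 3906 Hz (below the minimum) and 0xFF yields 1000000 Hz, so a guest can drive the rate far outside what the backend's buffer sizing was written for through either command.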
* [Bug 1910603] [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range

From: Philippe Mathieu-Daudé @ 2021-06-01 15:18 UTC
To: qemu-devel
* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
From: Philippe Mathieu-Daudé @ 2021-06-14 11:13 UTC
To: Alexander Bulekov
Cc: Qiang Liu, qemu-devel, Gerd Hoffmann

ping?

On 6/1/21 5:18 PM, Philippe Mathieu-Daudé wrote:
> While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
> Hardware Programming Guide" limits the sampling range from 4000 Hz to
> 44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
> 3-2 and 3-3).
>
> Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
> 42h registers (Set digitized sound output sampling rate):
>
> Valid sampling rates range from 5000 to 45000 Hz inclusive.
>
> There is no comment regarding error handling if the register is filled
> with an out-of-range value. (See also section 3-28 "8-bit or 16-bit
> Auto-initialize Transfer"). Assume limits are enforced in hardware.
>
> This fixes triggering an assertion in audio_calloc():
>
> #1 abort
> #2 audio_bug audio/audio.c:119:9
> #3 audio_calloc audio/audio.c:154:9
> #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
> #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
> #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
> #7 AUD_open_out audio/audio_template.h:503:14
> #8 continue_dma8 hw/audio/sb16.c:216:20
> #9 dma_cmd8 hw/audio/sb16.c:276:5
> #10 command hw/audio/sb16.c:0
> #11 dsp_write hw/audio/sb16.c:949:13
> #12 portio_write softmmu/ioport.c:205:13
> #13 memory_region_write_accessor softmmu/memory.c:491:5
> #14 access_with_adjusted_size softmmu/memory.c:552:18
> #15 memory_region_dispatch_write softmmu/memory.c:0:13
> #16 flatview_write_continue softmmu/physmem.c:2759:23
> #17 flatview_write softmmu/physmem.c:2799:14
> #18 address_space_write softmmu/physmem.c:2891:18
> #19 cpu_outw softmmu/ioport.c:70:5
>
> [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html
>
> Fixes: 85571bc7415 ("audio merge (malc)")
> Buglink: https://bugs.launchpad.net/bugs/1910603
> OSS-Fuzz Report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174 > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > --- > hw/audio/sb16.c | 14 ++++++++++ > tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++ > MAINTAINERS | 1 + > tests/qtest/meson.build | 1 + > 4 files changed, 68 insertions(+) > create mode 100644 tests/qtest/fuzz-sb16-test.c > > diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c > index 8b207004102..5cf121fe363 100644 > --- a/hw/audio/sb16.c > +++ b/hw/audio/sb16.c > @@ -115,6 +115,9 @@ struct SB16State { > PortioList portio_list; > }; > > +#define SAMPLE_RATE_MIN 5000 > +#define SAMPLE_RATE_MAX 45000 > + > static void SB_audio_callback (void *opaque, int free); > > static int magic_of_irq (int irq) > @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len) > int tmp = (256 - s->time_const); > s->freq = (1000000 + (tmp / 2)) / tmp; > } > + if (s->freq < SAMPLE_RATE_MIN) { > + qemu_log_mask(LOG_GUEST_ERROR, > + "sampling range too low: %d, increasing to %u\n", > + s->freq, SAMPLE_RATE_MIN); > + s->freq = SAMPLE_RATE_MIN; > + } else if (s->freq > SAMPLE_RATE_MAX) { > + qemu_log_mask(LOG_GUEST_ERROR, > + "sampling range too high: %d, decreasing to %u\n", > + s->freq, SAMPLE_RATE_MAX); > + s->freq = SAMPLE_RATE_MAX; > + } > > if (dma_len != -1) { > s->block_size = dma_len << s->fmt_stereo; > diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c > new file mode 100644 > index 00000000000..51030cd7dc4 > --- /dev/null > +++ b/tests/qtest/fuzz-sb16-test.c 
> @@ -0,0 +1,52 @@ > +/* > + * QTest fuzzer-generated testcase for sb16 audio device > + * > + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org> > + * > + * SPDX-License-Identifier: GPL-2.0-or-later > + */ > + > +#include "qemu/osdep.h" > +#include "libqos/libqtest.h" > + > +/* > + * This used to trigger the assert in audio_calloc > + * https://bugs.launchpad.net/qemu/+bug/1910603 > + */ > +static void test_fuzz_sb16_0x1c(void) > +{ > + QTestState *s = qtest_init("-M q35 -display none " > + "-device sb16,audiodev=snd0 " > + "-audiodev none,id=snd0"); > + qtest_outw(s, 0x22c, 0x41); > + qtest_outb(s, 0x22c, 0x00); > + qtest_outw(s, 0x22c, 0x1004); > + qtest_outw(s, 0x22c, 0x001c); > + qtest_quit(s); > +} > + > +static void test_fuzz_sb16_0x91(void) > +{ > + QTestState *s = qtest_init("-M pc -display none " > + "-device sb16,audiodev=none " > + "-audiodev id=none,driver=none"); > + qtest_outw(s, 0x22c, 0xf141); > + qtest_outb(s, 0x22c, 0x00); > + qtest_outb(s, 0x22c, 0x24); > + qtest_outb(s, 0x22c, 0x91); > + qtest_quit(s); > +} > + > +int main(int argc, char **argv) > +{ > + const char *arch = qtest_get_arch(); > + > + g_test_init(&argc, &argv, NULL); > + > + if (strcmp(arch, "i386") == 0) { > + qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); > + qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); > + } > + > + return g_test_run(); > +} > diff --git a/MAINTAINERS b/MAINTAINERS > index 5f55404f2fa..7edb26d2293 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -2213,6 +2213,7 @@ F: qapi/audio.json > F: tests/qtest/ac97-test.c > F: tests/qtest/es1370-test.c > F: tests/qtest/intel-hda-test.c > +F: tests/qtest/fuzz-sb16-test.c > > Block layer core > M: Kevin Wolf <kwolf@redhat.com> > diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build > index c3a223a83d6..b03e8541700 100644 > --- a/tests/qtest/meson.build > +++ b/tests/qtest/meson.build 
> @@ -20,6 +20,7 @@ > qtests_generic = \ > (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ > (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ > + (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ > [ > 'cdrom-test', > 'device-introspect-test', >
* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
From: Qiang Liu @ 2021-06-14 12:11 UTC
To: Philippe Mathieu-Daudé
Cc: Alexander Bulekov, qemu-devel, Gerd Hoffmann

Hi Phil,

Thanks for inviting me. I've applied your patch. It seems fine because
my sb16 fuzzer is running for another 24 hours and it has no crash yet.
I can also double-check the specification.

Best,
Qiang

On Mon, Jun 14, 2021 at 7:13 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> ping?
>
> On 6/1/21 5:18 PM, Philippe Mathieu-Daudé wrote:
> > While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
> > Hardware Programming Guide" limits the sampling range from 4000 Hz to
> > 44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
> > 3-2 and 3-3).
> >
> > Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
> > 42h registers (Set digitized sound output sampling rate):
> >
> > Valid sampling rates range from 5000 to 45000 Hz inclusive.
> >
> > There is no comment regarding error handling if the register is filled
> > with an out-of-range value. (See also section 3-28 "8-bit or 16-bit
> > Auto-initialize Transfer"). Assume limits are enforced in hardware.
> > > > This fixes triggering an assertion in audio_calloc(): > > > > #1 abort > > #2 audio_bug audio/audio.c:119:9 > > #3 audio_calloc audio/audio.c:154:9 > > #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15 > > #5 audio_pcm_sw_init_out audio/audio_template.h:175:11 > > #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9 > > #7 AUD_open_out audio/audio_template.h:503:14 > > #8 continue_dma8 hw/audio/sb16.c:216:20 > > #9 dma_cmd8 hw/audio/sb16.c:276:5 > > #10 command hw/audio/sb16.c:0 > > #11 dsp_write hw/audio/sb16.c:949:13 > > #12 portio_write softmmu/ioport.c:205:13 > > #13 memory_region_write_accessor softmmu/memory.c:491:5 > > #14 access_with_adjusted_size softmmu/memory.c:552:18 > > #15 memory_region_dispatch_write softmmu/memory.c:0:13 > > #16 flatview_write_continue softmmu/physmem.c:2759:23 > > #17 flatview_write softmmu/physmem.c:2799:14 > > #18 address_space_write softmmu/physmem.c:2891:18 > > #19 cpu_outw softmmu/ioport.c:70:5 > > > > [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html > > > > Fixes: 85571bc7415 ("audio merge (malc)") > > Buglink: https://bugs.launchpad.net/bugs/1910603 > > OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174 > > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > > --- > > hw/audio/sb16.c | 14 ++++++++++ > > tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++ > > MAINTAINERS | 1 + > > tests/qtest/meson.build | 1 + > > 4 files changed, 68 insertions(+) > > create mode 100644 tests/qtest/fuzz-sb16-test.c > > > > diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c > > index 8b207004102..5cf121fe363 100644 > > --- a/hw/audio/sb16.c > > +++ b/hw/audio/sb16.c > > @@ -115,6 +115,9 @@ struct SB16State { > > PortioList portio_list; > > }; > > > > +#define SAMPLE_RATE_MIN 5000 > > +#define SAMPLE_RATE_MAX 45000 > > + > > static void SB_audio_callback (void *opaque, int free); > > > > static int magic_of_irq (int irq) 
> > @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len) > > int tmp = (256 - s->time_const); > > s->freq = (1000000 + (tmp / 2)) / tmp; > > } > > + if (s->freq < SAMPLE_RATE_MIN) { > > + qemu_log_mask(LOG_GUEST_ERROR, > > + "sampling range too low: %d, increasing to %u\n", > > + s->freq, SAMPLE_RATE_MIN); > > + s->freq = SAMPLE_RATE_MIN; > > + } else if (s->freq > SAMPLE_RATE_MAX) { > > + qemu_log_mask(LOG_GUEST_ERROR, > > + "sampling range too high: %d, decreasing to %u\n", > > + s->freq, SAMPLE_RATE_MAX); > > + s->freq = SAMPLE_RATE_MAX; > > + } > > > > if (dma_len != -1) { > > s->block_size = dma_len << s->fmt_stereo; > > diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c > > new file mode 100644 > > index 00000000000..51030cd7dc4 > > --- /dev/null > > +++ b/tests/qtest/fuzz-sb16-test.c 
> > @@ -0,0 +1,52 @@ > > +/* > > + * QTest fuzzer-generated testcase for sb16 audio device > > + * > > + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org> > > + * > > + * SPDX-License-Identifier: GPL-2.0-or-later > > + */ > > + > > +#include "qemu/osdep.h" > > +#include "libqos/libqtest.h" > > + > > +/* > > + * This used to trigger the assert in audio_calloc > > + * https://bugs.launchpad.net/qemu/+bug/1910603 > > + */ > > +static void test_fuzz_sb16_0x1c(void) > > +{ > > + QTestState *s = qtest_init("-M q35 -display none " > > + "-device sb16,audiodev=snd0 " > > + "-audiodev none,id=snd0"); > > + qtest_outw(s, 0x22c, 0x41); > > + qtest_outb(s, 0x22c, 0x00); > > + qtest_outw(s, 0x22c, 0x1004); > > + qtest_outw(s, 0x22c, 0x001c); > > + qtest_quit(s); > > +} > > + > > +static void test_fuzz_sb16_0x91(void) > > +{ > > + QTestState *s = qtest_init("-M pc -display none " > > + "-device sb16,audiodev=none " > > + "-audiodev id=none,driver=none"); > > + qtest_outw(s, 0x22c, 0xf141); > > + qtest_outb(s, 0x22c, 0x00); > > + qtest_outb(s, 0x22c, 0x24); > > + qtest_outb(s, 0x22c, 0x91); > > + qtest_quit(s); > > +} > > + > > +int main(int argc, char **argv) > > +{ > > + const char *arch = qtest_get_arch(); > > + > > + g_test_init(&argc, &argv, NULL); > > + > > + if (strcmp(arch, "i386") == 0) { > > + qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); > > + qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); > > + } > > + > > + return g_test_run(); > > +} > > diff --git a/MAINTAINERS b/MAINTAINERS > > index 5f55404f2fa..7edb26d2293 100644 > > --- a/MAINTAINERS > > +++ b/MAINTAINERS > > @@ -2213,6 +2213,7 @@ F: qapi/audio.json > > F: tests/qtest/ac97-test.c > > F: tests/qtest/es1370-test.c > > F: tests/qtest/intel-hda-test.c > > +F: tests/qtest/fuzz-sb16-test.c > > > > Block layer core > > M: Kevin Wolf <kwolf@redhat.com> > > diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build > > index c3a223a83d6..b03e8541700 100644 
> > --- a/tests/qtest/meson.build > > +++ b/tests/qtest/meson.build > > @@ -20,6 +20,7 @@ > > qtests_generic = \ > > (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ > > (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ > > + (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ > > [ > > 'cdrom-test', > > 'device-introspect-test', > > ^ permalink raw reply [flat|nested] 14+ messages in thread
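Review bot: test_fuzz_sb16_0x91() carries no comment on where its byte sequence came from, while test_fuzz_sb16_0x1c() links the Launchpad bug; since neither function asserts anything and both pass simply by not aborting, that comment is the only record of what each test guards, so add the bug or OSS-Fuzz reference for the 0x91 case and state that the pass criterion is not hitting the audio_calloc() assertion. The two tests also configure the same backend differently ("-device sb16,audiodev=snd0 -audiodev none,id=snd0" versus "-device sb16,audiodev=none -audiodev id=none,driver=none"); one spelling for both is easier to grep.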
* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-14 12:11 ` Qiang Liu @ 2021-06-14 15:06 ` Philippe Mathieu-Daudé 2021-06-15 13:43 ` Qiang Liu 0 siblings, 1 reply; 14+ messages in thread 
From: Philippe Mathieu-Daudé @ 2021-06-14 15:06 UTC (permalink / raw) To: Qiang Liu; +Cc: Alexander Bulekov, qemu-devel, Gerd Hoffmann On 6/14/21 2:11 PM, Qiang Liu wrote: > Hi Phil, > > Thanks for inviting me. I've applied your patch. It seems fine > because my sb16 fuzzer is running for another 24 hours and > it has no crash yet. Thanks for testing! Can we use your "Tested-by: Qiang Liu <cyruscyliu@gmail.com>" tag? > I can also double-check the specification. If you do, please send a "Reviewed-by: Qiang Liu <cyruscyliu@gmail.com>" tag :) > Best, > Qiang > > On Mon, Jun 14, 2021 at 7:13 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote: >> >> ping? >> >> On 6/1/21 5:18 PM, Philippe Mathieu-Daudé wrote: >>> While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series >>> Hardware Programming Guide" limit the sampling range from 4000 Hz to >>> 44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables >>> 3-2 and 3-3). >>> >>> Later, section 6-15 (DSP Commands) is more specific regarding the 41h / >>> 42h registers (Set digitized sound output sampling rate): >>> >>> Valid sampling rates range from 5000 to 45000 Hz inclusive. >>> >>> There is no comment regarding error handling if the register is filled >>> with an out-of-range value. (See also section 3-28 "8-bit or 16-bit >>> Auto-initialize Transfer"). Assume limits are enforced in hardware. 
>>> >>> This fixes triggering an assertion in audio_calloc(): >>> >>> #1 abort >>> #2 audio_bug audio/audio.c:119:9 >>> #3 audio_calloc audio/audio.c:154:9 >>> #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15 >>> #5 audio_pcm_sw_init_out audio/audio_template.h:175:11 >>> #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9 >>> #7 AUD_open_out audio/audio_template.h:503:14 >>> #8 continue_dma8 hw/audio/sb16.c:216:20 >>> #9 dma_cmd8 hw/audio/sb16.c:276:5 >>> #10 command hw/audio/sb16.c:0 >>> #11 dsp_write hw/audio/sb16.c:949:13 >>> #12 portio_write softmmu/ioport.c:205:13 >>> #13 memory_region_write_accessor softmmu/memory.c:491:5 >>> #14 access_with_adjusted_size softmmu/memory.c:552:18 >>> #15 memory_region_dispatch_write softmmu/memory.c:0:13 >>> #16 flatview_write_continue softmmu/physmem.c:2759:23 >>> #17 flatview_write softmmu/physmem.c:2799:14 >>> #18 address_space_write softmmu/physmem.c:2891:18 >>> #19 cpu_outw softmmu/ioport.c:70:5 >>> >>> [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html >>> >>> Fixes: 85571bc7415 ("audio merge (malc)") >>> Buglink: https://bugs.launchpad.net/bugs/1910603 >>> OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174 >>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> >>> --- >>> hw/audio/sb16.c | 14 ++++++++++ >>> tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++ >>> MAINTAINERS | 1 + >>> tests/qtest/meson.build | 1 + >>> 4 files changed, 68 insertions(+) >>> create mode 100644 tests/qtest/fuzz-sb16-test.c >>> >>> diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c >>> index 8b207004102..5cf121fe363 100644 >>> --- a/hw/audio/sb16.c >>> +++ b/hw/audio/sb16.c >>> @@ -115,6 +115,9 @@ struct SB16State { >>> PortioList portio_list; >>> }; >>> >>> +#define SAMPLE_RATE_MIN 5000 >>> +#define SAMPLE_RATE_MAX 45000 >>> + >>> static void SB_audio_callback (void *opaque, int free); >>> >>> static int magic_of_irq (int irq) 
>>> @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len) >>> int tmp = (256 - s->time_const); >>> s->freq = (1000000 + (tmp / 2)) / tmp; >>> } >>> + if (s->freq < SAMPLE_RATE_MIN) { >>> + qemu_log_mask(LOG_GUEST_ERROR, >>> + "sampling range too low: %d, increasing to %u\n", >>> + s->freq, SAMPLE_RATE_MIN); >>> + s->freq = SAMPLE_RATE_MIN; >>> + } else if (s->freq > SAMPLE_RATE_MAX) { >>> + qemu_log_mask(LOG_GUEST_ERROR, >>> + "sampling range too high: %d, decreasing to %u\n", >>> + s->freq, SAMPLE_RATE_MAX); >>> + s->freq = SAMPLE_RATE_MAX; >>> + } >>> >>> if (dma_len != -1) { >>> s->block_size = dma_len << s->fmt_stereo; >>> diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c >>> new file mode 100644 >>> index 00000000000..51030cd7dc4 >>> --- /dev/null >>> +++ b/tests/qtest/fuzz-sb16-test.c 
>>> @@ -0,0 +1,52 @@ >>> +/* >>> + * QTest fuzzer-generated testcase for sb16 audio device >>> + * >>> + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org> >>> + * >>> + * SPDX-License-Identifier: GPL-2.0-or-later >>> + */ >>> + >>> +#include "qemu/osdep.h" >>> +#include "libqos/libqtest.h" >>> + >>> +/* >>> + * This used to trigger the assert in audio_calloc >>> + * https://bugs.launchpad.net/qemu/+bug/1910603 >>> + */ >>> +static void test_fuzz_sb16_0x1c(void) >>> +{ >>> + QTestState *s = qtest_init("-M q35 -display none " >>> + "-device sb16,audiodev=snd0 " >>> + "-audiodev none,id=snd0"); >>> + qtest_outw(s, 0x22c, 0x41); >>> + qtest_outb(s, 0x22c, 0x00); >>> + qtest_outw(s, 0x22c, 0x1004); >>> + qtest_outw(s, 0x22c, 0x001c); >>> + qtest_quit(s); >>> +} >>> + >>> +static void test_fuzz_sb16_0x91(void) >>> +{ >>> + QTestState *s = qtest_init("-M pc -display none " >>> + "-device sb16,audiodev=none " >>> + "-audiodev id=none,driver=none"); >>> + qtest_outw(s, 0x22c, 0xf141); >>> + qtest_outb(s, 0x22c, 0x00); >>> + qtest_outb(s, 0x22c, 0x24); >>> + qtest_outb(s, 0x22c, 0x91); >>> + qtest_quit(s); >>> +} >>> + >>> +int main(int argc, char **argv) >>> +{ >>> + const char *arch = qtest_get_arch(); >>> + >>> + g_test_init(&argc, &argv, NULL); >>> + >>> + if (strcmp(arch, "i386") == 0) { >>> + qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); >>> + qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); >>> + } >>> + >>> + return g_test_run(); >>> +} >>> diff --git a/MAINTAINERS b/MAINTAINERS >>> index 5f55404f2fa..7edb26d2293 100644 >>> --- a/MAINTAINERS >>> +++ b/MAINTAINERS >>> @@ -2213,6 +2213,7 @@ F: qapi/audio.json >>> F: tests/qtest/ac97-test.c >>> F: tests/qtest/es1370-test.c >>> F: tests/qtest/intel-hda-test.c >>> +F: tests/qtest/fuzz-sb16-test.c >>> >>> Block layer core >>> M: Kevin Wolf <kwolf@redhat.com> >>> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build >>> index c3a223a83d6..b03e8541700 100644 
>>> --- a/tests/qtest/meson.build >>> +++ b/tests/qtest/meson.build >>> @@ -20,6 +20,7 @@ >>> qtests_generic = \ >>> (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ >>> (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ >>> + (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ >>> [ >>> 'cdrom-test', >>> 'device-introspect-test', >>> > ^ permalink raw reply [flat|nested] 14+ messages in thread
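The rate derivation the commit message above describes, as an added example that is not QEMU's code: a small C model of the DSP command path that replays the two qtest byte sequences from the patch's test file and reports the rate a DMA start would hand to the audio backend, with and without the SAMPLE_RATE_MIN / SAMPLE_RATE_MAX clamp. It assumes the DSP command encodings from the Sound Blaster programming guide (0x40 takes one time-constant byte; 0x41 and 0x42 take a two-byte rate, high byte first; 0x1c and 0x91 start 8-bit auto-init DMA output), that a 16-bit write to the byte-wide port 0x22c is delivered as a low byte to 0x22c and a high byte to 0x22d, and that an initial rate of 0 stands for "not set"; the constant names and the rounding formula are copied from the patch, everything else is the example's own.

```c
/*
 * Added example, not code from QEMU's hw/audio/sb16.c: a model of how the
 * emulated SB16 DSP turns guest-written command bytes into the rate that
 * dma_cmd8() hands to AUD_open_out(), with and without the patch's clamp.
 * Assumed command encodings (from the SB16 programming guide, not the page):
 *   0x40 <tc>       set time constant, rate = 1000000 / (256 - tc)
 *   0x41 <hi> <lo>  set output rate directly (0x42: input rate, same form)
 *   0x1c, 0x91      start 8-bit auto-init DMA output at the current rate
 * A 16-bit write to byte-wide port 0x22c is assumed to be split into a low
 * byte to 0x22c and a high byte to 0x22d (ignored by this model).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define SAMPLE_RATE_MIN 5000   /* limits as in the patch */
#define SAMPLE_RATE_MAX 45000

struct dsp_model {
    int cmd, needed, nargs;   /* pending command and its outstanding bytes */
    uint8_t args[2];
    int time_const;           /* -1 unless 0x40 was seen after the last 0x41/0x42 */
    int freq;                 /* rate the device would pass to the audio backend */
    bool dma_started;
};
struct port_write { uint16_t port; int size; uint16_t value; };

/* The two reproducers quoted on this page, as qtest-style port writes. */
static const struct port_write REPRO_0X1C[] = {
    { 0x22c, 2, 0x0041 }, { 0x22c, 1, 0x0000 }, { 0x22c, 2, 0x1004 }, { 0x22c, 2, 0x001c },
};
static const struct port_write REPRO_0X91[] = {
    { 0x22c, 2, 0xf141 }, { 0x22c, 1, 0x0000 }, { 0x22c, 1, 0x0024 }, { 0x22c, 1, 0x0091 },
};
#define NWRITES(a) (sizeof(a) / sizeof((a)[0]))

/* Same rounding as the `(1000000 + (tmp / 2)) / tmp` line in dma_cmd8(). */
int rate_from_time_const(int tc)
{
    int tmp = 256 - tc;
    return (1000000 + (tmp / 2)) / tmp;
}
int clamp_rate(int freq)                  /* the check the patch adds */
{
    if (freq < SAMPLE_RATE_MIN) return SAMPLE_RATE_MIN;
    if (freq > SAMPLE_RATE_MAX) return SAMPLE_RATE_MAX;
    return freq;
}

/* Deliver one byte written to the DSP command/data port (0x22c). */
static void dsp_write_byte(struct dsp_model *d, uint8_t b, bool clamp)
{
    if (d->needed > 0) {                     /* argument byte of a pending command */
        d->args[d->nargs++] = b;
        if (--d->needed == 0) {
            if (d->cmd == 0x40) {
                d->time_const = d->args[0];
            } else {                         /* 0x41 / 0x42: high byte first */
                d->freq = (d->args[0] << 8) | d->args[1];
                d->time_const = -1;
            }
            d->cmd = -1;
        }
        return;
    }
    switch (b) {
    case 0x40:            d->cmd = b; d->needed = 1; d->nargs = 0; break;
    case 0x41: case 0x42: d->cmd = b; d->needed = 2; d->nargs = 0; break;
    case 0x1c: case 0x91:                    /* DMA start: the rate is fixed here */
        if (d->time_const != -1) d->freq = rate_from_time_const(d->time_const);
        if (clamp) d->freq = clamp_rate(d->freq);
        d->dma_started = true;
        break;
    default: break;                          /* other commands are not modelled */
    }
}

/* Replay port writes; return the rate in force when DMA started, -1 if it never did. */
int dsp_replay(const struct port_write *w, size_t n, bool clamp)
{
    struct dsp_model d = { .cmd = -1, .time_const = -1, .freq = 0 }; /* 0: no rate set */
    for (size_t i = 0; i < n; i++) {
        for (int k = 0; k < w[i].size; k++) {
            uint8_t byte = (uint8_t)(w[i].value >> (8 * k));
            if (w[i].port + k == 0x22c) dsp_write_byte(&d, byte, clamp);
        }
    }
    return d.dma_started ? d.freq : -1;
}

int main(void)
{
    printf("0x1c reproducer: %d Hz unclamped, %d Hz clamped\n",
           dsp_replay(REPRO_0X1C, NWRITES(REPRO_0X1C), false),
           dsp_replay(REPRO_0X1C, NWRITES(REPRO_0X1C), true));
    printf("0x91 reproducer: %d Hz unclamped, %d Hz clamped\n",
           dsp_replay(REPRO_0X91, NWRITES(REPRO_0X91), false),
           dsp_replay(REPRO_0X91, NWRITES(REPRO_0X91), true));
    return 0;
}
```

Under these assumptions the 0x1c sequence programs a 4 Hz output rate and the 0x91 sequence a 36 Hz rate before starting DMA, and the time-constant path is no safer: tc = 0x00 yields 3906 Hz and tc = 0xff yields 1000000 Hz, both outside the 5000 to 45000 Hz window. The clamp, like the patch, substitutes a legal rate rather than rejecting the command, so a guest that relies on the written rate being honoured sees the substituted value instead.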
* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-14 15:06 ` Philippe Mathieu-Daudé @ 2021-06-15 13:43 ` Qiang Liu 2021-06-16 9:16 ` Gerd Hoffmann 0 siblings, 1 reply; 14+ messages in thread 
From: Qiang Liu @ 2021-06-15 13:43 UTC (permalink / raw) To: Philippe Mathieu-Daudé; +Cc: Alexander Bulekov, qemu-devel, Gerd Hoffmann On Mon, Jun 14, 2021 at 11:06 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote: > > On 6/14/21 2:11 PM, Qiang Liu wrote: > > Hi Phil, > > > > Thanks for inviting me. I've applied your patch. It seems fine > > because my sb16 fuzzer is running for another 24 hours and > > it has no crash yet. > > Thanks for testing! > > Can we use your "Tested-by: Qiang Liu <cyruscyliu@gmail.com>" tag? Yes. My sb16 fuzzer has no crash yet after 24h, so I think the patch is good. > > I can also double-check the specification. > > If you do, please send a "Reviewed-by: Qiang Liu <cyruscyliu@gmail.com>" > tag :) Yes, I did. I agree to follow the specific frequency limit regarding the 41h/42h registers. > >>> Valid sampling rates range from 5000 to 45000 Hz inclusive. Should I send this patch with tag V2? > > Best, > > Qiang > > > > On Mon, Jun 14, 2021 at 7:13 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote: > >> > >> ping? > >> > >> On 6/1/21 5:18 PM, Philippe Mathieu-Daudé wrote: > >>> While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series > >>> Hardware Programming Guide" limit the sampling range from 4000 Hz to > >>> 44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables > >>> 3-2 and 3-3). > >>> > >>> Later, section 6-15 (DSP Commands) is more specific regarding the 41h / > >>> 42h registers (Set digitized sound output sampling rate): > >>> > >>> Valid sampling rates range from 5000 to 45000 Hz inclusive. > >>> > >>> There is no comment regarding error handling if the register is filled > >>> with an out-of-range value. (See also section 3-28 "8-bit or 16-bit > >>> Auto-initialize Transfer"). Assume limits are enforced in hardware. 
> >>> > >>> This fixes triggering an assertion in audio_calloc(): > >>> > >>> #1 abort > >>> #2 audio_bug audio/audio.c:119:9 > >>> #3 audio_calloc audio/audio.c:154:9 > >>> #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15 > >>> #5 audio_pcm_sw_init_out audio/audio_template.h:175:11 > >>> #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9 > >>> #7 AUD_open_out audio/audio_template.h:503:14 > >>> #8 continue_dma8 hw/audio/sb16.c:216:20 > >>> #9 dma_cmd8 hw/audio/sb16.c:276:5 > >>> #10 command hw/audio/sb16.c:0 > >>> #11 dsp_write hw/audio/sb16.c:949:13 > >>> #12 portio_write softmmu/ioport.c:205:13 > >>> #13 memory_region_write_accessor softmmu/memory.c:491:5 > >>> #14 access_with_adjusted_size softmmu/memory.c:552:18 > >>> #15 memory_region_dispatch_write softmmu/memory.c:0:13 > >>> #16 flatview_write_continue softmmu/physmem.c:2759:23 > >>> #17 flatview_write softmmu/physmem.c:2799:14 > >>> #18 address_space_write softmmu/physmem.c:2891:18 > >>> #19 cpu_outw softmmu/ioport.c:70:5 > >>> > >>> [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html > >>> > >>> Fixes: 85571bc7415 ("audio merge (malc)") > >>> Buglink: https://bugs.launchpad.net/bugs/1910603 > >>> OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174 > >>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> > >>> --- > >>> hw/audio/sb16.c | 14 ++++++++++ > >>> tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++ > >>> MAINTAINERS | 1 + > >>> tests/qtest/meson.build | 1 + > >>> 4 files changed, 68 insertions(+) > >>> create mode 100644 tests/qtest/fuzz-sb16-test.c > >>> > >>> diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c > >>> index 8b207004102..5cf121fe363 100644 > >>> --- a/hw/audio/sb16.c > >>> +++ b/hw/audio/sb16.c 
> >>> @@ -115,6 +115,9 @@ struct SB16State { > >>> PortioList portio_list; > >>> }; > >>> > >>> +#define SAMPLE_RATE_MIN 5000 > >>> +#define SAMPLE_RATE_MAX 45000 > >>> + > >>> static void SB_audio_callback (void *opaque, int free); > >>> > >>> static int magic_of_irq (int irq) > >>> @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len) > >>> int tmp = (256 - s->time_const); > >>> s->freq = (1000000 + (tmp / 2)) / tmp; > >>> } > >>> + if (s->freq < SAMPLE_RATE_MIN) { > >>> + qemu_log_mask(LOG_GUEST_ERROR, > >>> + "sampling range too low: %d, increasing to %u\n", > >>> + s->freq, SAMPLE_RATE_MIN); > >>> + s->freq = SAMPLE_RATE_MIN; > >>> + } else if (s->freq > SAMPLE_RATE_MAX) { > >>> + qemu_log_mask(LOG_GUEST_ERROR, > >>> + "sampling range too high: %d, decreasing to %u\n", > >>> + s->freq, SAMPLE_RATE_MAX); > >>> + s->freq = SAMPLE_RATE_MAX; > >>> + } > >>> > >>> if (dma_len != -1) { > >>> s->block_size = dma_len << s->fmt_stereo; > >>> diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c > >>> new file mode 100644 > >>> index 00000000000..51030cd7dc4 > >>> --- /dev/null > >>> +++ b/tests/qtest/fuzz-sb16-test.c 
> >>> @@ -0,0 +1,52 @@ > >>> +/* > >>> + * QTest fuzzer-generated testcase for sb16 audio device > >>> + * > >>> + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org> > >>> + * > >>> + * SPDX-License-Identifier: GPL-2.0-or-later > >>> + */ > >>> + > >>> +#include "qemu/osdep.h" > >>> +#include "libqos/libqtest.h" > >>> + > >>> +/* > >>> + * This used to trigger the assert in audio_calloc > >>> + * https://bugs.launchpad.net/qemu/+bug/1910603 > >>> + */ > >>> +static void test_fuzz_sb16_0x1c(void) > >>> +{ > >>> + QTestState *s = qtest_init("-M q35 -display none " > >>> + "-device sb16,audiodev=snd0 " > >>> + "-audiodev none,id=snd0"); > >>> + qtest_outw(s, 0x22c, 0x41); > >>> + qtest_outb(s, 0x22c, 0x00); > >>> + qtest_outw(s, 0x22c, 0x1004); > >>> + qtest_outw(s, 0x22c, 0x001c); > >>> + qtest_quit(s); > >>> +} > >>> + > >>> +static void test_fuzz_sb16_0x91(void) > >>> +{ > >>> + QTestState *s = qtest_init("-M pc -display none " > >>> + "-device sb16,audiodev=none " > >>> + "-audiodev id=none,driver=none"); > >>> + qtest_outw(s, 0x22c, 0xf141); > >>> + qtest_outb(s, 0x22c, 0x00); > >>> + qtest_outb(s, 0x22c, 0x24); > >>> + qtest_outb(s, 0x22c, 0x91); > >>> + qtest_quit(s); > >>> +} > >>> + > >>> +int main(int argc, char **argv) > >>> +{ > >>> + const char *arch = qtest_get_arch(); > >>> + > >>> + g_test_init(&argc, &argv, NULL); > >>> + > >>> + if (strcmp(arch, "i386") == 0) { > >>> + qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); > >>> + qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); > >>> + } > >>> + > >>> + return g_test_run(); > >>> +} > >>> diff --git a/MAINTAINERS b/MAINTAINERS > >>> index 5f55404f2fa..7edb26d2293 100644 > >>> --- a/MAINTAINERS > >>> +++ b/MAINTAINERS 
> >>> @@ -2213,6 +2213,7 @@ F: qapi/audio.json > >>> F: tests/qtest/ac97-test.c > >>> F: tests/qtest/es1370-test.c > >>> F: tests/qtest/intel-hda-test.c > >>> +F: tests/qtest/fuzz-sb16-test.c > >>> > >>> Block layer core > >>> M: Kevin Wolf <kwolf@redhat.com> > >>> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build > >>> index c3a223a83d6..b03e8541700 100644 > >>> --- a/tests/qtest/meson.build > >>> +++ b/tests/qtest/meson.build > >>> @@ -20,6 +20,7 @@ > >>> qtests_generic = \ > >>> (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \ > >>> (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \ > >>> + (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \ > >>> [ > >>> 'cdrom-test', > >>> 'device-introspect-test', > >>> > > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-15 13:43 ` Qiang Liu @ 2021-06-16 9:16 ` Gerd Hoffmann 2021-06-16 10:41 ` Philippe Mathieu-Daudé 0 siblings, 1 reply; 14+ messages in thread From: Gerd Hoffmann @ 2021-06-16 9:16 UTC (permalink / raw) To: Qiang Liu; +Cc: Alexander Bulekov, Philippe Mathieu-Daudé, qemu-devel Hi, > Should I send this patch with tag V2? Yes, please. thanks, Gerd ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range 2021-06-16 9:16 ` Gerd Hoffmann @ 2021-06-16 10:41 ` Philippe Mathieu-Daudé 0 siblings, 0 replies; 14+ messages in thread From: Philippe Mathieu-Daudé @ 2021-06-16 10:41 UTC (permalink / raw) To: Gerd Hoffmann, Qiang Liu; +Cc: Alexander Bulekov, qemu-devel On 6/16/21 11:16 AM, Gerd Hoffmann wrote: > Hi, > >> Should I send this patch with tag V2? > > Yes, please. I don't understand why. Shouldn't it be enough if Qiang Liu replies with "Tested-by: Qiang Liu <cyruscyliu@gmail.com>" ? ^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug 2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov ` (2 preceding siblings ...) 2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé @ 2021-06-19 19:45 ` Alexander Bulekov 2021-06-20 17:22 ` Thomas Huth 2021-08-25 7:12 ` Thomas Huth 5 siblings, 0 replies; 14+ messages in thread From: Alexander Bulekov @ 2021-06-19 19:45 UTC (permalink / raw) To: qemu-devel OSS-Fuzz confirms this is fixed: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30574#c4 ** Changed in: qemu Status: Confirmed => Fix Committed -- https://bugs.launchpad.net/bugs/1910603 Title: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Status in QEMU: Fix Committed ^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug 2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov ` (3 preceding siblings ...) 2021-06-19 19:45 ` [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov @ 2021-06-20 17:22 ` Thomas Huth 2021-08-25 7:12 ` Thomas Huth 5 siblings, 0 replies; 14+ messages in thread From: Thomas Huth @ 2021-06-20 17:22 UTC (permalink / raw) To: qemu-devel Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/a2cd86a94a881b38a7d8bb67c619 -- https://bugs.launchpad.net/bugs/1910603 Title: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Status in QEMU: Fix Committed ^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug 2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov ` (4 preceding siblings ...) 2021-06-20 17:22 ` Thomas Huth @ 2021-08-25 7:12 ` Thomas Huth 5 siblings, 0 replies; 14+ messages in thread From: Thomas Huth @ 2021-08-25 7:12 UTC (permalink / raw) To: qemu-devel ** Changed in: qemu Status: Fix Committed => Fix Released -- https://bugs.launchpad.net/bugs/1910603 Title: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Status in QEMU: Fix Released ^ permalink raw reply [flat|nested] 14+ messages in thread
Thread overview: 14+ messages
2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
2021-01-15 16:09 ` [Bug 1910603] " Peter Maydell
2021-05-26 15:31 ` Thomas Huth
2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé
2021-06-01 15:18 ` [Bug 1910603] " Philippe Mathieu-Daudé
2021-06-14 11:13 ` Philippe Mathieu-Daudé
2021-06-14 12:11 ` Qiang Liu
2021-06-14 15:06 ` Philippe Mathieu-Daudé
2021-06-15 13:43 ` Qiang Liu
2021-06-16 9:16 ` Gerd Hoffmann
2021-06-16 10:41 ` Philippe Mathieu-Daudé
2021-06-19 19:45 ` [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
2021-06-20 17:22 ` Thomas Huth
2021-08-25 7:12 ` Thomas Huth