qemu-devel.nongnu.org archive mirror
* [Bug 1908515] [NEW] assertion failure in lsi53c810 emulator
@ 2020-12-17 10:54 Cheol-Woo,Myung
  2021-01-15 16:09 ` [Bug 1908515] " Peter Maydell
  2021-05-14 19:28 ` Thomas Huth
  0 siblings, 2 replies; 3+ messages in thread
From: Cheol-Woo,Myung @ 2020-12-17 10:54 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

Hello,

Using the hypervisor fuzzer hyfuzz, I found an assertion failure in the
lsi53c810 emulator.

A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master)


qemu-system-i386: ../hw/scsi/lsi53c895a.c:624: void lsi_do_dma(LSIState *, int): Assertion `s->current' failed.
[1]    1406 abort (core dumped)  /home/cwmyung/prj/hyfuzz/src/qemu-5.2/build/i386-softmmu/qemu-system-i386 -m

Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7fa9310a8700 (LWP 2076))]
gdb-peda$ bt
#0  0x00007fa94aa98f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fa94aa9a8b1 in __GI_abort () at abort.c:79
#2  0x00007fa94aa8a42a in __assert_fail_base (fmt=0x7fa94ac11a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x562851c9eab9 "s->current", file=file@entry=0x562851c9d4f9 "../hw/scsi/lsi53c895a.c", line=line@entry=0x270, function=function@entry=0x562851c9de43 "void lsi_do_dma(LSIState *, int)") at assert.c:92
#3  0x00007fa94aa8a4a2 in __GI___assert_fail (assertion=0x562851c9eab9 "s->current", file=0x562851c9d4f9 "../hw/scsi/lsi53c895a.c", line=0x270, function=0x562851c9de43 "void lsi_do_dma(LSIState *, int)")
    at assert.c:101
#4  0x00005628515d9605 in lsi_do_dma (s=0x562855559060, out=0x1) at ../hw/scsi/lsi53c895a.c:624
#5  0x00005628515d5317 in lsi_execute_script (s=<optimized out>) at ../hw/scsi/lsi53c895a.c:1250
#6  0x00005628515cec49 in lsi_reg_writeb (s=0x562855559060, offset=0x2f, val=0x1e)
    at ../hw/scsi/lsi53c895a.c:2005
#7  0x0000562851952798 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...)
    at ../softmmu/memory.c:491
#8  0x000056285195258e in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=<optimized out>, attrs=...) at ../softmmu/memory.c:552
#9  0x000056285195258e in memory_region_dispatch_write (mr=0x562855559960, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1501
#10 0x00005628518e5305 in flatview_write_continue (fv=0x7fa92871f040, addr=0xfebf302c, attrs=..., ptr=0x7fa9310a49b8, len=0x4, addr1=0x7fa9310a3410, l=<optimized out>, mr=0x562855559960)
    at ../softmmu/physmem.c:2759
#11 0x00005628518e6ef6 in flatview_write (fv=0x7fa92871f040, addr=0xfebf302c, attrs=..., len=0x4, buf=<optimized out>) at ../softmmu/physmem.c:2799
#12 0x00005628518e6ef6 in subpage_write (opaque=<optimized out>, addr=<optimized out>, value=<optimized out>, len=<optimized out>, attrs=...) at ../softmmu/physmem.c:2465
#13 0x00005628519529a2 in memory_region_write_with_attrs_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at ../softmmu/memory.c:511
#14 0x00005628519525e1 in access_with_adjusted_size (addr=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, mr=<optimized out>, attrs=..., value=<optimized out>, access_fn=<optimized out>) at ../softmmu/memory.c:552
#15 0x00005628519525e1 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1508
#16 0x0000562851a49228 in io_writex (iotlbentry=<optimized out>, mmu_idx=<optimized out>, val=<optimized out>, addr=<optimized out>, retaddr=<optimized out>, op=<optimized out>, env=<optimized out>)
    at ../accel/tcg/cputlb.c:1378
#17 0x0000562851a49228 in store_helper (env=<optimized out>, addr=<optimized out>, val=<optimized out>, oi=<optimized out>, retaddr=<optimized out>, op=MO_32) at ../accel/tcg/cputlb.c:2397
#18 0x0000562851a49228 in helper_le_stl_mmu (env=<optimized out>, addr=<optimized out>, val=0x2, oi=<optimized out>, retaddr=0x7fa8e44032ee) at ../accel/tcg/cputlb.c:2463
#19 0x00007fa8e44032ee in code_gen_buffer ()
#20 0x000056285191ada0 in cpu_tb_exec (cpu=0x5628547b81a0, itb=<optimized out>)
    at ../accel/tcg/cpu-exec.c:178
#21 0x000056285191b9eb in cpu_loop_exec_tb (tb=<optimized out>, cpu=<optimized out>, last_tb=<optimized out>, tb_exit=<optimized out>) at ../accel/tcg/cpu-exec.c:658
#22 0x000056285191b9eb in cpu_exec (cpu=0x5628547b81a0) at ../accel/tcg/cpu-exec.c:771
#23 0x000056285194ab9f in tcg_cpu_exec (cpu=<optimized out>) at ../accel/tcg/tcg-cpus.c:243
#24 0x000056285194ab9f in tcg_cpu_thread_fn (arg=0x5628547b81a0) at ../accel/tcg/tcg-cpus.c:427
#25 0x0000562851c22775 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:521
#26 0x00007fa94ae526db in start_thread (arg=0x7fa9310a8700) at pthread_create.c:463
#27 0x00007fa94ab7ba3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

To reproduce this issue, please run QEMU with the following command
line.


# To enable the ASan option, configure the build with the following command
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make

# To reproduce this issue, please run the QEMU process with the following command line.
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -device lsi53c810,id=scsi -device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img

Please let me know if I can provide any further info.
Thank you.

- Cheolwoo, Myung (Seoul National University)

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "attachment.zip"
   https://bugs.launchpad.net/bugs/1908515/+attachment/5444465/+files/attachment.zip

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1908515

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1908515/+subscriptions


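The backtrace above shows the path the guest takes to the assertion: a 4-byte MMIO write at 0xfebf302c lands in lsi_reg_writeb at offset 0x2f (the top byte of the DSP register), that write starts SCRIPTS execution in lsi_execute_script, and a Block Move instruction reaches lsi_do_dma while no SCSI command is in flight, so assert(s->current) aborts the host process. The model below is an added example, not QEMU's code and not the fix applied to the project: it is a constructed, hypothetical device with the same shape (a guest-writable dsp, a current request pointer, a script fetched from "guest RAM"), showing the asserting DMA step beside a hardened one that treats the missing command as a guest error and stops the script. The instruction encoding, the struct layout and the scenario() driver are assumptions for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical device model. Field names echo the backtrace (dsp, current);
 * the layout and encodings are constructed for this example, not LSIState. */
struct scsi_req {
    uint8_t buf[64];
    size_t len;
};

struct dev {
    uint32_t dsp;              /* SCRIPTS instruction pointer, guest-writable via MMIO */
    struct scsi_req *current;  /* in-flight SCSI command; NULL while idle */
    uint32_t mem[4];           /* constructed "guest RAM" holding the script */
    int guest_errors;          /* rejected guest operations (stand-in for LOG_GUEST_ERROR) */
};

#define INSN_TYPE(i)  ((i) >> 30)          /* constructed: 2-bit opcode field */
#define INSN_LEN(i)   ((i) & 0x00FFFFFFu)  /* constructed: 24-bit byte count */
#define TYPE_BLOCK_MOVE 0u
#define TYPE_INT        2u

/* Vulnerable form: the DMA step asserts on state the guest can steer. A guest
 * that starts a script containing a Block Move while no command is active
 * turns this into abort() in the host process. */
static void do_dma_assert(struct dev *s, uint32_t len)
{
    assert(s->current);
    memset(s->current->buf, 0xAA, len);
    s->current->len = len;
}

/* Hardened form: a DMA request with no active command is a guest error.
 * Log it, stop the script, keep the process alive. Returns 0 on success,
 * -1 when the request is rejected. */
static int do_dma_checked(struct dev *s, uint32_t len)
{
    if (!s->current) {
        s->guest_errors++;
        fprintf(stderr, "model: DMA requested with no active command (dsp=0x%x)\n", s->dsp);
        return -1;
    }
    if (len > sizeof s->current->buf) {
        s->guest_errors++;
        return -1;             /* the transfer length is guest data too */
    }
    memset(s->current->buf, 0xAA, len);
    s->current->len = len;
    return 0;
}

/* Script executor: fetch at dsp, dispatch, run until INT or a rejection.
 * Returns the number of Block Moves completed. */
static int execute_script(struct dev *s, bool hardened)
{
    int moved = 0;
    for (;;) {
        uint32_t insn = s->mem[(s->dsp / 4) % 4];
        s->dsp += 4;
        if (INSN_TYPE(insn) != TYPE_BLOCK_MOVE)
            return moved;      /* INT (or anything unknown) halts the script */
        if (hardened) {
            if (do_dma_checked(s, INSN_LEN(insn)) < 0)
                return moved;
        } else {
            do_dma_assert(s, INSN_LEN(insn));
        }
        moved++;
    }
}

/* MMIO byte write. Writing the top byte of DSP (offset 0x2f) starts the
 * script, which is the entry point in the backtrace (lsi_reg_writeb). */
static int reg_writeb(struct dev *s, unsigned offset, uint8_t val, bool hardened)
{
    if (offset >= 0x2c && offset <= 0x2f) {
        unsigned shift = 8 * (offset - 0x2c);
        s->dsp = (s->dsp & ~(0xFFu << shift)) | ((uint32_t)val << shift);
        if (offset == 0x2f)
            return execute_script(s, hardened);
    }
    return 0;
}

/* Scenario (constructed): the guest writes DSP=0 byte by byte, starting a
 * script whose first instruction is a 16-byte Block Move, with or without a
 * command in flight. Returns Block Moves done; *guest_errors receives the
 * number of rejected operations. */
static int scenario(bool with_command, bool hardened, int *guest_errors)
{
    static struct scsi_req req;
    struct dev d;
    memset(&d, 0, sizeof d);
    d.mem[0] = (TYPE_BLOCK_MOVE << 30) | 16;
    d.mem[1] = (TYPE_INT << 30);
    d.current = with_command ? &req : NULL;

    int moved = 0;
    for (unsigned off = 0x2c; off <= 0x2f; off++)
        moved = reg_writeb(&d, off, 0x00, hardened);
    *guest_errors = d.guest_errors;
    return moved;
}

int main(void)
{
    int errors;
    int moved = scenario(false, true, &errors);
    printf("hardened, no command:   block moves=%d guest errors=%d\n", moved, errors);
    moved = scenario(true, true, &errors);
    printf("hardened, with command: block moves=%d guest errors=%d\n", moved, errors);
    /* scenario(false, false, ...) would abort() exactly as the report shows */
    return 0;
}
```

Running scenario(false, false, ...) reproduces the shape of the report: the script runs, the Block Move finds no command, and assert() takes the whole process down. In a real device model the hardened branch would use qemu_log_mask(LOG_GUEST_ERROR, ...) and leave the device in a defined state; the point is that any state a guest can steer through MMIO is input, and an assert() on input is a guest-triggerable host crash.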

* [Bug 1908515] Re: assertion failure in lsi53c810 emulator
  2020-12-17 10:54 [Bug 1908515] [NEW] assertion failure in lsi53c810 emulator Cheol-Woo,Myung
@ 2021-01-15 16:09 ` Peter Maydell
  2021-05-14 19:28 ` Thomas Huth
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2021-01-15 16:09 UTC (permalink / raw)
  To: qemu-devel

** Tags added: fuzzer



* [Bug 1908515] Re: assertion failure in lsi53c810 emulator
  2020-12-17 10:54 [Bug 1908515] [NEW] assertion failure in lsi53c810 emulator Cheol-Woo,Myung
  2021-01-15 16:09 ` [Bug 1908515] " Peter Maydell
@ 2021-05-14 19:28 ` Thomas Huth
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Huth @ 2021-05-14 19:28 UTC (permalink / raw)
  To: qemu-devel

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/305


** Changed in: qemu
       Status: New => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #305
   https://gitlab.com/qemu-project/qemu/-/issues/305


