qemu-devel.nongnu.org archive mirror
* [Bug 1907497] [NEW] [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Alexander Bulekov @ 2020-12-09 20:30 UTC
  To: qemu-devel

Public bug reported:

 affects qemu

=== Reproducer (build with --enable-sanitizers) ===

cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \
-device intel-hda,id=hda0 -device hda-output,bus=hda0.0 \
-device hda-micro,bus=hda0.0 -device hda-duplex,bus=hda0.0 \
-qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0xffff
write 0x0 0x1 0x12
write 0x2 0x1 0x2f
outl 0xcf8 0x80000811
outl 0xcfc 0x5a6a4406
write 0x6a44005a 0x1 0x11
write 0x6a44005c 0x1 0x3f
write 0x6a442050 0x4 0x0000446a
write 0x6a44204a 0x1 0xf3
write 0x6a44204c 0x1 0xff
writeq 0x6a44005a 0x17b3f0011
write 0x6a442050 0x4 0x0000446a
write 0x6a44204a 0x1 0xf3
write 0x6a44204c 0x1 0xff
EOF

=== Stack Trace ===
==411958==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcaeb8bc88 (pc 0x55c7c9dc1159 bp 0x7ffcaeb8c4d0 sp 0x7ffcaeb8bc90 T0)
    #0 0x55c7c9dc1159 in __asan_memcpy (u-system-i386+0x2a13159)
    #1 0x55c7cb2a457e in flatview_do_translate softmmu/physmem.c:513:12
    #2 0x55c7cb2bdab0 in flatview_translate softmmu/physmem.c:563:15
    #3 0x55c7cb2bdab0 in flatview_read softmmu/physmem.c:2861:10
    #4 0x55c7cb2bdab0 in address_space_read_full softmmu/physmem.c:2875:18
    #5 0x55c7caaec937 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
    #6 0x55c7caaec937 in dma_memory_rw include/sysemu/dma.h:110:12
    #7 0x55c7caaec937 in dma_memory_read include/sysemu/dma.h:116:12
    #8 0x55c7caaec937 in ldl_le_dma include/sysemu/dma.h:179:1
    #9 0x55c7caaec937 in ldl_le_pci_dma include/hw/pci/pci.h:816:1
    #10 0x55c7caaec937 in intel_hda_corb_run hw/audio/intel-hda.c:338:16
    #11 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
    #12 0x55c7cb2e6bd3 in access_with_adjusted_size softmmu/memory.c:552:18
    #13 0x55c7cb2e646c in memory_region_dispatch_write softmmu/memory.c
    #14 0x55c7cb2c8445 in flatview_write_continue softmmu/physmem.c:2759:23
    #15 0x55c7cb2bdfb8 in flatview_write softmmu/physmem.c:2799:14
    #16 0x55c7cb2bdfb8 in address_space_write softmmu/physmem.c:2891:18
    #17 0x55c7caae2c54 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18
    #18 0x55c7caae2c54 in dma_memory_rw include/sysemu/dma.h:110:12
    #19 0x55c7caae2c54 in dma_memory_write include/sysemu/dma.h:122:12
    #20 0x55c7caae2c54 in stl_le_dma include/sysemu/dma.h:179:1
    #21 0x55c7caae2c54 in stl_le_pci_dma include/hw/pci/pci.h:816:1
    #22 0x55c7caae2c54 in intel_hda_response hw/audio/intel-hda.c:370:5
    #23 0x55c7caaeca00 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
    #24 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5
...

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1907497

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1907497/+subscriptions


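The trace shows the device re-entering itself: the RIRB response write (stl_le_pci_dma, frame #21) is DMA that resolves to the device's own MMIO region, so the memory dispatch calls back into intel_hda_corb_run (frame #10), which issues the next response, and so on until the stack is exhausted. The C model below is added here as an illustration (it is not QEMU's code or the reporter's) of that loop and of a per-device re-entrancy guard that breaks it; the CORBWP offset is the HDA spec's, while the BAR address, RAM size, verb values, the choice of CORBWP as the register the RIRB write lands on, and all function names are assumptions of the model.

```c
/* Constructed model of the DMA-to-MMIO re-entrancy in the trace above (intel_hda_corb_run
 * -> intel_hda_response -> stl_le_pci_dma -> MMIO dispatch -> intel_hda_corb_run ...).
 * Not QEMU code: only the CORBWP offset follows the HDA spec; the rest is invented. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RAM_SIZE     0x10000u     /* model guest RAM at guest-physical 0 */
#define MMIO_BASE    0x6a440000u  /* hypothetical location of the HDA BAR */
#define MMIO_SIZE    0x4000u
#define STACK_BUDGET 64           /* stand-in for the real stack limit */
#define REG_CORBWP   0x48         /* HDA spec offset; the only register this model decodes */

typedef struct {
    uint32_t corb_lbase, rirb_lbase;    /* ring bases the guest programs */
    uint8_t corb_wp, corb_rp, rirb_wp;  /* 256-entry CORB, 2-entry RIRB */
    bool guard_enabled, engaged_in_io;  /* guard switch; "this device's handler is running" */
    int depth, max_depth, blocked;      /* corb_run nesting; accesses the guard refused */
    bool overflowed;                    /* stands in for ASan's stack-overflow report */
} HdaModel;
typedef struct { int max_depth, blocked; bool overflowed; } Outcome;

static uint8_t guest_ram[RAM_SIZE];
static HdaModel hda;
static bool mmio_dispatch_write(uint32_t off, uint32_t val);

static uint32_t ram_ldl_le(uint32_t addr)   /* little-endian load, like ldl_le_dma */
{
    if (addr + 4 > RAM_SIZE) return 0;
    return guest_ram[addr] | (uint32_t)guest_ram[addr + 1] << 8 |
           (uint32_t)guest_ram[addr + 2] << 16 | (uint32_t)guest_ram[addr + 3] << 24;
}

static void ram_stl_le(uint32_t addr, uint32_t v)   /* little-endian store, like stl_le_dma */
{
    if (addr + 4 > RAM_SIZE) return;
    for (int i = 0; i < 4; i++) guest_ram[addr + i] = (uint8_t)(v >> (8 * i));
}

/* Device-initiated DMA (frame #21). Address decode routes a target that lies inside the
   device's own BAR back into its MMIO dispatch, which is what frames #16..#11 show. */
static void dma_write32(uint32_t addr, uint32_t val)
{
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE)
        mmio_dispatch_write(addr - MMIO_BASE, val);   /* re-enters the device */
    else
        ram_stl_le(addr, val);
}

/* Drain the CORB: fetch each verb by DMA, post one RIRB entry per verb by DMA. */
static void corb_run(void)
{
    if (++hda.depth > hda.max_depth) hda.max_depth = hda.depth;
    /* Where the real build runs out of stack; the model records it and unwinds. */
    if (hda.depth > STACK_BUDGET) { hda.overflowed = true; hda.depth--; return; }
    while (!hda.overflowed && hda.corb_rp != hda.corb_wp) {
        hda.corb_rp++;
        uint32_t verb = ram_ldl_le(hda.corb_lbase + 4u * hda.corb_rp);
        hda.rirb_wp = (hda.rirb_wp + 1) & 1;
        dma_write32(hda.rirb_lbase + 8u * hda.rirb_wp, verb);   /* the response write */
    }
    hda.depth--;
}

static void hda_mmio_write(uint32_t off, uint32_t val)
{
    if (off == REG_CORBWP) {   /* moving the write pointer kicks the CORB */
        hda.corb_wp = (uint8_t)val;
        corb_run();
    }                          /* other registers are ignored by this model */
}

/* MMIO dispatch with the kind of per-device guard QEMU's memory layer later added:
   while a device's handler is running, DMA may not enter that same device again. */
static bool mmio_dispatch_write(uint32_t off, uint32_t val)
{
    if (hda.guard_enabled && hda.engaged_in_io) { hda.blocked++; return false; }
    bool was_engaged = hda.engaged_in_io;
    hda.engaged_in_io = true;
    hda_mmio_write(off, val);
    hda.engaged_in_io = was_engaged;
    return true;
}

/* The guest's side in model terms: CORB in RAM, RIRB base aimed so that RIRB entry 1
   sits on the device's own CORBWP register, then a CORBWP write that starts the CORB. */
static Outcome run_scenario(bool guard_enabled)
{
    memset(&hda, 0, sizeof hda);
    memset(guest_ram, 0, sizeof guest_ram);
    hda.guard_enabled = guard_enabled;
    hda.corb_lbase = 0x1000;
    hda.rirb_lbase = MMIO_BASE + REG_CORBWP - 8;
    /* Constructed verbs: entry i answers i+2, so a response landing on CORBWP always moves
       the write pointer past the read pointer and the CORB never drains on its own. */
    for (uint32_t i = 0; i < 256; i++)
        ram_stl_le(0x1000 + 4 * i, (i + 2) & 0xff);
    mmio_dispatch_write(REG_CORBWP, 1);
    Outcome o = { hda.max_depth, hda.blocked, hda.overflowed };
    return o;
}
```

With the guard off the model nests corb_run until it exceeds STACK_BUDGET and reports the overflow; with it on, the one re-entrant write is refused and the CORB drains at depth 1.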

* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Peter Maydell @ 2021-01-15 16:12 UTC
  To: qemu-devel

** Tags added: fuzzer




* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Thomas Huth @ 2021-06-10  8:48 UTC
  To: qemu-devel

** Changed in: qemu
       Status: New => Confirmed




* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Gianluca Gabruelli @ 2021-06-21  5:57 UTC
  To: qemu-devel

I think this commit [0] actually fixes this bug; can someone please
confirm it?

[0] https://github.com/qemu/qemu/commit/1bf8b88f144bee747e386c88d45d772e066bbb36




* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Thomas Huth @ 2021-06-21  7:18 UTC
  To: qemu-devel

No, I can still reproduce this issue with the current version from the git
repo (commit 8f521741e1280f0957ac1) ... when I compile QEMU with Clang
and --enable-sanitizers, the reproducer still crashes with "ERROR:
AddressSanitizer: stack-overflow".




* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Mauro Matteo Cascella @ 2021-06-22 15:57 UTC
  To: qemu-devel

Just FYI, this issue was assigned CVE-2021-3611 by Red Hat.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3611




* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Gianluca Gabruelli @ 2021-06-30 15:04 UTC
  To: qemu-devel

@Thomas, could you try compiling QEMU with a commit close to the
timeframe mentioned here [0]?

[0] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435#c2




* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
From: Thomas Huth @ 2021-06-30 16:44 UTC
  To: qemu-devel

@Gianluca: The problem still reproduces with the current master branch
(commit 13d5f87cc3b94bfccc5), so the problem is definitely not fixed
yet. So no, I certainly won't waste my time trying it on older versions.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1907497

Title:
  [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-
  hda: Stack-overflow in ldl_le_dma

Status in QEMU:
  Confirmed


^ permalink raw reply	[flat|nested] 10+ messages in thread
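The loop that exhausts the stack can be read straight off the trace in the bug report at the top of this thread: intel_hda_corb_run fetches a CORB entry (ldl_le_pci_dma), the codec's reply goes out through intel_hda_response -> stl_le_pci_dma -> address_space_write, memory_region_dispatch_write routes that DMA write into the device's own MMIO handler, the handler re-enters intel_hda_corb_run, and the cycle repeats until AddressSanitizer reports stack-overflow. All the reproducer has to do is program a DMA target that resolves to the controller's own BAR. The toy below is an added example written for this page; it is not QEMU code and not the project's fix. It models a controller with a command ring and a response ring, a guest that points the response ring at the controller's own BAR, and a nesting counter capped so that the toy never overflows its own stack. Every name (toy_*, REG_*, MMIO_BASE), the register layout, the response-entry encoding and the command word are invented for the example, and the re-entrancy guard is a per-device "already in a handler" flag chosen for illustration.

```c
/* Added example, not QEMU code: toy of the DMA re-entrancy loop in the intel-hda trace. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE      0x1000
#define MMIO_BASE     0x6a440000u   /* toy BAR address */
#define MMIO_SIZE     0x100
#define REG_CORBCTL   0x04          /* toy offset: command-ring engine control */
#define REG_RIRBLBASE 0x08          /* toy offset: response-ring base */
#define CORBCTL_RUN   0x02
#define MAX_DEPTH     64            /* the real device has no cap: stack-overflow */

struct toy_hda {
    uint32_t corb_rp, corb_wp;      /* command ring read/write pointers */
    uint32_t rirb_base, rirb_wp;    /* response ring base (guest-set), write pointer */
    uint32_t corb_ctl;
    bool     guard, in_corb_run;    /* guard enabled? / a handler is already running */
    int      depth, max_depth;      /* nesting of toy_corb_run */
    int      dropped;               /* re-entrant accesses refused by the guard */
};

static uint8_t toy_ram[RAM_SIZE];   /* guest RAM; the command ring sits at offset 0 */
static void toy_corb_run(struct toy_hda *d);

/* Register write handler (the memory_region_write_accessor -> device op step). */
static void toy_mmio_write(struct toy_hda *d, uint32_t off, uint32_t val)
{
    if (d->guard && d->in_corb_run) { d->dropped++; return; }  /* DMA into itself: refuse */
    switch (off) {
    case REG_RIRBLBASE:
        d->rirb_base = val & ~0x7fu;        /* ring base is 128-byte aligned */
        break;
    case REG_CORBCTL:
        d->corb_ctl = val;
        if (val & CORBCTL_RUN) toy_corb_run(d);   /* engine starts synchronously */
        break;
    }
}

/* Device DMA write (stl_le_pci_dma -> address_space_write): RAM, own MMIO, or nowhere. */
static void toy_dma_write(struct toy_hda *d, uint32_t addr, uint32_t val)
{
    if (addr + 4 <= RAM_SIZE) {
        memcpy(&toy_ram[addr], &val, sizeof val);
    } else if (addr >= MMIO_BASE && addr + 4 <= MMIO_BASE + MMIO_SIZE) {
        toy_mmio_write(d, addr - MMIO_BASE, val);   /* dispatched back into the device */
    }
}

/* 8-byte response entry: response word, then 0x10 | codec address (toy convention). */
static void toy_response(struct toy_hda *d, uint32_t resp, uint8_t cad)
{
    uint32_t entry = d->rirb_base + d->rirb_wp * 8;
    toy_dma_write(d, entry, resp);
    toy_dma_write(d, entry + 4, 0x10u | cad);   /* cad == 2: this word has CORBCTL_RUN set */
    d->rirb_wp = (d->rirb_wp + 1) % 16;
}

static void toy_corb_run(struct toy_hda *d)
{
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    if (d->depth >= MAX_DEPTH) { d->depth--; return; }   /* stand-in for the ASAN report */
    d->in_corb_run = true;
    while ((d->corb_ctl & CORBCTL_RUN) && d->corb_rp != d->corb_wp) {
        uint32_t verb;
        memcpy(&verb, &toy_ram[d->corb_rp * 4], sizeof verb);   /* read the command */
        toy_response(d, ~verb, 2);  /* codec 2 answers before rp advances: may re-enter */
        if (d->corb_rp != d->corb_wp) d->corb_rp = (d->corb_rp + 1) % 256;
    }
    d->in_corb_run = false;
    d->depth--;
}

/* Drive the toy as the reproducer drives the device; returns the deepest nesting. */
static int toy_simulate(bool guard, int *dropped)
{
    struct toy_hda d;
    uint32_t verb = 0x002f0012u;    /* constructed command word */
    memset(&d, 0, sizeof d);
    d.guard = guard;
    memcpy(&toy_ram[0], &verb, sizeof verb);
    d.corb_wp = 1;                  /* one command queued in slot 0 */
    toy_mmio_write(&d, REG_RIRBLBASE, MMIO_BASE);   /* guest: responses land in our own BAR */
    toy_mmio_write(&d, REG_CORBCTL, CORBCTL_RUN);   /* guest: start the engine */
    if (dropped) *dropped = d.dropped;
    return d.max_depth;
}

int main(void)
{
    int dropped = 0, unguarded = toy_simulate(false, NULL);
    int guarded = toy_simulate(true, &dropped);
    printf("unguarded: nesting %d (cap %d); guarded: nesting %d, refused %d\n",
           unguarded, MAX_DEPTH, guarded, dropped);
    return 0;
}
```

Build with cc -o toy toy.c and run it: the unguarded pass nests to the cap (64) while the guarded pass stops at depth 1 and refuses the two writes the device aimed at itself. The detail that makes the loop self-sustaining in the toy is ordering: the response is written before the read pointer advances, so the nested run finds the same command still pending. Dropping re-entrant accesses is a blunt policy; a device that legitimately needs to touch its own registers from a DMA completion path would need a narrower check.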

* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
  2020-12-09 20:30 [Bug 1907497] [NEW] [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma Alexander Bulekov
                   ` (6 preceding siblings ...)
  2021-06-30 16:44 ` Thomas Huth
@ 2021-08-21  4:11 ` Alexander Bulekov
  2021-08-21  6:18 ` Thomas Huth
  8 siblings, 0 replies; 10+ messages in thread
From: Alexander Bulekov @ 2021-08-21  4:11 UTC (permalink / raw)
  To: qemu-devel

I moved this report over to QEMU's new bug tracker on gitlab.com.
Please continue with the discussion here:

https://gitlab.com/qemu-project/qemu/-/issues/542

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #542
   https://gitlab.com/qemu-project/qemu/-/issues/542

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1907497

Title:
  [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-
  hda: Stack-overflow in ldl_le_dma

Status in QEMU:
  Confirmed


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Bug 1907497] Re: [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma
  2020-12-09 20:30 [Bug 1907497] [NEW] [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma Alexander Bulekov
                   ` (7 preceding siblings ...)
  2021-08-21  4:11 ` Alexander Bulekov
@ 2021-08-21  6:18 ` Thomas Huth
  8 siblings, 0 replies; 10+ messages in thread
From: Thomas Huth @ 2021-08-21  6:18 UTC (permalink / raw)
  To: qemu-devel

Thanks for moving it over! ... let's close this one here on Launchpad
now.


** Changed in: qemu
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1907497

Title:
  [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-
  hda: Stack-overflow in ldl_le_dma

Status in QEMU:
  Invalid


^ permalink raw reply	[flat|nested] 10+ messages in thread


Thread overview: 10+ messages
2020-12-09 20:30 [Bug 1907497] [NEW] [OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma Alexander Bulekov
2021-01-15 16:12 ` [Bug 1907497] " Peter Maydell
2021-06-10  8:48 ` Thomas Huth
2021-06-21  5:57 ` Gianluca Gabruelli
2021-06-21  7:18 ` Thomas Huth
2021-06-22 15:57 ` Mauro Matteo Cascella
2021-06-30 15:04 ` Gianluca Gabruelli
2021-06-30 16:44 ` Thomas Huth
2021-08-21  4:11 ` Alexander Bulekov
2021-08-21  6:18 ` Thomas Huth
