* [Bug 1905444] [NEW] [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Stack-overflow in address_space_stl_internal
@ 2020-11-24 17:18 Alexander Bulekov
From: Alexander Bulekov @ 2020-11-24 17:18 UTC
  To: qemu-devel

Public bug reported:

 affects qemu

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27796

=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -display none  -machine accel=qtest, \
-m 512M -machine q35 -nodefaults \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
-qtest-log none -qtest stdio
outl 0xcf8 0x80000803
outw 0xcfc 0x5e46
outl 0xcf8 0x80000810
outl 0xcfc 0xff5a5e46
write 0xff5a5020 0x6 0xffffffff0b70
outl 0xcf8 0x80000893
outb 0xcfc 0x93
writel 0xff5a7000 0xff5a5020
write 0xff5a700c 0x4 0x0c0c2e58
write 0xff5a4040 0x4 0x00d26001
write 0xff5a4044 0x4 0x0000030
EOF

=== Stack Trace ===
==50473==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe3ec97e28 (pc 0x55e292eac159 bp 0x7ffe3ec98670 sp 0x7ffe3ec97e30 T0)
#0 0x55e292eac159 in __asan_memcpy (u-system-i386+0x2a0e159)
#1 0x55e2944bc04e in flatview_do_translate softmmu/physmem.c:513:12
#2 0x55e2944dbe90 in flatview_translate softmmu/physmem.c:563:15
#3 0x55e2944dbe90 in address_space_translate include/exec/memory.h:2362:12
#4 0x55e2944dbe90 in address_space_stl_internal memory_ldst.c.inc:316:10
#5 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
#6 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
#7 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
#8 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
#9 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
#10 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
#11 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
#12 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
#13 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
#14 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
#15 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
#16 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
#17 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
#18 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905444

Title:
  [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-
  generic-fuzz-xhci: Stack-overflow in address_space_stl_internal

Status in QEMU:
  New

Bug description:
   affects qemu

  OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27796

  === Reproducer (build with --enable-sanitizers) ===
  cat << EOF | ./qemu-system-i386 -display none  -machine accel=qtest, \
  -m 512M -machine q35 -nodefaults \
  -drive file=null-co://,if=none,format=raw,id=disk0 \
  -device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
  -qtest-log none -qtest stdio
  outl 0xcf8 0x80000803
  outw 0xcfc 0x5e46
  outl 0xcf8 0x80000810
  outl 0xcfc 0xff5a5e46
  write 0xff5a5020 0x6 0xffffffff0b70
  outl 0xcf8 0x80000893
  outb 0xcfc 0x93
  writel 0xff5a7000 0xff5a5020
  write 0xff5a700c 0x4 0x0c0c2e58
  write 0xff5a4040 0x4 0x00d26001
  write 0xff5a4044 0x4 0x0000030
  EOF

  === Stack Trace ===
  ==50473==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe3ec97e28 (pc 0x55e292eac159 bp 0x7ffe3ec98670 sp 0x7ffe3ec97e30 T0)
  #0 0x55e292eac159 in __asan_memcpy (u-system-i386+0x2a0e159)
  #1 0x55e2944bc04e in flatview_do_translate softmmu/physmem.c:513:12
  #2 0x55e2944dbe90 in flatview_translate softmmu/physmem.c:563:15
  #3 0x55e2944dbe90 in address_space_translate include/exec/memory.h:2362:12
  #4 0x55e2944dbe90 in address_space_stl_internal memory_ldst.c.inc:316:10
  #5 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
  #6 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
  #7 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
  #8 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
  #9 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
  #10 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
  #11 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
  #12 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
  #13 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
  #14 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
  #15 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
  #16 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
  #17 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
  #18 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905444/+subscriptions
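The stack trace in the report repeats the same three frames: xhci_intr_update() stores an event to a guest-supplied address, that address resolves back into the xHCI's own MMIO window, memory_region_dispatch_write() lands in xhci_runtime_write() again, and the cycle continues until the stack is exhausted. The C program below is an added example written for this page, not QEMU code and not a description of what the fix commit cited later in the thread does. It models a device whose DMA target is guest-programmable, reproduces the unbounded re-entry (capped at DEMO_DEPTH_CAP so the demo returns where QEMU instead crashed), and adds the check a device model or its memory layer wants: refuse and count any nested entry into a device that is already handling an access. Every address, register offset, size and function name here is constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: 64 KiB of "guest RAM" at 0, a 4 KiB device MMIO
 * window above it. Not QEMU's real layout or register map. */
#define RAM_SIZE       0x10000u
#define MMIO_BASE      0x20000u
#define MMIO_SIZE      0x1000u
#define REG_EVENT_PTR  0x0u   /* guest programs the device's DMA target here */
#define REG_DOORBELL   0x4u   /* a write here makes the device emit an event */
#define DEMO_DEPTH_CAP 32u    /* stands in for the stack limit of the real crash */

typedef struct {
    uint8_t  ram[RAM_SIZE];
    uint32_t event_ptr;      /* guest-chosen address the device DMAs into */
    bool     guard_enabled;  /* refuse nested entry into a busy device? */
    bool     in_handler;     /* set while the device's MMIO handler runs */
    unsigned depth;          /* current handler nesting */
    unsigned max_depth;      /* deepest nesting observed */
    unsigned blocked;        /* nested accesses the guard refused */
} machine_t;

static void as_write32(machine_t *m, uint32_t addr, uint32_t val);

/* Device MMIO write handler. The doorbell path does what xhci_intr_update()
 * does in the trace: it stores to guest memory at a guest-chosen address
 * through the same address-space API the guest's own access came in on. */
static void device_mmio_write(machine_t *m, uint32_t offset, uint32_t val)
{
    if (offset == REG_EVENT_PTR) {
        m->event_ptr = val;
    } else if (offset == REG_DOORBELL) {
        as_write32(m, m->event_ptr, val);
    }
}

/* Address-space dispatcher shared by the guest and by device DMA.
 * Range checks are written so they cannot overflow for any 32-bit addr. */
static void as_write32(machine_t *m, uint32_t addr, uint32_t val)
{
    if (addr <= RAM_SIZE - 4u) {
        memcpy(&m->ram[addr], &val, sizeof val);
        return;
    }
    if (addr < MMIO_BASE || addr - MMIO_BASE > MMIO_SIZE - 4u) {
        return;   /* unmapped: dropped, as a stray bus-master write would be */
    }
    if (m->in_handler) {
        if (m->guard_enabled) {
            m->blocked++;   /* re-entrant access into a busy device: refuse it */
            return;
        }
        if (m->depth >= DEMO_DEPTH_CAP) {
            return;         /* unguarded model only; QEMU had no cap and overflowed */
        }
    }
    m->depth++;
    if (m->depth > m->max_depth) {
        m->max_depth = m->depth;
    }
    m->in_handler = true;
    device_mmio_write(m, addr - MMIO_BASE, val);
    m->depth--;
    m->in_handler = m->depth > 0;
}

/* Hostile guest: points the event pointer at the device's own doorbell and
 * rings it. Returns the deepest handler nesting reached; *blocked receives
 * how many nested accesses the guard refused. */
unsigned run_self_referencing_dma(bool guard_enabled, unsigned *blocked)
{
    static machine_t m;   /* static: keeps the 64 KiB RAM image off the stack */
    memset(&m, 0, sizeof m);
    m.guard_enabled = guard_enabled;
    as_write32(&m, MMIO_BASE + REG_EVENT_PTR, MMIO_BASE + REG_DOORBELL);
    as_write32(&m, MMIO_BASE + REG_DOORBELL, 0xdeadbeefu);
    if (blocked) {
        *blocked = m.blocked;
    }
    return m.max_depth;
}

/* Well-behaved guest: the event pointer is in RAM, so the DMA store completes
 * normally even with the guard on. Returns the value the device wrote. */
uint32_t run_benign_dma(void)
{
    static machine_t m;
    uint32_t v;
    memset(&m, 0, sizeof m);
    m.guard_enabled = true;
    as_write32(&m, MMIO_BASE + REG_EVENT_PTR, 0x100u);
    as_write32(&m, MMIO_BASE + REG_DOORBELL, 0x11223344u);
    memcpy(&v, &m.ram[0x100], sizeof v);
    return v;
}

int main(void)
{
    unsigned blocked = 0;
    unsigned depth = run_self_referencing_dma(false, &blocked);
    printf("unguarded: nesting reached %u (capped)\n", depth);
    depth = run_self_referencing_dma(true, &blocked);
    printf("guarded:   nesting reached %u, %u nested access(es) refused\n", depth, blocked);
    printf("benign:    RAM[0x100] = 0x%08x\n", run_benign_dma());
    return 0;
}
```

The guard is deliberately coarse: it drops any access that re-enters the device while a handler is on the stack, which is the behaviour a fuzzer-found recursion needs and a sane guest never triggers, since real controllers place their event rings in RAM. A stricter device model would additionally reject a DMA target that overlaps its own register window at the moment the guest programs it, so the bad pointer is refused before a doorbell ever uses it.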



* [Bug 1905444] Re: [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Stack-overflow in address_space_stl_internal
@ 2021-01-15 16:16 ` Peter Maydell
From: Peter Maydell @ 2021-01-15 16:16 UTC
  To: qemu-devel

** Tags added: fuzzer


* [Bug 1905444] Re: [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Stack-overflow in address_space_stl_internal
@ 2021-05-31 18:42 ` Thomas Huth
From: Thomas Huth @ 2021-05-31 18:42 UTC
  To: qemu-devel

As mentioned by Alexander here:
https://lists.gnu.org/archive/html/qemu-devel/2021-05/msg08637.html
this has likely been fixed by this commit here:
https://gitlab.com/qemu-project/qemu/-/commit/3c6151cd11ae7e4a7dae10f8c17ab1fe2f0a73bf
... thus I'm marking this as fixed now. If it occurs again, please open a new ticket in the Gitlab bug tracker. Thanks!

** Changed in: qemu
       Status: New => Fix Committed


* [Bug 1905444] Re: [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Stack-overflow in address_space_stl_internal
@ 2021-08-25  7:17 ` Thomas Huth
From: Thomas Huth @ 2021-08-25 7:17 UTC
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released
