Assertion failures in ati_reg_read_offs/ati_reg_write_offs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
While fuzzing, I found inputs that trigger assertion failures in
ati_reg_
uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length > 0 && length <= 32 - start' failed
#3 0x00007ffff6866092 in __GI___assert_fail (assertion=
#4 0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/
#5 0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/
#6 0x000055555601446e in memory_
#7 0x0000555556001a70 in access_
#8 0x0000555556001a70 in memory_
I can reproduce it in qemu 5.0 built with using:
cat << EOF | ~/Development/
outl 0xcf8 0x80001018
outl 0xcfc 0xe2000000
outl 0xcf8 0x8000101c
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x8000fa20
write 0xe2000004 0x1 0x1a
readq 0xe2000000
EOF
Similarly for ati_reg_write_offs:
cat << EOF | ~/Development/
outl 0xcf8 0x80001018
outl 0xcfc 0xe2000000
outl 0xcf8 0x8000101c
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x8000fa20
write 0xe2000000 0x8 0x6a00000000006a00
EOF
I also attached the traces to this launchpad report, in case the formatting is broken:
qemu-system-i386 -M pc-q35-5.0 -device ati-vga -nographic -qtest stdio -monitor none -serial none < attachment
Please let me know if I can provide any further info.
-Alex
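The assertion quoted above is extract32's precondition (`start >= 0 && length > 0 && length <= 32 - start`). The following is an added illustration, not code from the report or from QEMU: it re-implements extract32 from that contract and models the generic pattern in which a byte offset into a 32-bit register and an access width are multiplied by 8 to form `start` and `length`. The helper names `reg_access_in_bounds` and `reg_read_offs_checked` are hypothetical; they show the bounds check that has to hold before extract32 is called, so that a sub-register access which crosses the register boundary (for example offset 2 with an 8-byte width) is rejected instead of tripping the assertion.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Re-implementation of extract32() from the contract in the assertion
 * message (not QEMU's source): bits [start, start + length) of value. */
static uint32_t extract32(uint32_t value, int start, int length)
{
    assert(start >= 0 && length > 0 && length <= 32 - start);
    return (value >> start) & (~0U >> (32 - length));
}

/* Hypothetical precondition for a byte-granular access into one 32-bit
 * register: offs bytes in, size bytes wide, must stay inside 4 bytes.
 * Multiplying by 8 turns this into exactly extract32's own check. */
static bool reg_access_in_bounds(int offs, unsigned size)
{
    return offs >= 0 && size > 0 && (unsigned)offs + size <= 4;
}

/* Hypothetical guarded reader: reports an out-of-bounds access to the caller
 * instead of letting it reach extract32's assertion. */
static bool reg_read_offs_checked(uint32_t reg, int offs, unsigned size,
                                  uint64_t *out)
{
    if (!reg_access_in_bounds(offs, size)) {
        return false;
    }
    *out = extract32(reg, offs * 8, size * 8);
    return true;
}

int main(void)
{
    /* Constructed register value and the two access shapes to compare. */
    const uint32_t reg = 0xdeadbeef;
    uint64_t v;

    /* 2 bytes at offset 2: start 16, length 16, inside the register. */
    if (reg_read_offs_checked(reg, 2, 2, &v)) {
        printf("offs=2 size=2 -> 0x%llx\n", (unsigned long long)v);
    }

    /* 8 bytes at offset 2: start 16, length 64, would violate the contract. */
    if (!reg_read_offs_checked(reg, 2, 8, &v)) {
        printf("offs=2 size=8 rejected (would need length 64 <= 32 - 16)\n");
    }
    return 0;
}
```

The guard is the interesting part: device-model register decoders that derive `start` and `length` from guest-controlled offsets need to validate the (offset, size) pair themselves, because extract32 only asserts and an assertion failure in a device model is a guest-triggerable crash of the whole VM.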
Hello,
Please disregard this - I submitted it to the wrong Launchpad site.