I/O writes make cirrus_invalidate_region() crash
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
As of commit d19f1ab0, LLVM libFuzzer found:
qemu-fuzz-i386: hw/display/
==1336555== ERROR: libFuzzer: deadly signal
#0 0xaaaaaf943ce4 in __sanitizer_
#1 0xaaaaaf899474 in fuzzer:
#2 0xaaaaaf884c80 in fuzzer:
#3 0xffff9b4e8568 (linux-
#4 0xffff99ac406c in __libc_
#5 0xffff99ac406c in raise /build/
#6 0xffff99ab0d64 in abort /build/
#7 0xffff99abd5d8 in __assert_fail_base /build/
#8 0xffff99abd640 in __assert_fail /build/
#9 0xaaaab040768c in cirrus_
#10 0xaaaab0405404 in cirrus_
#11 0xaaaab0402a88 in cirrus_bitblt_start
#12 0xaaaab04046a8 in cirrus_write_bitblt
#13 0xaaaab0400db4 in cirrus_vga_write_gr
#14 0xaaaab03fd33c in cirrus_
#15 0xaaaaafb41674 in memory_
#16 0xaaaaafb411ec in access_
#17 0xaaaaafb40180 in memory_
#18 0xaaaaaf995dfc in flatview_
#19 0xaaaaaf985bd8 in flatview_write
#20 0xaaaaaf98574c in address_space_write
#21 0xaaaab110510c in ioport_fuzz_qtest
#22 0xaaaab1103a48 in i440fx_fuzz_qtest
#23 0xaaaab11010d8 in LLVMFuzzerTestO
Reproducer:
qemu-system-i386 -M isapc,accel=qtest -vga cirrus -qtest stdio << 'EOF'
outl 0x03b1 0x2fdc1001
outb 0x03cc 0xe
outb 0x03cc 0xe
outb 0x03cc 0x2f
outb 0x03cc 0xe
outb 0x03cc 0x2f
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outb 0x03cc 0x2f
outl 0x03cc 0xe24f40e
outl 0x03cc 0x2f23dc12
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe2af40e
outl 0x03cc 0x2f235612
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0x2fdcf40e
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outb 0x03cc 0x2f
outl 0x03cc 0xe24f40e
outl 0x03cc 0xe23dc12
outb 0x03cc 0x2f
outl 0x03cc 0xedc100e
outl 0x03cc 0x2fdc400e
outb 0x03cc 0xe
outl 0x03cc 0xe130100e
outb 0x03cc 0x2f
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe33f40e
outl 0x03cc 0xdc235612
outb 0x03cc 0xe
outl 0x03cc 0x2fdc400e
outb 0x03cc 0xe
outl 0x03cc 0xfb24100e
outb 0x03cc 0x2f
outl 0x03cc 0xdc10dc0e
outl 0x03cc 0x2f31dc12
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0xe23f40e
outl 0x03cc 0xe31dc12
outb 0x03cc 0x2f
outl 0x03cc 0x1021f40e
EOF
qemu-system-i386: hw/display/
Aborted (core dumped)
(gdb) bt
#0 0x00007f1d019fee35 in raise () at /lib64/libc.so.6
#1 0x00007f1d019e9895 in abort () at /lib64/libc.so.6
#2 0x00007f1d019e9769 in _nl_load_
#3 0x00007f1d019f7566 in annobin_
#4 0x00005645cb447a37 in cirrus_
#5 0x00005645cb447cc8 in cirrus_
#6 0x00005645cb448886 in cirrus_bitblt_start (s=0x5645cd237540) at hw/display/
#7 0x00005645cb448dd1 in cirrus_write_bitblt (s=0x5645cd237540, reg_value=47) at hw/display/
#8 0x00005645cb449b02 in cirrus_vga_write_gr (s=0x5645cd237540, reg_index=49, reg_value=47) at hw/display/
#9 0x00005645cb44bb2f in cirrus_
#10 0x00005645cb1e0d6e in memory_
#11 0x00005645cb1e0f7f in access_
0x5645cb1e0c8b <memory_
#12 0x00005645cb1e3e9d in memory_
#13 0x00005645cb1845e5 in flatview_
#14 0x00005645cb18472a in flatview_write (fv=0x5645cd65e510, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3177
#15 0x00005645cb184a7d in address_space_write (as=0x5645cbd7bb20 <address_space_io>, addr=972, attrs=..., buf=0x7fff178d6da4, len=4) at exec.c:3268
#16 0x00005645cb1db385 in cpu_outl (addr=972, val=791796754) at ioport.c:80
Making this bug public as secalert@ said "if an unprivileged guest user can not trigger it, it can be treated as a normal bug".
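As an added example (not part of this bug report or of QEMU's own code), the following Python script decodes a qtest reproducer like the one above into Cirrus graphics-controller (GR) register writes, so it is visible which `outl` line actually reaches the blitter. It assumes that a multi-byte `outw`/`outl` to the VGA I/O range is handled as consecutive single-byte port writes with the least significant byte at the lowest port, and that 0x3ce is the GR index port and 0x3cf the GR data port; both are standard VGA behaviour and are consistent with the gdb frames, where cpu_outl(addr=972, val=791796754), i.e. `outl 0x03cc 0x2f31dc12`, arrives in cirrus_vga_write_gr with reg_index=49 (0x31) and reg_value=47 (0x2f). The constant BLT_START_BIT = 0x02 (bit 1 of GR31 starts a blit) comes from the Cirrus register layout, not from the page, and is marked as an assumption in the code. The index byte is reported raw; the emulated device may mask it.

```python
import sys

GR_INDEX_PORT = 0x3ce   # standard VGA graphics-controller index port
GR_DATA_PORT = 0x3cf    # standard VGA graphics-controller data port
BLT_START_REG = 0x31    # GR index that reaches cirrus_write_bitblt in the trace
BLT_START_BIT = 0x02    # assumption: bit 1 of GR31 is the "start blit" bit

# Width in bytes of each qtest port-write command.
WIDTH = {"outb": 1, "outw": 2, "outl": 4}

# Constructed sample: a subset of the reproducer lines from the report,
# ending with the write the gdb backtrace shows crashing.
SAMPLE = """\
outl 0x03b1 0x2fdc1001
outb 0x03cc 0xe
outl 0x03cc 0xedc100e
outl 0x03cc 0xdc10dc0e
outl 0x03cc 0x2f31dc12
"""


def expand(line):
    """Turn one qtest out{b,w,l} line into a list of (port, byte) pairs,
    least significant byte at the lowest port (little-endian, as on x86)."""
    op, port, value = line.split()
    n = WIDTH[op]
    port = int(port, 0)      # accepts 0x03cc as well as decimal 972
    value = int(value, 0)
    if value >> (8 * n):
        raise ValueError(f"{value:#x} does not fit in {n} byte(s)")
    return [(port + i, (value >> (8 * i)) & 0xff) for i in range(n)]


def decode_gr_writes(script):
    """Replay the script, tracking the GR index latch written through 0x3ce,
    and return the (gr_index, value) pairs written through 0x3cf, in order.
    Lines that are not out{b,w,l} commands are ignored."""
    gr_index = 0
    writes = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.split()[0] not in WIDTH:
            continue
        for port, byte in expand(line):
            if port == GR_INDEX_PORT:
                gr_index = byte
            elif port == GR_DATA_PORT:
                writes.append((gr_index, byte))
    return writes


def blit_starts(writes):
    """Return the subset of GR writes that hit GR31 with the start bit set."""
    return [(i, v) for i, v in writes
            if i == BLT_START_REG and v & BLT_START_BIT]


if __name__ == "__main__":
    # Usage: python decode.py reproducer.txt   (falls back to SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for idx, val in decode_gr_writes(text):
        mark = "  <- BLT start" if (idx, val) in blit_starts([(idx, val)]) else ""
        print(f"GR[{idx:#04x}] = {val:#04x}{mark}")
```

Feeding the full reproducer from the report to this script lists every GR register write in order; the `outb 0x03cc` lines never reach 0x3ce/0x3cf and so contribute nothing, and only the `outl` lines whose upper two bytes are 0x31 and 0x2f start a blit.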