[OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
Reproducer:
cat << EOF | ./i386-
-drive id=mydrive,
-device virtio-
-nodefaults -qtest stdio -nographic
outl 0xcf8 0x80001001
outl 0xcfc 0x6574c1ff
outl 0xcf8 0x8000100e
outl 0xcfc 0xefe5e1e
outl 0xe86 0x3aff9090
outl 0xe84 0x3aff9090
outl 0xe8e 0xe
EOF
qemu-system-i386: /home/alxndr/
Aborted
I can trigger similar assertions with other VIRTIO devices, as well.
I reported this at some point in Message-ID: <email address hidden> but never created a Launchpad issue...
-Alex
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26797
=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -display none \
-machine accel=qtest, -m 512M -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw \
-qtest stdio
outl 0xcf8 0x80001889
outl 0xcfc 0x1000ffff
outl 0xcf8 0x80001897
outl 0xcf8 0x80001890
outl 0xcfc 0x4
outl 0xcf8 0x800018ff
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188a
outl 0xcfc 0xd4624
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001897
outl 0xcfc 0xff6ca0ba
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x8000185a
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
inb 0xcfc
outl 0xcf8 0x80001802
outl 0xcfc 0x65a6055
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x24
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1
outl 0xcf8 0x80001892
outl 0xcfc 0x1ff04
outl 0xcf8 0x8000188c
outw 0xcfc 0x1c
outl 0xcf8 0x80001890
outl 0xcfc 0x1
outl 0xcf8 0x80001897
outl 0xcfc 0xfd467562
outl 0xcf8 0x8000188a
outl 0xcfc 0x245a5546
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1ff04
EOF
=== Stack Trace ===
qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
:PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
:Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
include/exec/memory_ldst_phys.h.inc:121:5
stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
avail_event /src/qemu/hw/virtio/virtio.c:428:5
queue_split_set_notification /src/qemu/hw/virtio/virtio.c:437:9
queue_set_notification /src/qemu/hw/virtio/virtio.c:498:9
blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
queue_notify_aio_vq /src/qemu/hw/virti...
==46== ERROR: libFuzzer: deadly signal
#0 0x55deb7b59e61 in __sanitizer_
#1 0x55deb7aa1158 in fuzzer:
#2 0x55deb7a87053 in fuzzer:
#3 0x7fccd310638f in libpthread.so.0
#4 0x7fccd273e437 in gsignal
#5 0x7fccd2740039 in abort
#6 0x7fccd2736be6 in libc.so.6
#7 0x7fccd2736c91 in __assert_fail
#8 0x55deb8416ba3 in address_
#9 0x55deb8416a40 in stw_le_phys_cached /src/qemu/
#10 0x55deb8416a13 in virtio_
#11 0x55deb8416899 in vring_set_
#12 0x55deb8406ba8 in virtio_
#13 0x55deb84067a2 in virtio_
#14 0x55deb84755d3 in virtio_
#15 0x55deb84916ce in virtio_
#16 0x55deb841afaf in virtio_