QEMU

Assertion failure `mr != NULL' failed through usb-ehci

Bug #1901532 reported by Cheolwoo,Myung on 2020-10-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

Hello,

Using hypervisor fuzzer, hyfuzz, I found an assertion failure through usb-ehci.

This was found in version 5.0.1 (stable-5.0).

--------

qemu-system-i386: src/qemu-repro/exec.c:3581: address_space_unmap: Assertion `mr != NULL' failed.
[1] 14721 abort src/qemu-repro/build/i386-softmmu/qemu-system-i386

To reproduce the assertion failure, please run the QEMU with following command line.

```
$ qemu-system-i386 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -m 512 -drive if=none,id=stick,file=./usbdisk.img -device usb-ehci,id=ehci -device usb-storage,bus=ehci.0,drive=stick
```

Tags:

CVE References

2020-25723

Revision history for this message

Cheolwoo,Myung (cwmyung) wrote on 2020-10-26:

attachment.zip Edit (1.3 MiB, application/zip)

Cheolwoo,Myung (cwmyung) on 2020-12-17

Changed in qemu:
status:	New → Confirmed

Peter Maydell (pmaydell) on 2021-01-15

tags:

added: fuzzer

Revision history for this message

Thomas Huth (th-huth) wrote on 2021-05-11:

Can you still reproduce this with QEMU v6.0 ? For me, qemu now does not crash anymore, so I assume this might have been fixed within the past months?

Changed in qemu:
status:	Confirmed → Incomplete

Revision history for this message

Thomas Huth (th-huth) wrote on 2021-06-16:

This problem got fixed by this commit:

2fdb42d840400d58f2e706ecca82c142b97bcbd6
hw: ehci: check return value of 'usb_packet_map'

Thus let's close this ticket now.

Changed in qemu:
status:	Incomplete → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

attachment.zip Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.