[OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
OSS-Fuzz Report: https:/
=== Reproducer (build with --enable-
```shell
export UBSAN_OPTIONS=
cat << EOF | ./qemu-system-i386 -display none -machine\
accel=qtest, -m 512M -machine q35 -nodefaults -drive\
file=null-
qemu-xhci,id=xhci -device usb-tablet,
-device usb-bot -device usb-storage,
-chardev null,id=cd0 -chardev null,id=cd1 -device\
usb-braille,
usb-ccid -device usb-kbd -device usb-mouse -device\
usb-serial,
usb-wacom-tablet -device usb-audio -qtest stdio
outl 0xcf8 0x80000803
outl 0xcfc 0x18caffff
outl 0xcf8 0x80000810
outl 0xcfc 0x555a2e46
write 0x555a1004 0x4 0xe7b9aa7a
EOF
```
=== Stack Trace ===
```text
SUMMARY: UndefinedBehavi
../hw/usb/
#0 0x55bd2e97c8b0 in xhci_runtime_write /src/qemu/
#1 0x55bd2edfdd13 in memory_
#2 0x55bd2edfdb14 in access_
#3 0x55bd2edfd54b in memory_
#4 0x55bd2ed7fa46 in flatview_
#5 0x55bd2ed7cac0 in flatview_write /src/qemu/
#6 0x55bd2ed7c9f8 in address_space_write /src/qemu/
#7 0x55bd2e85cf9b in __wrap_qtest_writeq /src/qemu/
#8 0x55bd2e85b7b1 in op_write /src/qemu/
#9 0x55bd2e85a84c in generic_fuzz /src/qemu/
#10 0x55bd2e85dd6f in LLVMFuzzerTestO
#11 0x55bd2e7e9661 in fuzzer:
#12 0x55bd2e7d4732 in fuzzer:
#13 0x55bd2e7da7ee in fuzzer:
#14 0x55bd2e8027d2 in main /src/llvm-
#15 0x7f3d153b783f in __libc_start_main
```
ClusterFuzz testcase 5747786781556736 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_ubsan_qemu&range=202011040616:202011060622