qemu-system-i386 virtio-vga: Assertion in address_space_stw_le_cached failed again
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Expired | Undecided | Unassigned |
Bug Description
When I was fuzzing the virtio-vga device of the latest QEMU (1758428, Dec 12, built with --enable-sanitizers --enable-fuzzing), an assertion failed in include/
--[ Reproducer
cat << EOF | ./build/
-machine q35 -display none -nodefaults -device virtio-vga -qtest stdio
outl 0xcf8 0x8000081c
outb 0xcfc 0xc3
outl 0xcf8 0x80000804
outb 0xcfc 0x06
write 0xc300001024 0x2 0x0040
write 0xc300001028 0x1 0x5a
write 0xc30000101c 0x1 0x01
writel 0xc30000100c 0x20000000
write 0xc300001016 0x3 0x80a080
write 0xc300003002 0x1 0x80
write 0x5c 0x1 0x10
EOF
--[ Output
==35337==WARNING: ASan doesn't fully support makecontext/
[I 1607946348.442865] OPENED
[R +0.059305] outl 0xcf8 0x8000081c
OK
[S +0.059326] OK
[R +0.059338] outb 0xcfc 0xc3
OK
[S +0.059355] OK
[R +0.059363] outl 0xcf8 0x80000804
OK
[S +0.059369] OK
[R +0.059381] outb 0xcfc 0x06
OK
[S +0.061094] OK
[R +0.061107] write 0xc300001024 0x2 0x0040
OK
[S +0.061120] OK
[R +0.061127] write 0xc300001028 0x1 0x5a
OK
[S +0.061135] OK
[R +0.061142] write 0xc30000101c 0x1 0x01
OK
[S +0.061158] OK
[R +0.061167] writel 0xc30000100c 0x20000000
OK
[S +0.061212] OK
[R +0.061222] write 0xc300001016 0x3 0x80a080
OK
[S +0.061231] OK
[R +0.061238] write 0xc300003002 0x1 0x80
OK
[S +0.061247] OK
[R +0.061253] write 0x5c 0x1 0x10
OK
[S +0.061403] OK
qemu-system-i386: /home/qiuhao/
--[ Environment
Ubuntu 20.04.1 5.4.0-58-generic x86_64
clang: 10.0.0-4ubuntu1
glibc: 2.31-0ubuntu9.1
libglib2.0-dev: 2.64.3-
--[ Note
Alexander Bulekov found the same assertion failure on 2020-08-04, https:/
Fam Zheng found the same assertion failure on 2018-09-29, https:/
tags: added: fuzzer
--[ Original Fuzzing output
./build/qemu-fuzz-i386 --fuzz-target=generic-fuzz-virtio-vga ../fuzz/20201208/crash-da778083c63d2b24d8f7780383b2602a7a156352
qemu-fuzz-i386: /home/qiuhao/hack/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
print_stack_trace (/home/qiuhao/hack/qemu/build/qemu-fuzz-i386+0x305dc81)
:PrintStackTrace() (/home/qiuhao/hack/qemu/build/qemu-fuzz-i386+0x2fa8dd8)
:Fuzzer::CrashCallback() (/home/qiuhao/hack/qemu/build/qemu-fuzz-i386+0x2f8df23)
64-linux-gnu/libpthread.so.0+0x153bf)
signal_restore_set /build/glibc-ZN95T4/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
glibc-ZN95T4/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
glibc-ZN95T4/glibc-2.31/stdlib/abort.c:79:7
glibc-ZN95T4/glibc-2.31/assert/assert.c:92:3
glibc-ZN95T4/glibc-2.31/assert/assert.c:101:3
space_stw_le_cached /home/qiuhao/hack/qemu/include/exec/memory_ldst_cached.h.inc:88:5
hack/qemu/include/exec/memory_ldst_phys.h.inc:121:5
stw_phys_cached /home/qiuhao/hack/qemu/include/hw/virtio/virtio-access.h:196:9
avail_event /home/qiuhao/hack/qemu/build/../hw/virtio/virtio.c:429:5
hack/qemu/build/../hw/virtio/virtio.c:1452:9
hack/qemu/build/../hw/virtio/virtio.c:1695:16
gpu_handle_ctrl /home/qiuhao/hack/qemu/build/../hw/display/virtio-gpu.c:877:11
hack/qemu/build/../hw/display/virtio-gpu.c:898:5
hack/qemu/build/../util/async.c:136:5
hack/qemu/build/../util/async.c:164:13
hack/qemu/build/../util/aio-posix.c:381:5
hack/qemu/build/../util/async.c:306:5
context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51fbc)
hack/qemu/build/../util/main-loop.c:221:9
main_loop_wait /home/qiuhao/hack/qemu/build/../util/main-loop.c:244:5
hack/qemu/build/../util/main-loop.c:520:11
hack/qemu/build/../tests/qtest/fuzz/fuzz.c:49:9
hack/qemu/build/../tests/qtest/fuzz/generic_fuzz.c: ...
==37260== ERROR: libFuzzer: deadly signal
#0 0x56336c2ebc81 in __sanitizer_
#1 0x56336c236dd8 in fuzzer:
#2 0x56336c21bf23 in fuzzer:
#3 0x7f3122f7b3bf (/lib/x86_
#4 0x7f3122d8c18a in __libc_
#5 0x7f3122d8c18a in raise /build/
#6 0x7f3122d6b858 in abort /build/
#7 0x7f3122d6b728 in __assert_fail_base /build/
#8 0x7f3122d7cf35 in __assert_fail /build/
#9 0x56336ec7c8ab in address_
#10 0x56336ec7b746 in stw_le_phys_cached /home/qiuhao/
#11 0x56336ec7acf8 in virtio_
#12 0x56336ec79f7b in vring_set_
#13 0x56336ec376f5 in virtqueue_split_pop /home/qiuhao/
#14 0x56336ec3131c in virtqueue_pop /home/qiuhao/
#15 0x56336c57fa43 in virtio_
#16 0x56336c57f6d9 in virtio_gpu_ctrl_bh /home/qiuhao/
#17 0x563370ad4952 in aio_bh_call /home/qiuhao/
#18 0x563370ad6352 in aio_bh_poll /home/qiuhao/
#19 0x563370a2773b in aio_dispatch /home/qiuhao/
#20 0x563370adfd5e in aio_ctx_dispatch /home/qiuhao/
#21 0x7f312319afbc in g_main_
#22 0x563370942137 in glib_pollfds_poll /home/qiuhao/
#23 0x56337093fa37 in os_host_
#24 0x56337093f387 in main_loop_wait /home/qiuhao/
#25 0x56336c33ec22 in flush_events /home/qiuhao/
#26 0x56336c33311b in generic_fuzz /home/qiuhao/
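The assertion quoted in the fuzzing output, `addr < cache->len && 2 <= cache->len - addr`, is a wrap-safe bounds check on a cached memory region. The block below is an added illustration, not QEMU's own code: `vcache_t`, `vcache_stw_le` and the `MEMTX_*` values are hypothetical names, and it contrasts that predicate with the naive `addr + size <= len` form and shows a store helper that returns an error for an out-of-range offset or an unmapped (zero-length) cache instead of aborting the process.

```c
#include <stdbool.h>
#include <stdint.h>

enum { MEMTX_OK = 0, MEMTX_DECODE_ERROR = 2 };  /* hypothetical result codes */

/* Hypothetical stand-in for MemoryRegionCache: a slice of guest RAM plus
 * the number of bytes actually mapped (0 = nothing mapped). */
typedef struct { uint8_t *ptr; uint64_t len; } vcache_t;

/* Naive predicate: addr + size can wrap, so an offset near UINT64_MAX
 * looks "in range".  Shown only for contrast. */
bool in_bounds_naive(uint64_t len, uint64_t addr, uint64_t size)
{
    return addr + size <= len;
}

/* The predicate from the assertion in this report, generalised from 2 to
 * `size`; neither comparison can wrap because addr < len is checked first. */
bool in_bounds_safe(uint64_t len, uint64_t addr, uint64_t size)
{
    return addr < len && size <= len - addr;
}

/* Little-endian 16-bit store that reports an error for an out-of-range
 * offset (or an unmapped, zero-length cache) instead of aborting. */
int vcache_stw_le(vcache_t *c, uint64_t addr, uint16_t val)
{
    if (!in_bounds_safe(c->len, addr, sizeof val)) {
        return MEMTX_DECODE_ERROR;
    }
    c->ptr[addr] = (uint8_t)(val & 0xff);
    c->ptr[addr + 1] = (uint8_t)(val >> 8);
    return MEMTX_OK;
}

/* Self-check over a constructed 4 KiB backing buffer; true on success. */
bool vcache_self_check(void)
{
    static uint8_t ring[0x1000];
    vcache_t mapped = { ring, sizeof ring };
    vcache_t unmapped = { ring, 0 };   /* e.g. a cache never (re)mapped */

    return vcache_stw_le(&mapped, 0xffe, 0x1234) == MEMTX_OK
        && ring[0xffe] == 0x34 && ring[0xfff] == 0x12
        && vcache_stw_le(&mapped, 0xfff, 0x1234) == MEMTX_DECODE_ERROR
        && vcache_stw_le(&unmapped, 0, 0x1234) == MEMTX_DECODE_ERROR
        && in_bounds_naive(0x1000, UINT64_MAX - 1, 2)  /* wraps: wrongly true */
        && !in_bounds_safe(0x1000, UINT64_MAX - 1, 2);
}
```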