QEMU

assertion failure in mptsas1068 emulator

Bug #1908513 reported by Cheolwoo,Myung
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

Using hypervisor fuzzer, hyfuzz, I found an assertion failure through mptsas1068 emulator.

A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master)

qemu-system-i386: ../hw/scsi/mptsas.c:968: void mptsas_interrupt_status_write(MPTSASState *): Assertion
`s->intr_status & MPI_HIS_DOORBELL_INTERRUPT' failed.
[1] 16951 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-5.2/build/qemu-system-i386 -m 512 -drive

Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7fc7d6023700 (LWP 23475))]
gdb-peda$ bt
#0 0x00007fc7efa13f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007fc7efa158b1 in __GI_abort () at abort.c:79
#2 0x00007fc7efa0542a in __assert_fail_base (fmt=0x7fc7efb8ca38 "%s%s%s:%u: %s%sAssertion `%s' failed.\\n%n", assertion=assertion@entry=0x56439214d593 "s->intr_status & MPI_HIS_DOORBELL_INTERRUPT", file=file@entry=0x56439214d4a7 "../hw/scsi/mptsas.c", line=line@entry=0x3c8, function=function@entry=0x56439214d81c "void mptsas_interrupt_status_write(MPTSASState *)") at assert.c:92
#3 0x00007fc7efa054a2 in __GI___assert_fail (assertion=0x56439214d593 "s->intr_status & MPI_HIS_DOORBELL_INTERRUPT", file=0x56439214d4a7 "../hw/scsi/mptsas.c", line=0x3c8, function=0x56439214d81c "void mptsas_interrupt_status_write(MPTSASState *)") at assert.c:101
#4 0x0000564391a43963 in mptsas_interrupt_status_write (s=<optimized out>) at ../hw/scsi/mptsas.c:968
#5 0x0000564391a43963 in mptsas_mmio_write (opaque=0x5643943dd5b0, addr=0x30, val=0x18000000, size=<optimized out>) at ../hw/scsi/mptsas.c:1052
#6 0x0000564391e08798 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...)
    at ../softmmu/memory.c:491
#7 0x0000564391e0858e in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=<optimized out>, attrs=...) at ../softmmu/memory.c:552
#8 0x0000564391e0858e in memory_region_dispatch_write (mr=0x5643943ddea0, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1501
#9 0x0000564391eff228 in io_writex (iotlbentry=<optimized out>, mmu_idx=<optimized out>, val=<optimized out>, addr=<optimized out>, retaddr=<optimized out>, op=<optimized out>, env=<optimized out>)
    at ../accel/tcg/cputlb.c:1378
#10 0x0000564391eff228 in store_helper (env=<optimized out>, addr=<optimized out>, val=<optimized out>, oi=<optimized out>, retaddr=<optimized out>, op=MO_32) at ../accel/tcg/cputlb.c:2397
#11 0x0000564391eff228 in helper_le_stl_mmu (env=<optimized out>, addr=<optimized out>, val=0x2, oi=<optimized out>, retaddr=0x7fc78841b401) at ../accel/tcg/cputlb.c:2463
#12 0x00007fc78841b401 in code_gen_buffer ()
#13 0x0000564391dd0da0 in cpu_tb_exec (cpu=0x56439363e650, itb=<optimized out>) at ../accel/tcg/cpu-exec.c:178
#14 0x0000564391dd19eb in cpu_loop_exec_tb (tb=<optimized out>, cpu=<optimized out>, last_tb=<optimized out>, tb_exit=<optimized out>) at ../accel/tcg/cpu-exec.c:658
#15 0x0000564391dd19eb in cpu_exec (cpu=0x56439363e650) at ../accel/tcg/cpu-exec.c:771
#16 0x0000564391e00b9f in tcg_cpu_exec (cpu=<optimized out>) at ../accel/tcg/tcg-cpus.c:243
#17 0x0000564391e00b9f in tcg_cpu_thread_fn (arg=0x56439363e650) at ../accel/tcg/tcg-cpus.c:427
#18 0x00005643920d8775 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:521
#19 0x00007fc7efdcd6db in start_thread (arg=0x7fc7d6023700) at pthread_create.c:463

To reproduce this issue, please run the QEMU with the following command line.

# To enable ASan option, please set configuration with the following command
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make

# To reproduce this issue, please run the QEMU process with the following command line.
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -device mptsas1068,id=scsi -device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img

Please let me know if I can provide any further info.
Thank you.

- Cheolwoo, Myung (Seoul National University)

Tags: fuzzer
Revision history for this message
Cheolwoo,Myung (cwmyung) wrote :
Peter Maydell (pmaydell)
tags: added: fuzzer
Revision history for this message
Thomas Huth (th-huth) wrote :

This still triggers with the current version from git master, marking as Confirmed

Changed in qemu:
status: New → Confirmed
Revision history for this message
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/304

Changed in qemu:
status: Confirmed → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.