QEMU

Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk

Bug #1910941 reported by Cheolwoo,Myung
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

Hello,

Using hypervisor fuzzer, hyfuzz, I found an assertion failure through virtio-blk emulator.

A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master)

```

qemu-system-i386: /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
[1] 1877 abort (core dumped) /home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386

Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=line@entry=0x58, function=function@entry=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < cache->len && 2 <= cache->len - addr", file=0x56537b32425c "/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc", line=0x58, function=0x56537b3242ab "void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=..., result=<optimized out>, cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, addr=<optimized out>, val=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at /home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at ../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at ../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at ../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at ../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at ../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()

```

To reproduce this issue, please run the QEMU with the following command line.

```

# To reproduce this issue, please run the QEMU process with the following command line.

$ qemu-system-i386 -m 512 -drive file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-pci,drive=drive0,id=virtblk0,num-queues=4 -drive file=disk.img,if=none,id=drive0

```

Please let me know if I can provide any further info.

Thank you.

Tags: fuzzer
Revision history for this message
Cheolwoo,Myung (cwmyung) wrote :
Revision history for this message
Alexander Bulekov (a1xndr) wrote :

This is OSS-Fuzz Issue 26797

=== Reproducer ===
cat << EOF | ./qemu-system-i386 -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw \
-serial none -monitor none -qtest stdio -nographic
outl 0xcf8 0x80001890
outl 0xcfc 0x4
outl 0xcf8 0x8000188a
outl 0xcfc 0xd4624
outl 0xcf8 0x80001894
outl 0xcfc 0x20000002
outl 0xcf8 0x80001889
outl 0xcfc 0x18000000
outl 0xcf8 0x80001896
outl 0xcfc 0x0
outl 0xcf8 0x8000188c
outw 0xcfc 0x20
outl 0xcf8 0x80001894
outl 0xcfc 0x1
outl 0xcf8 0x8000188c
outw 0xcfc 0x1c
outl 0xcf8 0x80001895
outl 0xcfc 0x0
outl 0xcf8 0x80001889
outl 0xcfc 0x18000000
outl 0xcf8 0x80001894
outl 0xcfc 0x40
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001894
outl 0xcfc 0x1004
EOF

=== Stack Trace ===
qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.

==2382430== ERROR: libFuzzer: deadly signal
#8 address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
#9 stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
#10 virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
#11 vring_set_avail_event /src/qemu/hw/virtio/virtio.c:429:5
#12 virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:438:9
#13 virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:499:9
#14 virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
#15 virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
#16 virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2326:15
#17 virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3533:9
#18 aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
#19 aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
#20 aio_dispatch /src/qemu/util/aio-posix.c:382:5
#21 aio_ctx_dispatch /src/qemu/util/async.c:306:5
#22 g_main_context_dispatch
#23 glib_pollfds_poll /src/qemu/util/main-loop.c:232:9
#24 os_host_main_loop_wait /src/qemu/util/main-loop.c:255:5
#25 main_loop_wait /src/qemu/util/main-loop.c:531:11
#26 flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:49:9
#27 generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:683:17

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.6797

Peter Maydell (pmaydell)
tags: added: fuzzer
Revision history for this message
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/301

Changed in qemu:
status: New → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.