QEMU

[Fuzz] qemu-system-i386 virtio-mouse: Assertion in address_space_lduw_le_cached failed

Bug #1913510 reported by Qiuhao Li on 2021-01-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Expired	Undecided	Unassigned

Bug Description

--[ Reproducer

cat << EOF | ./build/qemu-system-i386 -machine q35,accel=qtest -nodefaults \
-device virtio-mouse -display none -qtest stdio
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
outl 0xcf8 0x80000804
outb 0xcfc 0x02
write 0xe000400c 0x4 0x003fe62e
write 0xe0004016 0x1 0x01
write 0xe0004024 0x1 0x01
write 0xe000401c 0x1 0x01
write 0xe0007007 0x1 0x00
write 0xe0004018 0x1 0x41
write 0xe0007007 0x1 0x00
EOF

--[ Output

[I 1611805425.711054] OPENED
[R +0.040080] outl 0xcf8 0x80000820
OK
[S +0.040117] OK
[R +0.040136] outl 0xcfc 0xe0004000
OK
[S +0.040155] OK
[R +0.040165] outl 0xcf8 0x80000804
OK
[S +0.040172] OK
[R +0.040184] outb 0xcfc 0x02
OK
[S +0.040683] OK
[R +0.040702] write 0xe000400c 0x4 0x003fe62e
OK
[S +0.040735] OK
[R +0.040743] write 0xe0004016 0x1 0x01
OK
[S +0.040748] OK
[R +0.040755] write 0xe0004024 0x1 0x01
OK
[S +0.040760] OK
[R +0.040767] write 0xe000401c 0x1 0x01
OK
[S +0.040785] OK
[R +0.040792] write 0xe0007007 0x1 0x00
OK
[S +0.040810] OK
[R +0.040817] write 0xe0004018 0x1 0x41
OK
[S +0.040822] OK
[R +0.040839] write 0xe0007007 0x1 0x00
qemu-system-i386: /home/ubuntu/qemu/include/exec/memory_ldst_cached.h.inc:54: uint32_t address_space_lduw_le_cached(MemoryRegionCache *, hwaddr, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.

-- [ Original ASAN report

qemu-fuzz-i386: /home/ubuntu/qemu/include/exec/memory_ldst_cached.h.inc:54: uint32_t address_space_lduw_le_cached(MemoryRegionCache *, hwaddr, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
==3406167== ERROR: libFuzzer: deadly signal
    #0 0x5644e4ae0f21 in __sanitizer_print_stack_trace (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x2a47f21)
    #1 0x5644e4a29fe8 in fuzzer::PrintStackTrace() (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x2990fe8)
    #2 0x5644e4a10023 in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x2977023)
    #3 0x7f77e2a4b3bf (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
    #4 0x7f77e285c18a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #5 0x7f77e283b858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #6 0x7f77e283b728 (/lib/x86_64-linux-gnu/libc.so.6+0x25728)
    #7 0x7f77e284cf35 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x36f35)
    #8 0x5644e60051b2 in address_space_lduw_le_cached /home/ubuntu/qemu/include/exec/memory_ldst_cached.h.inc:54:5
    #9 0x5644e60051b2 in lduw_le_phys_cached /home/ubuntu/qemu/include/exec/memory_ldst_phys.h.inc:91:12
    #10 0x5644e60051b2 in virtio_lduw_phys_cached /home/ubuntu/qemu/include/hw/virtio/virtio-access.h:166:12
    #11 0x5644e5ff476d in vring_avail_ring /home/ubuntu/qemu/build/../hw/virtio/virtio.c:327:12
    #12 0x5644e5ff476d in vring_get_used_event /home/ubuntu/qemu/build/../hw/virtio/virtio.c:333:12
    #13 0x5644e5ff476d in virtio_split_should_notify /home/ubuntu/qemu/build/../hw/virtio/virtio.c:2473:35
    #14 0x5644e5ff476d in virtio_should_notify /home/ubuntu/qemu/build/../hw/virtio/virtio.c:2524:16
    #15 0x5644e5ff5556 in virtio_notify /home/ubuntu/qemu/build/../hw/virtio/virtio.c:2566:14
    #16 0x5644e5571d2a in virtio_input_handle_sts /home/ubuntu/qemu/build/../hw/input/virtio-input.c:100:5
    #17 0x5644e5ff20ec in virtio_queue_notify /home/ubuntu/qemu/build/../hw/virtio/virtio.c:2366:9
    #18 0x5644e60908fb in memory_region_write_accessor /home/ubuntu/qemu/build/../softmmu/memory.c:491:5
    #19 0x5644e6090363 in access_with_adjusted_size /home/ubuntu/qemu/build/../softmmu/memory.c:552:18
    #20 0x5644e608fbc0 in memory_region_dispatch_write /home/ubuntu/qemu/build/../softmmu/memory.c
    #21 0x5644e5b97bc6 in flatview_write_continue /home/ubuntu/qemu/build/../softmmu/physmem.c:2759:23
    #22 0x5644e5b8d328 in flatview_write /home/ubuntu/qemu/build/../softmmu/physmem.c:2799:14
    #23 0x5644e5b8d328 in address_space_write /home/ubuntu/qemu/build/../softmmu/physmem.c:2891:18
    #24 0x5644e6018906 in qtest_process_command /home/ubuntu/qemu/build/../softmmu/qtest.c:539:13
    #25 0x5644e60159df in qtest_process_inbuf /home/ubuntu/qemu/build/../softmmu/qtest.c:797:9
    #26 0x5644e6015735 in qtest_server_inproc_recv /home/ubuntu/qemu/build/../softmmu/qtest.c:904:9
    #27 0x5644e667cf68 in qtest_sendf /home/ubuntu/qemu/build/../tests/qtest/libqtest.c:438:5
    #28 0x5644e667e54e in qtest_write /home/ubuntu/qemu/build/../tests/qtest/libqtest.c:1002:5
    #29 0x5644e667e54e in qtest_writeq /home/ubuntu/qemu/build/../tests/qtest/libqtest.c:1023:5
    #30 0x5644e4b1037e in __wrap_qtest_writeq /home/ubuntu/qemu/build/../tests/qtest/fuzz/qtest_wrappers.c:190:9
    #31 0x5644e4b1c33d in op_write /home/ubuntu/qemu/build/../tests/qtest/fuzz/generic_fuzz.c:479:13
    #32 0x5644e4b1a259 in generic_fuzz /home/ubuntu/qemu/build/../tests/qtest/fuzz/generic_fuzz.c:681:17
    #33 0x5644e4b0b333 in LLVMFuzzerTestOneInput /home/ubuntu/qemu/build/../tests/qtest/fuzz/fuzz.c:151:5
    #34 0x5644e4a11581 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x2978581)
    #35 0x5644e49fcc92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x2963c92)
    #36 0x5644e4a02cfe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x2969cfe)
    #37 0x5644e4a2a7c2 in main (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x29917c2)
    #38 0x7f77e283d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #39 0x5644e49d739d in _start (/home/ubuntu/qemu/build/qemu-fuzz-i386+0x293e39d)

Tags:

Qiuhao Li (qiuhao) on 2021-01-28

tags:

added: fuzzer

Revision history for this message

Thomas Huth (th-huth) wrote on 2021-05-14: Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

https://gitlab.com/qemu-project/qemu/-/issues/302

Changed in qemu:
status:	New → Expired

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-gitlab.com-qemu-project-qemu-- #302
[opened Fuzzer Launchpad workflow::Needs Info] Edit

Bug watches keep track of this bug in other bug trackers.