QEMU

Bug #1525123
Comment #4

Comment 4 for bug 1525123

Revision history for this message

Alexander Bulekov (a1xndr) wrote on 2020-05-13:

attachment Edit (630 bytes, text/plain)

Hello,
While fuzzing, I found an input that triggers this assertion-failure in usb_ep_get

/home/alxndr/Development/qemu/hw/usb/core.c:723: struct USBEndpoint *usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557fd2c60 <str> "pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT", file=0x555557fd1ec0 <str> "/home/alxndr/Development/qemu/hw/usb/core.c", line=0x2d3, function=0x555557fd2c00 <__PRETTY_FUNCTION__.usb_ep_get> "struct USBEndpoint *usb_ep_get(USBDevice *, int, int)") at assert.c:101
#4 0x000055555724690a in usb_ep_get (dev=0x623000001d00, pid=0x0, ep=0x2) at /home/alxndr/Development/qemu/hw/usb/core.c:723
#5 0x00005555572bdd8e in ehci_execute (p=0x611000048480, action=0x555557fdd860 <str> "process") at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1366
#6 0x00005555572b74a3 in ehci_state_execute (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1942
#7 0x00005555572b3510 in ehci_advance_state (ehci=0x62100002d9f0, async=0x1) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2083
#8 0x00005555572b2db9 in ehci_advance_async_state (ehci=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2152
#9 0x00005555572a29c3 in ehci_work_bh (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2320
#10 0x0000555557bfba60 in aio_bh_call (bh=0x60400001cd90) at /home/alxndr/Development/qemu/util/async.c:136
#11 0x0000555557bfc1fe in aio_bh_poll (ctx=0x61300008fa00) at /home/alxndr/Development/qemu/util/async.c:164
#12 0x0000555557c149e8 in aio_dispatch (ctx=0x61300008fa00) at /home/alxndr/Development/qemu/util/aio-posix.c:380
#13 0x0000555557c00455 in aio_ctx_dispatch (source=0x61300008fa00, callback=0x0, user_data=0x0) at /home/alxndr/Development/qemu/util/async.c:306
#14 0x00007ffff7ca89ee in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0

I can reproduce it in qemu 5.0 using:

cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 \
-qtest stdio -nographic -monitor none -serial none \
-M pc-q35-5.0 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
-display none -nodefaults -nographic
outl 0xcf8 0x8000ef10
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000ef14
outl 0xcf8 0x8000ef04
outw 0xcfc 0x7
outl 0xcf8 0x8000fa20
write 0xe0000020 0x4b 0x21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe00695501ff21fe006955
write 0x5 0x1 0x92
write 0x15 0x3 0x92ab01
write 0x1b 0x1 0xab
write 0x1ab9208 0x2 0x92ab
EOF

I also attached the commands to this launchpad report, in case the formatting
is broken:

qemu-system-i386 \
-qtest stdio -nographic -monitor none -serial none \
-M pc-q35-5.0 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
-display none -nodefaults -nographic < attachment

Please let me know if I can provide any further info.
-Alex

Hello,
While fuzzing, I found an input that triggers this assertion-failure in usb_ep_get

/home/alxndr/Development/qemu/hw/usb/core.c:723: struct USBEndpoint *usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
#3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557fd2c60 <str> "pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT", file=0x555557fd1ec0 <str> "/home/alxndr/Development/qemu/hw/usb/core.c", line=0x2d3, function=0x555557fd2c00 <__PRETTY_FUNCTION__.usb_ep_get> "struct USBEndpoint *usb_ep_get(USBDevice *, int, int)") at assert.c:101
#4  0x000055555724690a in usb_ep_get (dev=0x623000001d00, pid=0x0, ep=0x2) at /home/alxndr/Development/qemu/hw/usb/core.c:723
#5  0x00005555572bdd8e in ehci_execute (p=0x611000048480, action=0x555557fdd860 <str> "process") at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1366
#6  0x00005555572b74a3 in ehci_state_execute (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1942
#7  0x00005555572b3510 in ehci_advance_state (ehci=0x62100002d9f0, async=0x1) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2083
#8  0x00005555572b2db9 in ehci_advance_async_state (ehci=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2152
#9  0x00005555572a29c3 in ehci_work_bh (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2320
#10 0x0000555557bfba60 in aio_bh_call (bh=0x60400001cd90) at /home/alxndr/Development/qemu/util/async.c:136
#11 0x0000555557bfc1fe in aio_bh_poll (ctx=0x61300008fa00) at /home/alxndr/Development/qemu/util/async.c:164
#12 0x0000555557c149e8 in aio_dispatch (ctx=0x61300008fa00) at /home/alxndr/Development/qemu/util/aio-posix.c:380
#13 0x0000555557c00455 in aio_ctx_dispatch (source=0x61300008fa00, callback=0x0, user_data=0x0) at /home/alxndr/Development/qemu/util/async.c:306
#14 0x00007ffff7ca89ee in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0

I can reproduce it in qemu 5.0 using:

I also attached the commands to this launchpad report, in case the formatting
is broken:

Please let me know if I can provide any further info.
-Alex