QEMU

  1. Bug #1878067
  2. Comment #3

Comment 3 for bug 1878067

Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote : Re: [Bug 1878067] [NEW] Assertion failure in eth_get_gso_type through the e1000e

Cc'ing Dmitry

On 5/11/20 8:04 PM, Alexander Bulekov wrote:
> Public bug reported:
>
> Hello,
> While fuzzing, I found an input that triggers an assertion failure in
> eth_get_gso_type through the e1000e:
>
> #1 0x00007ffff685755b in __GI_abort () at abort.c:79
> #2 0x00007ffff7c75dc3 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #3 0x00007ffff7cd0b0a in g_assertion_message_expr () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #4 0x0000555556875f33 in eth_get_gso_type (l3_proto=<optimized out>, l3_hdr=<optimized out>, l4proto=<optimized out>) at /home/alxndr/Development/qemu/net/eth.c:76
> #5 0x00005555565e09ac in net_tx_pkt_get_gso_type (pkt=0x631000014800, tso_enable=0x1) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:300
> #6 0x00005555565e09ac in net_tx_pkt_build_vheader (pkt=0x631000014800, tso_enable=<optimized out>, csum_enable=<optimized out>, gso_size=<optimized out>) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:316
> #7 0x000055555660bdb1 in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:637
> #8 0x000055555660bdb1 in e1000e_tx_pkt_send (core=0x7fffeeb754e0, tx=0x7fffeeb95748, queue_index=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
> #9 0x000055555660bdb1 in e1000e_process_tx_desc (core=0x7fffeeb754e0, tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
> #10 0x000055555660bdb1 in e1000e_start_xmit (core=core@entry=0x7fffeeb754e0, txr=<optimized out>, txr@entry=0x7fffffffbe60) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
> #11 0x0000555556607e2e in e1000e_set_tctl (core=0x7fffeeb754e0, index=<optimized out>, val=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2431
> #12 0x00005555565f90fd in e1000e_core_write (core=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
> #13 0x0000555555ff4337 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
> #14 0x0000555555ff3ce0 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x7fffeeb75110, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
> #15 0x0000555555ff3ce0 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=0x2b, op=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
>
> I can reproduce it in qemu 5.0 built with using:
> cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio -monitor none -serial none
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x800008a2
> write 0xe0000420 0x1fc 0x3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff272d2f3ff9ffdf00000000002477ff272d2f3ff9ffdf0000000000247fff272d2f3ff9ffdf00000000002487ff272d2f3ff9ffdf0000000000248fff272d2f3ff9ffdf00000000002497ff272d2f3ff9ffdf0000000000249fff272d2f3ff9ffdf000000000024a7ff272d2f3ff9ffdf000000000024afff272d2f3ff9ffdf000000000024b7ff272d2f3ff9ffdf000000000024bfff272d2f3ff9ffdf000000000024c7ff272d2f3ff9ffdf000000000024cfff272d2f3ff9ffdf000000000024d7ff272d2f3ff9ffdf000000000024dfff272d2f3ff9ffdf000000000024e7ff272d2f3ff9ffdf000000000024efff272d2f3ff9ffdf000000000024f7ff272d2f3ff9ffdf000000000024ffff272d2f3ff9ffdf00000000002407ff272d2f3ff9ffdf0000000000240fff272d2f3ff9ffdf00000000002417ff272d2f3ff9ffdf0000000000241fff272d2f3ff9ffdf00000000002427ff272d2f3ff9ffdf0000000000242fff272d2f3ff9ffdf00000000002437ff272d2f3ff9ffdf0000000000243fff272d2f3ff9ffdf00000000002447ff272d2f3ff9ffdf0000000000244fff272d2f3ff9ffdf00000000002457ff272d2f3ff9ffdf0000000000245fff272d2f3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff27
> write 0xe00000b8 0x349 0xa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52b
> EOF
>
> I also attached the trace to this launchpad report, in case the
> formatting is broken:
>
> qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device
> e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest
> stdio -monitor none -serial none < attachment
>
> Please let me know if I can provide any further info.
> -Alex
>
> ** Affects: qemu
> Importance: Undecided
> Status: New
>
> ** Attachment added: "attachment"
> https://bugs.launchpad.net/bugs/1878067/+attachment/5369990/+files/attachment
>