On Fri, 15 May 2020, Launchpad Bug Tracker wrote:
> You have been subscribed to a public bug by Philippe Mathieu-Daudé (philmd):
>
> Hello,
> While fuzzing, I found inputs that trigger assertion failures in
> ati_reg_read_offs/ati_reg_write_offs
>
> uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length
>> 0 && length <= 32 - start' failed
>
> #3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556e760c0 <str> "start >= 0 && length > 0 && length <= 32 - start", file=0x555556e76120 <str> "/home/alxndr/Development/qemu/include/qemu/bitops.h", line=0x12c, function=0x555556e76180 <__PRETTY_FUNCTION__.extract32> "uint32_t extract32(uint32_t, int, int)") at assert.c:101
> #4 0x000055555653d8a7 in ati_mm_read (opaque=<optimized out>, addr=0x1a, size=<optimized out>) at /home/alxndr/Development/qemu/include/qemu/log-for-trace.h:29
> #5 0x000055555653c825 in ati_mm_read (opaque=<optimized out>, addr=0x4, size=<optimized out>) at /home/alxndr/Development/qemu/hw/display/ati.c:289
> #6 0x000055555601446e in memory_region_read_accessor (mr=0x63100004dc20, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:434
> #7 0x0000555556001a70 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x63100004dc20, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
> #8 0x0000555556001a70 in memory_region_dispatch_read1 (mr=0x63100004dc20, addr=0x4, pval=<optimized out>, size=0x4, attrs=...) at /home/alxndr/Development/qemu/memory.c:1396
Here's a stack trace with --enable-debug, which is more useful:
#4 0x0000555555b39464 in extract32 (value=0, start=16, length=32) at /home/balaton/src/qemu/include/qemu/bitops.h:300
#5 0x0000555555b3a45f in ati_reg_read_offs (reg=0, offs=2, size=4) at hw/display/ati.c:269
#6 0x0000555555b3a9f1 in ati_mm_read (opaque=0x555556f35610, addr=26, size=4) at hw/display/ati.c:299
#7 0x0000555555b3a988 in ati_mm_read (opaque=0x555556f35610, addr=4, size=4) at hw/display/ati.c:290
It's trying to do an indexed read via the MM_DATA reg of the middle of reg
0x18 BIOS_2_SCRATCH, which ends up calling ati_reg_read_offs with
out-of-bounds values. Maybe we should clamp size somewhere.
Regards,
BALATON Zoltan
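As an added example (not code from the report, the thread, or QEMU itself), a small C model of the failure discussed above: extract32_args_valid() is the precondition the quoted assertion checks, and reg_read_window_clamped() is a hypothetical stand-in for ati_reg_read_offs that clamps size to the end of the 32-bit register, as the message suggests; the register value 0x12345678 is constructed.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_BYTE 8

/* Precondition that QEMU's extract32() asserts (include/qemu/bitops.h). */
static int extract32_args_valid(int start, int length)
{
    return start >= 0 && length > 0 && length <= 32 - start;
}

/* Model of extract32(): the caller must satisfy extract32_args_valid(). */
static uint32_t extract32(uint32_t value, int start, int length)
{
    assert(extract32_args_valid(start, length));
    return (value >> start) & (~0U >> (32 - length));
}

/*
 * Hypothetical reader for a byte window of a 32-bit register, standing in
 * for ati_reg_read_offs(). offs is the byte offset into the register that
 * the MM_INDEX/MM_DATA indirection selected, size is the access width.
 * Without clamping, offs=2, size=4 gives start=16, length=32 and the
 * assertion in extract32() fires, exactly as in the debug trace.
 */
static uint32_t reg_read_window_clamped(uint32_t reg, unsigned offs, unsigned size)
{
    if (offs >= sizeof(uint32_t) || size == 0) {
        return 0;                       /* no byte of the register is in range */
    }
    if (size > sizeof(uint32_t) - offs) {
        size = sizeof(uint32_t) - offs; /* clamp the access to the register end */
    }
    return extract32(reg, offs * BITS_PER_BYTE, size * BITS_PER_BYTE);
}

int main(void)
{
    /* The arguments from the debug trace: start=16, length=32. */
    printf("extract32(value, 16, 32) valid: %d\n", extract32_args_valid(16, 32));
    /* Constructed register value; a read at offs=2, size=4 sees only the top two bytes. */
    printf("clamped read: 0x%x\n", reg_read_window_clamped(0x12345678u, 2, 4));
    return 0;
}
```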