I/O write make imx_epit_reset() crash

Bug #1880424 reported by Philippe Mathieu-Daudé on 2020-05-24
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Undecided
Unassigned

Bug Description

libFuzzer found:

qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
    #8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
    #9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
    #10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
    #11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
    #12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
    #13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
    #14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
    #15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
    #16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
    #17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)

Reproducer:

qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF

qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
Aborted (core dumped)

(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
    0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289

Tags: arm Edit Tag help
Peter Maydell (pmaydell) wrote :

Patch on list: https://<email address hidden>/

Changed in qemu:
status: New → In Progress
Thomas Huth (th-huth) wrote :
Changed in qemu:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers