QEMU

I/O write make imx_epit_reset() crash

Bug #1880424 reported by Philippe Mathieu-Daudé
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Unassigned

Bug Description

libFuzzer found:

qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
    #8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
    #9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
    #10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
    #11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
    #12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
    #13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
    #14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
    #15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
    #16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
    #17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)

Reproducer:

qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF

qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
Aborted (core dumped)

(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
    0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289

Tags: arm
Revision history for this message
Peter Maydell (pmaydell) wrote :

Patch on list: https://<email address hidden>/

Changed in qemu:
status: New → In Progress
Revision history for this message
Thomas Huth (th-huth) wrote :

Patch has been included here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=13557fd392890cbd985

Changed in qemu:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.