I/O write makes imx_epit_reset() crash
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
libFuzzer found:
qemu-fuzz-arm: hw/core/
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/
#9 0x563b46f91637 in ptimer_
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-
#12 0x563b46582377 in memory_
#13 0x563b46581ee3 in access_
#14 0x563b46580a83 in memory_
#15 0x563b463c5022 in flatview_
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_
#3 0x00007f4aa4db8566 in annobin_
#4 0x000055ee85400164 in ptimer_
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee8717
#6 0x000055ee855c7d1b in imx_epit_write (opaque=
#7 0x000055ee8513db85 in memory_
#8 0x000055ee8513dd96 in access_
0x55ee8513daa2 <memory_
#9 0x000055ee85140cbd in memory_
#10 0x000055ee850deba5 in flatview_
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
Patch on list: https://<email address hidden>/