QEMU

I/O write make QXL abort in qxl_set_mode()

Bug #1880539 reported by Philippe Mathieu-Daudé
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Invalid
Undecided
Unassigned

Bug Description

libFuzzer found:

qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff > 0x3ffffff
qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *, unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0' failed.
==8134== ERROR: libFuzzer: deadly signal
    #0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
    #1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
    #2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback() (qemu-fuzz-i386+0xba0c6f)
    #3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback() (qemu-fuzz-i386+0xba0cc3)
    #4 0x7fd640644c6f (/lib64/libpthread.so.0+0x12c6f)
    #5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
    #6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
    #7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
    #8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
    #9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
    #10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
    #11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
    #12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
    #13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)

Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).

Command line: 'qemu-system-i386 -display none -M pc -vga qxl'

Revision history for this message
Alexander Bulekov (a1xndr) wrote :

Here's a qtest reproducer for this:
cat << EOF | ./i386-softmmu/qemu-system-i386 -M q35,accel=qtest -qtest null -nographic -vga qxl -qtest stdio -nodefaults
outl 0xcf8 0x80000804
outb 0xcfc 0xff
outl 0xcf8 0x80000819
outl 0xcfc 0x87caff7a
outb 0x86 0x23
EOF

Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'invalid' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/232

Changed in qemu:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.