QEMU

Bug #1890160
Comment #1

Comment 1 for bug 1890160

Revision history for this message

Philippe Mathieu-Daudé (philmd) wrote on 2020-08-03: Re: [Bug 1890160] [NEW] Abort in vmxnet3_validate_queues

Cc'ing Dmitry as he doesn't have lauchpad account :/

On 8/3/20 4:37 PM, Alexander Bulekov wrote:
> Public bug reported:
>
> Hello,
> Reproducer:
>
> cat << EOF | ./i386-softmmu/qemu-system-i386 \
> -device vmxnet3 -m 64 -nodefaults -qtest stdio -nographic
> outl 0xcf8 0x80001014
> outl 0xcfc 0xe0001000
> outl 0xcf8 0x80001018
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0x3e 0x1 0xe1

struct Vmxnet3_MiscConf {
    struct Vmxnet3_DriverInfo driverInfo;
    __le64 uptFeatures;
    __le64 ddPA; /* driver data PA */
    __le64 queueDescPA; /* queue descriptor table PA */
    __le32 ddLen; /* driver data len */
    __le32 queueDescLen; /* queue desc. table len in bytes */
    __le32 mtu;
    __le16 maxNumRxSG;
    u8 numTxQueues;
   ^^^
     \_________ @0x3e = 0xe1 = 225 queues (max is 8).

u8 numRxQueues;
__le32 reserved[4];

> writeq 0xe0001020 0xef0bff5ecafe0000
> EOF
>
> ==============================================================
> qemu: hardware error: Bad TX queues number: 225
>
> #6 0x7f04b89d455a in abort /build/glibc-GwnBeO/glibc-2.30/stdlib/abort.c:79:7
> #7 0x558f5be89b67 in hw_error /home/alxndr/Development/qemu/general-fuzz/softmmu/cpus.c:927:5
> #8 0x558f5d3c3968 in vmxnet3_validate_queues /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1388:9
> #9 0x558f5d3bb716 in vmxnet3_activate_device /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1449:5
> #10 0x558f5d3b6fba in vmxnet3_handle_command /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1576:9
> #11 0x558f5d3b410f in vmxnet3_io_bar1_write /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1772:9
> #12 0x558f5bec4193 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:483:5
> #13 0x558f5bec3637 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
> #14 0x558f5bec1256 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1466:16
>
> -Alex
>
> ** Affects: qemu
> Importance: Undecided
> Status: New
>

Cc'ing Dmitry as he doesn't have lauchpad account :/

On 8/3/20 4:37 PM, Alexander Bulekov wrote:
> Public bug reported:
> 
> Hello,
> Reproducer:
> 
> cat << EOF | ./i386-softmmu/qemu-system-i386 \
> -device vmxnet3 -m 64 -nodefaults -qtest stdio -nographic
> outl 0xcf8 0x80001014
> outl 0xcfc 0xe0001000
> outl 0xcf8 0x80001018
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0x3e 0x1 0xe1

struct Vmxnet3_MiscConf {
    struct Vmxnet3_DriverInfo driverInfo;
    __le64        uptFeatures;
    __le64        ddPA;         /* driver data PA */
    __le64        queueDescPA;  /* queue descriptor table PA */
    __le32        ddLen;        /* driver data len */
    __le32        queueDescLen; /* queue desc. table len in bytes */
    __le32        mtu;
    __le16        maxNumRxSG;
    u8        numTxQueues;
   ^^^
     \_________ @0x3e = 0xe1 = 225 queues (max is 8).

u8        numRxQueues;
    __le32        reserved[4];

> writeq 0xe0001020 0xef0bff5ecafe0000
> EOF
> 
> ==============================================================
> qemu: hardware error: Bad TX queues number: 225
> 
>     #6 0x7f04b89d455a in abort /build/glibc-GwnBeO/glibc-2.30/stdlib/abort.c:79:7
>     #7 0x558f5be89b67 in hw_error /home/alxndr/Development/qemu/general-fuzz/softmmu/cpus.c:927:5
>     #8 0x558f5d3c3968 in vmxnet3_validate_queues /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1388:9
>     #9 0x558f5d3bb716 in vmxnet3_activate_device /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1449:5
>     #10 0x558f5d3b6fba in vmxnet3_handle_command /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1576:9
>     #11 0x558f5d3b410f in vmxnet3_io_bar1_write /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1772:9
>     #12 0x558f5bec4193 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:483:5
>     #13 0x558f5bec3637 in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
>     #14 0x558f5bec1256 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1466:16
> 
> -Alex
> 
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
>