Bug #1890333 “[OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-targe...” : Bugs : QEMU

Revision history for this message

Alexander Bulekov (a1xndr) wrote on 2020-11-01:

#1

Download full text (4.6 KiB)

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26797

=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -display none \
-machine accel=qtest, -m 512M -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw \
-qtest stdio
outl 0xcf8 0x80001889
outl 0xcfc 0x1000ffff
outl 0xcf8 0x80001897
outl 0xcf8 0x80001890
outl 0xcfc 0x4
outl 0xcf8 0x800018ff
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188a
outl 0xcfc 0xd4624
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001897
outl 0xcfc 0xff6ca0ba
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x8000185a
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
inb 0xcfc
outl 0xcf8 0x80001802
outl 0xcfc 0x65a6055
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x24
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1
outl 0xcf8 0x80001892
outl 0xcfc 0x1ff04
outl 0xcf8 0x8000188c
outw 0xcfc 0x1c
outl 0xcf8 0x80001890
outl 0xcfc 0x1
outl 0xcf8 0x80001897
outl 0xcfc 0xfd467562
outl 0xcf8 0x8000188a
outl 0xcfc 0x245a5546
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1ff04
EOF

=== Stack Trace ===

qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
==46== ERROR: libFuzzer: deadly signal
#0 0x55deb7b59e61 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
#1 0x55deb7aa1158 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x55deb7a87053 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7fccd310638f in libpthread.so.0
#4 0x7fccd273e437 in gsignal
#5 0x7fccd2740039 in abort
#6 0x7fccd2736be6 in libc.so.6
#7 0x7fccd2736c91 in __assert_fail
#8 0x55deb8416ba3 in address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
#9 0x55deb8416a40 in stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
#10 0x55deb8416a13 in virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
#11 0x55deb8416899 in vring_set_avail_event /src/qemu/hw/virtio/virtio.c:428:5
#12 0x55deb8406ba8 in virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:437:9
#13 0x55deb84067a2 in virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:498:9
#14 0x55deb84755d3 in virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
#15 0x55deb84916ce in virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
#16 0x55deb841afaf in virtio_queue_notify_aio_vq /src/qemu/hw/virti...

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26797

=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -display none \
-machine accel=qtest, -m 512M -machine q35 \
-device virtio-blk,drive=disk0 \
-drive file=null-co://,id=disk0,if=none,format=raw \
-qtest stdio
outl 0xcf8 0x80001889
outl 0xcfc 0x1000ffff
outl 0xcf8 0x80001897
outl 0xcf8 0x80001890
outl 0xcfc 0x4
outl 0xcf8 0x800018ff
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188a
outl 0xcfc 0xd4624
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001897
outl 0xcfc 0xff6ca0ba
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x8000185a
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
inb 0xcfc
outl 0xcf8 0x80001802
outl 0xcfc 0x65a6055
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x5f6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x24
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1
outl 0xcf8 0x80001892
outl 0xcfc 0x1ff04
outl 0xcf8 0x8000188c
outw 0xcfc 0x1c
outl 0xcf8 0x80001890
outl 0xcfc 0x1
outl 0xcf8 0x80001897
outl 0xcfc 0xfd467562
outl 0xcf8 0x8000188a
outl 0xcfc 0x245a5546
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
inb 0xcfc
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001897
outl 0xcf8 0x80001806
outl 0xcf8 0x80001889
outl 0xcfc 0x1869ffff
outl 0xcf8 0x80001812
outl 0xcf8 0x80001897
outl 0xcfc 0x6c6346
outl 0xcf8 0x8000188c
outw 0xcfc 0x14
outl 0xcf8 0x80001890
outl 0xcf8 0x80001897
outl 0xcfc 0x1ff04
EOF

=== Stack Trace ===

qemu-fuzz-i386-target-generic-fuzz-virtio-blk: /src/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
==46== ERROR: libFuzzer: deadly signal
#0 0x55deb7b59e61 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
#1 0x55deb7aa1158 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x55deb7a87053 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7fccd310638f in libpthread.so.0
#4 0x7fccd273e437 in gsignal
#5 0x7fccd2740039 in abort
#6 0x7fccd2736be6 in libc.so.6
#7 0x7fccd2736c91 in __assert_fail
#8 0x55deb8416ba3 in address_space_stw_le_cached /src/qemu/include/exec/memory_ldst_cached.h.inc:88:5
#9 0x55deb8416a40 in stw_le_phys_cached /src/qemu/include/exec/memory_ldst_phys.h.inc:121:5
#10 0x55deb8416a13 in virtio_stw_phys_cached /src/qemu/include/hw/virtio/virtio-access.h:196:9
#11 0x55deb8416899 in vring_set_avail_event /src/qemu/hw/virtio/virtio.c:428:5
#12 0x55deb8406ba8 in virtio_queue_split_set_notification /src/qemu/hw/virtio/virtio.c:437:9
#13 0x55deb84067a2 in virtio_queue_set_notification /src/qemu/hw/virtio/virtio.c:498:9
#14 0x55deb84755d3 in virtio_blk_handle_vq /src/qemu/hw/block/virtio-blk.c:795:13
#15 0x55deb84916ce in virtio_blk_data_plane_handle_output /src/qemu/hw/block/dataplane/virtio-blk.c:165:12
#16 0x55deb841afaf in virtio_queue_notify_aio_vq /src/qemu/hw/virtio/virtio.c:2325:15
#17 0x55deb8415adb in virtio_queue_host_notifier_aio_read /src/qemu/hw/virtio/virtio.c:3529:9
#18 0x55deb892af84 in aio_dispatch_handler /src/qemu/util/aio-posix.c:329:9
#19 0x55deb8929b8a in aio_dispatch_handlers /src/qemu/util/aio-posix.c:372:20
#20 0x55deb8929ac0 in aio_dispatch /src/qemu/util/aio-posix.c:382:5
#21 0x55deb893ae2c in aio_ctx_dispatch /src/qemu/util/async.c:306:5
#22 0x7fccd3868196 in g_main_context_dispatch
#23 0x55deb8947fed in glib_pollfds_poll /src/qemu/util/main-loop.c:221:9
#24 0x55deb8947264 in os_host_main_loop_wait /src/qemu/util/main-loop.c:244:5
#25 0x55deb8946f25 in main_loop_wait /src/qemu/util/main-loop.c:520:11
#26 0x55deb7b8806a in flush_events /src/qemu/tests/qtest/fuzz/fuzz.c:48:9
#27 0x55deb7b85a32 in generic_fuzz /src/qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
#28 0x55deb7b88450 in LLVMFuzzerTestOneInput /src/qemu/tests/qtest/fuzz/fuzz.c:150:5
#29 0x55deb7a887c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
#30 0x55deb7a73892 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#31 0x55deb7a7994e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
#32 0x55deb7aa1932 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#33 0x7fccd272983f in __libc_start_main
#34 0x55deb7a4eb38 in _start

summary:	- Assertion failure in address_space_stw_le_cached through virtio-* - devices + [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: + Index-out-of-bounds in xhci_runtime_write Assertion failure in + address_space_stw_le_cached through virtio-* devices
summary:	- [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: - Index-out-of-bounds in xhci_runtime_write Assertion failure in - address_space_stw_le_cached through virtio-* devices + [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio- + blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

Revision history for this message

Thomas Huth (th-huth) wrote on 2020-12-10:

#2

Fix in commit 2d69eba5fe52045b2c8b0d04fd3806414352afc1

Changed in qemu:
status:	New → Fix Released

Revision history for this message

Qiuhao Li (qiuhao) wrote on 2020-12-15:

#3

Hi,

It seems while the minimized producer doesn't fail the assertion now, the original reproducer provided by OSS-Fuzz[1] can still crash the latest QEMU (1758428, Dec 12, built with --enable-sanitizers --enable-fuzzing). Could anyone check if they trigger different bugs?

Tested on:
  Ubuntu: 20.04.1 5.4.0-58-generic x86_64
  clang: 10.0.0-4ubuntu1
  glibc: 2.31-0ubuntu9.1
  libglib2.0-dev: 2.64.3-1~ubuntu20.04.1

[1] https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

Revision history for this message

Qiuhao Li (qiuhao) wrote on 2020-12-15:

#4

There is a new bug that fails the same assertion, and maybe its minimized producer will help:
https://bugs.launchpad.net/qemu/+bug/1908062

QEMU

[OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

Bug Description

Other bug subscribers

Remote bug watches