Assertion failure `mr != NULL' failed through usb-ehci

Bug #1901532 reported by Cheolwoo,Myung
Affects: QEMU | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

Hello,

Using the hypervisor fuzzer hyfuzz, I found an assertion failure through usb-ehci.

This was found in version 5.0.1 (stable-5.0).

--------

qemu-system-i386: src/qemu-repro/exec.c:3581: address_space_unmap: Assertion `mr != NULL' failed.
[1] 14721 abort src/qemu-repro/build/i386-softmmu/qemu-system-i386

To reproduce the assertion failure, please run QEMU with the following command line.

```
$ qemu-system-i386 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -m 512 -drive if=none,id=stick,file=./usbdisk.img -device usb-ehci,id=ehci -device usb-storage,bus=ehci.0,drive=stick
```

Tags: fuzzer


Cheolwoo,Myung (cwmyung)
Changed in qemu:
status: New → Confirmed
Peter Maydell (pmaydell)
tags: added: fuzzer
Thomas Huth (th-huth) wrote:

Can you still reproduce this with QEMU v6.0? For me, qemu now does not crash anymore, so I assume this might have been fixed within the past months?

Changed in qemu:
status: Confirmed → Incomplete
Thomas Huth (th-huth) wrote:

This problem got fixed by this commit:

  2fdb42d840400d58f2e706ecca82c142b97bcbd6
  hw: ehci: check return value of 'usb_packet_map'

Thus let's close this ticket now.

Changed in qemu:
status: Incomplete → Fix Released
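The fix named in the comment above comes down to one pattern: check whether the packet's scatter/gather list could be mapped before the transfer runs, so that a mapping that failed (the `mr == NULL` case the assertion catches on the unmap side) is never carried forward. The following is an added example, not QEMU's code and not the referenced commit: a constructed C model in which `guest_dma_map`, `packet_map` and `transfer_execute` are hypothetical stand-ins for the real DMA mapping API, guest RAM is a 64 KiB array constructed inline, and a segment that falls outside guest RAM makes the map fail and the transfer return an error instead of reaching the unmap path with a NULL mapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guest: 64 KiB of RAM, nothing backed beyond it. */
#define GUEST_RAM_SIZE (64u * 1024u)
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Hypothetical stand-in for a DMA map call (not QEMU's API): returns a host
 * pointer, or NULL when the guest range has no backing memory region. */
static void *guest_dma_map(uint64_t addr, size_t len)
{
    if (len == 0 || addr >= GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr) {
        return NULL;
    }
    return guest_ram + addr;
}

static void guest_dma_unmap(void *host, size_t len)
{
    (void)host;
    (void)len; /* nothing to release in this model */
}

#define MAX_SG 8
struct sg_entry { uint64_t addr; size_t len; };
struct sg_list { size_t count; struct sg_entry e[MAX_SG]; };
struct mapped_packet { size_t count; void *host[MAX_SG]; size_t len[MAX_SG]; };

/* Map every segment of the list. On the first failure, release what was
 * already mapped and return -1, so the caller never holds a partial mapping. */
static int packet_map(struct mapped_packet *mp, const struct sg_list *sg)
{
    mp->count = 0;
    if (sg->count > MAX_SG) {
        return -1;
    }
    for (size_t i = 0; i < sg->count; i++) {
        void *host = guest_dma_map(sg->e[i].addr, sg->e[i].len);
        if (host == NULL) {
            for (size_t j = 0; j < mp->count; j++) {
                guest_dma_unmap(mp->host[j], mp->len[j]);
            }
            mp->count = 0;
            return -1;
        }
        mp->host[mp->count] = host;
        mp->len[mp->count] = sg->e[i].len;
        mp->count++;
    }
    return 0;
}

static void packet_unmap(struct mapped_packet *mp)
{
    for (size_t i = 0; i < mp->count; i++) {
        guest_dma_unmap(mp->host[i], mp->len[i]);
    }
    mp->count = 0;
}

/* Caller side of the pattern: the map result is checked before any buffer is
 * touched. Returns the number of bytes filled, or -1 when the guest-supplied
 * list could not be mapped and the transfer is failed instead. */
static long transfer_execute(const struct sg_list *sg)
{
    struct mapped_packet mp;
    if (packet_map(&mp, sg) < 0) {
        return -1;
    }
    long total = 0;
    for (size_t i = 0; i < mp.count; i++) {
        memset(mp.host[i], 0xA5, mp.len[i]); /* stand-in for device data */
        total += (long)mp.len[i];
    }
    packet_unmap(&mp);
    return total;
}

int main(void)
{
    struct sg_list ok = { 2, { { 0x1000, 512 }, { 0x2000, 64 } } };
    /* second segment lies past the end of guest RAM */
    struct sg_list bad = { 2, { { 0x1000, 512 }, { 0x20000, 64 } } };
    printf("ok: %ld bytes, bad: %ld\n", transfer_execute(&ok), transfer_execute(&bad));
    return 0;
}
```

The rollback inside `packet_map` is what keeps the unmap side safe: every pointer `packet_unmap` later sees came from a successful map, so the "unmap a region that was never mapped" condition behind the assertion cannot arise, whatever addresses the guest puts in the list.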