QEMU

assert issue locates in xhci_kick_epctx() in hw/usb/hcd-xhci.c

Bug #1902612 reported by Gaoning Pan
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
New
Undecided
Gaoning Pan

Bug Description

Hello,

I found an assertion failure through hw/usb/hcd-xhci.c.

This was found in latest version 5.1.0.

An assertion-failure flaw was found in xhci_kick_epctx() in hw/usb/hcd-xhci.c . XHCI slot's endpoint context is enabled in xhci_configure_slot(), whose ep_ctx structure is controlled by user. With uninitialized endPoint context could trigger assert(ring->dequeue != 0). The guest system could use this flaw to crash the qemu resulting in denial of service.

To reproduce the assertion failure, please run the QEMU with following command line.

$ qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive format=qcow2,file=./ubuntu.img -nic user,model=rtl8139,hostfwd=tcp:0.0.0.0:5555-:22 -device nec-usb-xhci,id=xhci -device usb-tablet,bus=xhci.0,port=1,id=usbdev1

The poc is attached.

Backtrace is as follows:
#0 0x00007f6dfd4c4f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f6dfd4c68b1 in __GI_abort () at abort.c:79
#2 0x00007f6dfd4b642a in __assert_fail_base (fmt=0x7f6dfd63da38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55e9b9d38a64 "ring->dequeue != 0", file=file@entry=0x55e9b9d388c0 "hw/usb/hcd-xhci.c", line=line@entry=0x7a3, function=function@entry=0x55e9b9d3a5c0 <__PRETTY_FUNCTION__.29754> "xhci_kick_epctx") at assert.c:92
#3 0x00007f6dfd4b64a2 in __GI___assert_fail (assertion=assertion@entry=0x55e9b9d38a64 "ring->dequeue != 0", file=file@entry=0x55e9b9d388c0 "hw/usb/hcd-xhci.c", line=line@entry=0x7a3, function=function@entry=0x55e9b9d3a5c0 <__PRETTY_FUNCTION__.29754> "xhci_kick_epctx") at assert.c:101
#4 0x000055e9b9a3292f in xhci_kick_epctx (epctx=0x7f6da836b510, streamid=streamid@entry=0x0) at hw/usb/hcd-xhci.c:1955
#5 0x000055e9b9a3c64b in xhci_kick_ep (streamid=0x0, epid=0x1, slotid=0x11, xhci=0x7f6df8b38010) at hw/usb/hcd-xhci.c:1861
#6 0x000055e9b9a3c64b in xhci_doorbell_write (ptr=0x7f6df8b38010, reg=0x11, val=0x1, size=<optimized out>) at hw/usb/hcd-xhci.c:3162
#7 0x000055e9b977d274 in memory_region_write_accessor (mr=0x7f6df8b38d80, addr=0x44, value=<optimized out>, size=0x1, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:483
#8 0x000055e9b977ad86 in access_with_adjusted_size (addr=addr@entry=0x44, value=value@entry=0x7f6dfb915f88, size=size@entry=0x1, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=0x55e9b977d1f0 <memory_region_write_accessor>, mr=0x7f6df8b38d80, attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:544
#9 0x000055e9b977f4c8 in memory_region_dispatch_write (mr=mr@entry=0x7f6df8b38d80, addr=0x44, data=<optimized out>, op=<optimized out>, attrs=attrs@entry=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:1483
#10 0x000055e9b972c691 in flatview_write_continue (fv=fv@entry=0x7f6da951f750, addr=addr@entry=0xfebf2044, attrs=..., ptr=ptr@entry=0x7f6dfb9160e0, len=len@entry=0x1, addr1=<optimized out>, l=<optimized out>, mr=0x7f6df8b38d80) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/exec.c:3137
#11 0x000055e9b972c826 in flatview_write (fv=0x7f6da951f750, addr=0xfebf2044, attrs=..., buf=buf@entry=0x7f6dfb9160e0, len=0x1) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/exec.c:3177
#12 0x000055e9b972c89a in subpage_write (opaque=<optimized out>, addr=<optimized out>, value=<optimized out>, len=<optimized out>, attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/exec.c:2789
#13 0x000055e9b977b269 in memory_region_write_with_attrs_accessor (mr=0x7f6da9534650, addr=0x44, value=<optimized out>, size=0x1, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:503
#14 0x000055e9b977ad86 in access_with_adjusted_size (addr=addr@entry=0x44, value=value@entry=0x7f6dfb9161f8, size=size@entry=0x1, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=0x55e9b977b1e0 <memory_region_write_with_attrs_accessor>, mr=0x7f6da9534650, attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:544
#15 0x000055e9b977f4c8 in memory_region_dispatch_write (mr=0x7f6da9534650, addr=addr@entry=0x44, data=<optimized out>, data@entry=0x1, op=op@entry=MO_8, attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:1483
#16 0x000055e9b979021f in io_writex (env=env@entry=0x55e9baed5b50, iotlbentry=iotlbentry@entry=0x7f6da8b8bc10, mmu_idx=mmu_idx@entry=0x1, val=val@entry=0x1, addr=addr@entry=0x7fbba0601044, retaddr=retaddr@entry=0x7f6db9d90d48, op=MO_8) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cputlb.c:1084
#17 0x000055e9b9794c42 in store_helper (op=MO_8, retaddr=0x7f6db9d90d48, oi=<optimized out>, val=<optimized out>, addr=0x7fbba0601044, env=0x55e9baed5b50) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cputlb.c:1954
#18 0x000055e9b9794c42 in helper_ret_stb_mmu (env=0x55e9baed5b50, addr=0x7fbba0601044, val=0x1, oi=<optimized out>, retaddr=0x7f6db9d90d48) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cputlb.c:2056
#19 0x00007f6db9d90d48 in code_gen_buffer ()
#20 0x000055e9b97a5217 in cpu_tb_exec (itb=<optimized out>, cpu=0x7f6db9d240c0 <code_gen_buffer+97665171>) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cpu-exec.c:172
#21 0x000055e9b97a5217 in cpu_loop_exec_tb (tb_exit=<synthetic pointer>, last_tb=<synthetic pointer>, tb=<optimized out>, cpu=0x7f6db9d240c0 <code_gen_buffer+97665171>) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cpu-exec.c:619
#22 0x000055e9b97a5217 in cpu_exec (cpu=cpu@entry=0x55e9baecd2f0) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cpu-exec.c:732
#23 0x000055e9b976ff9f in tcg_cpu_exec (cpu=0x55e9baecd2f0) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/cpus.c:1405
#24 0x000055e9b97723cb in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55e9baecd2f0) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/cpus.c:1713
#25 0x000055e9b9be7d66 in qemu_thread_start (args=<optimized out>) at util/qemu-thread-posix.c:519
#26 0x00007f6dfd87e6db in start_thread (arg=0x7f6dfb917700) at pthread_create.c:463
#27 0x00007f6dfd5a7a3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Revision history for this message
Gaoning Pan (hades0506) wrote :
Changed in qemu:
assignee: nobody → Gaoning Pan (hades0506)
Revision history for this message
Alexander Bulekov (a1xndr) wrote :

This looks like a duplicate of https://bugs.launchpad.net/qemu/+bug/1883732

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.