[OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QEMU |
Expired
|
Undecided
|
Unassigned |
Bug Description
=== Reproducer ===
while true; do cat << EOF; done | ./qemu-system-i386 -machine q35 -nodefaults -nographic -qtest stdio -accel qtest
outl 0xcf8 0x8000fa27
outl 0xcfc 0x37414537
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writew 0x37000f01 0x215a
writeq 0x37000100 0xfffaf
writeq 0x37000115 0xffff373d27004037
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writeq 0x370000ff 0x3700011500
writeq 0x37000115 0xc41ffffff035a5a
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000ea00
outw 0xcfc 0x5a1f
writeq 0x37000115 0x100007765746972
writeq 0x37000115 0xbf00000000000000
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000fa46
outb 0xcfc 0xff
clock_step
writeq 0x37000115 0xaf
writeq 0x37000115 0x6301275541af7415
writeq 0x37000115 0xafaf5a5a743715
outb 0x64 0xfe
EOF
=== Stack Trace ===
==887446==ERROR: UndefinedBehavi
#0 vfprintf
#1 fprintf
#2 ahci_mem_write /src/qemu/
#3 memory_
#4 access_
#5 memory_
#6 flatview_
#7 flatview_write /src/qemu/
#8 address_space_write /src/qemu/
#9 address_space_unmap /src/qemu/
#10 dma_memory_unmap /src/qemu/
#11 map_page /src/qemu/
#12 ahci_map_
#13 ahci_cond_
#14 ahci_port_write /src/qemu/
#15 ahci_mem_write /src/qemu/
#16 memory_
#17 access_
#18 memory_
#19 flatview_
#20 flatview_write /src/qemu/
#21 address_space_write /src/qemu/
#22 address_space_unmap /src/qemu/
#23 dma_memory_unmap /src/qemu/
#24 map_page /src/qemu/
#25 ahci_map_
#26 ahci_cond_
#27 ahci_port_write /src/qemu/
#28 ahci_mem_write /src/qemu/
... Repeat until we run out of stack
Changed in qemu: | |
assignee: | nobody → John Snow (jnsnow) |
tags: | added: fuzzer |
Having a quick look, the problem might be in ahci_cond_ start_engines( ) clb_address( ), then ahci_map_ fis_address( ) fails clb_address( ).
which calls ahci_map_
and we return without calling ahci_unmap_