Abort issue located in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Invalid | Undecided | Unassigned |
Bug Description
Hello,
I found an assertion failure in hw/usb/
This was found in the latest version, 5.2.0.
My reproduction environment is as follows:
Host: ubuntu 18.04
Guest: ubuntu 18.04
QEMU boot command line:
qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive format=
The backtrace is as follows:
pwndbg> bt
#0 0x00007fdf392aa438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/
#1 0x00007fdf392ac03a in __GI_abort () at abort.c:89
#2 0x000055c613721118 in ohci_frame_boundary (opaque=
#3 0x000055c6140bdf0e in timerlist_
#4 0x000055c6140be15a in qemu_clock_
#5 0x000055c6140beac7 in qemu_clock_
#6 0x000055c6140a1938 in main_loop_wait (nonblocking=0) at util/main-
#7 0x000055c6125d87e9 in qemu_main_loop () at /home/dell/
#8 0x000055c613f216ea in main (argc=7, argv=0x7fff174c
#9 0x00007fdf39295840 in __libc_start_main (main=0x55c613f
#10 0x000055c6120a4349 in _start ()
The poc is attached.
tags: added: fuzzer
Changed in qemu:
status: Incomplete → Confirmed
Seems to be the same as OSS-Fuzz Issue 29224
=== Reproducer ===
cat << EOF | ./qemu-system-i386 -machine q35 \
-machine accel=qtest, -m 512M -nodefaults \
-device pci-ohci -display none -qtest stdio
outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
outl 0xcf8 0x80000813
outl 0xcfc 0x23
clock_step
write 0x23000004 0x1 0x84
clock_step
write 0x0 0x1 0x7e
write 0x1 0x1 0xaa
write 0x3 0x1 0x16
write 0x1600aa8a 0x1 0xa0
write 0xa1 0x1 0x80
write 0xa4 0x1 0x20
clock_step
EOF
=== Stack Trace ===
hw/usb/hcd-ohci.c:1297:13
run_timers /src/qemu/util/qemu-timer.c:574:9
run_timers /src/qemu/util/qemu-timer.c:588:12
softmmu/qtest.c:356:9
command /src/qemu/softmmu/qtest.c:752:9
softmmu/qtest.c:797:9
inproc_recv /src/qemu/softmmu/qtest.c:904:9
tests/qtest/libqtest.c:1388:5
tests/qtest/libqtest.c:438:5
step_next /src/qemu/tests/qtest/libqtest.c:910:5
tests/qtest/fuzz/generic_fuzz.c:575:5
tests/qtest/fuzz/generic_fuzz.c:681:17
==6351==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000018cf (pc 0x7f675c885438 bp 0x7fff157e6150 sp 0x7fff157e5e68 T0)
#0 raise
#1 abort
#2 ohci_frame_boundary /src/qemu/
#3 timerlist_
#4 qemu_clock_
#5 qtest_clock_warp /src/qemu/
#6 qtest_process_
#7 qtest_process_inbuf /src/qemu/
#8 qtest_server_
#9 send_wrapper /src/qemu/
#10 qtest_sendf /src/qemu/
#11 qtest_clock_
#12 op_clock_step /src/qemu/
#13 generic_fuzz /src/qemu/
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29176
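As an added example (not from the bug report or from QEMU), the script below replays the reproducer's opening outl 0xcf8 / outl 0xcfc pairs as PCI config-space byte writes, which shows why the later MMIO write lands at 0x23000004 (BAR0 + 4, HcControl): the first pair sets PCI_COMMAND to enable memory decoding and the second sets BAR0 to 0x23000000. It assumes QEMU's pci_data_write semantics (offset = CONFIG_ADDRESS & 0xff with the low two bits kept, so unaligned 4-byte writes spill into the next registers) and models only the bytes written, not read-only-bit masking.

```python
import re

# Constructed copy of the config-space accesses that open the qtest
# reproducer above; the later MMIO writes are not modelled.
REPRO = """\
outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
outl 0xcf8 0x80000813
outl 0xcfc 0x23
"""
PCI_COMMAND = 0x04  # bit 1: memory space enable, bit 2: bus master
PCI_BAR0 = 0x10     # base of the OHCI MMIO window

def decode_config_reg(reg):
    """Split a CONFIG_ADDRESS (port 0xcf8) value into its fields.
    Assumption: like QEMU's pci_data_write, the offset is reg & 0xff with
    its low two bits kept, so a data write may land unaligned."""
    return {"enable": bool((reg >> 31) & 1), "bus": (reg >> 16) & 0xff,
            "dev": (reg >> 11) & 0x1f, "fn": (reg >> 8) & 0x7,
            "offset": reg & 0xff}

def config_byte_writes(script):
    """Replay outl 0xcf8 / outl 0xcfc pairs as (bus, dev, fn, off, byte)."""
    writes, addr = [], None
    for line in script.splitlines():
        m = re.match(r"\s*outl\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", line, re.I)
        if not m:
            continue
        port, val = int(m.group(1), 16), int(m.group(2), 16)
        if port == 0xcf8:
            addr = decode_config_reg(val)
        elif 0xcfc <= port <= 0xcff and addr and addr["enable"]:
            base = addr["offset"] | (port & 3)
            for i in range(4):  # outl stores four little-endian bytes
                if base + i < 0x100:
                    writes.append((addr["bus"], addr["dev"], addr["fn"],
                                   base + i, (val >> (8 * i)) & 0xff))
    return writes

def effective_registers(writes):
    """Assemble PCI_COMMAND and BAR0 from the byte writes. Config space
    starts zeroed and read-only bits are not masked, so this is what the
    script wrote, not necessarily what the device would read back."""
    space = bytearray(0x100)
    for _, _, _, off, value in writes:
        space[off] = value
    return {"command": space[PCI_COMMAND] | (space[PCI_COMMAND + 1] << 8),
            "bar0": int.from_bytes(space[PCI_BAR0:PCI_BAR0 + 4], "little")}
```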