QEMU

arm_gic: Abort in gic_clear_pending_sgi

Bug #1913914 reported by Alexander Bulekov on 2021-01-31

This bug report is a duplicate of: Bug #1914353: QEMU: aarch64: :GIC: out-of-bounds access via interrupt ID. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	New	Undecided	Unassigned

Bug Description

Reproducer:
cat << EOF | ./qemu-system-aarch64 \
-machine virt,accel=qtest -qtest stdio
write 0x8000000 0x1 0x02
write 0x8010000 0x1 0x03
write 0x8010004 0x1 0x10
write 0x8000f2f 0x1 0x0
writel 0x8000f00 0x2065559
write 0x8000d56 0x1 0x0
readl 0x801000b
EOF

Stacktrace:
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
../qemu/hw/intc/arm_gic.c:173:28: runtime error: load of misaligned address 0x6290000215c1 for type 'uint32_t' (aka 'unsigned int'), which requires 16 byte alignment
0x6290000215c1: note: pointer points here
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 1c 00 00 80 60 00 00 00 00 00 00 00
              ^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../qemu/hw/intc/arm_gic.c:173:28 in
[R +0.117623] readl 0x8010015
[R +0.117718] readl 0x801000b
qemu-fuzz-aarch64: ../qemu/hw/intc/arm_gic.c:580: uint32_t gic_clear_pending_sgi(GICState *, int, int): Assertion `s->sgi_pending[irq][cpu] != 0' failed.
==762== ERROR: libFuzzer: deadly signal
    #0 0x563d4e2371f1 in __sanitizer_print_stack_trace (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x350d1f1)
    #1 0x563d4e182348 in fuzzer::PrintStackTrace() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458348)
    #2 0x563d4e167493 in fuzzer::Fuzzer::CrashCallback() (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343d493)
    #3 0x7feabe05350f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1350f)
    #4 0x7feabde8e080 in __libc_signal_restore_set /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/internal-signals.h:84:10
    #5 0x7feabde8e080 in raise /build/glibc-suXNNi/glibc-2.29/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #6 0x7feabde79534 in abort /build/glibc-suXNNi/glibc-2.29/stdlib/abort.c:79:7
    #7 0x7feabde7940e in __assert_fail_base /build/glibc-suXNNi/glibc-2.29/assert/assert.c:92:3
    #8 0x7feabde86b91 in __assert_fail /build/glibc-suXNNi/glibc-2.29/assert/assert.c:101:3
    #9 0x563d4eba2a3c in gic_clear_pending_sgi /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:580:9
    #10 0x563d4eba2a3c in gic_acknowledge_irq /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:630:19
    #11 0x563d4ebb4ca4 in gic_cpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1615:17
    #12 0x563d4ebab538 in gic_thiscpu_read /home/alxndr/build-asan/../qemu/hw/intc/arm_gic.c:1771:12
    #13 0x563d5029ec2d in memory_region_read_with_attrs_accessor /home/alxndr/build-asan/../qemu/softmmu/memory.c:464:9
    #14 0x563d502705f3 in access_with_adjusted_size /home/alxndr/build-asan/../qemu/softmmu/memory.c:552:18
    #15 0x563d5026eb44 in memory_region_dispatch_read1 /home/alxndr/build-asan/../qemu/softmmu/memory.c
    #16 0x563d5026eb44 in memory_region_dispatch_read /home/alxndr/build-asan/../qemu/softmmu/memory.c:1449:9
    #17 0x563d5048c5bf in flatview_read_continue /home/alxndr/build-asan/../qemu/softmmu/physmem.c:2822:23
    #18 0x563d504a9a9b in address_space_read /home/alxndr/qemu/include/exec/memory.h:2484:26
    #19 0x563d504a9a9b in qtest_process_command /home/alxndr/build-asan/../qemu/softmmu/qtest.c:568:13
    #20 0x563d504a497f in qtest_process_inbuf /home/alxndr/build-asan/../qemu/softmmu/qtest.c:797:9
    #21 0x563d504a46d5 in qtest_server_inproc_recv /home/alxndr/build-asan/../qemu/softmmu/qtest.c:904:9
    #22 0x563d50ce5cc8 in qtest_sendf /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:438:5
    #23 0x563d50ce73a3 in qtest_read /home/alxndr/build-asan/../qemu/tests/qtest/libqtest.c:1032:5
    #24 0x563d4e264499 in __wrap_qtest_readl /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/qtest_wrappers.c:138:16
    #25 0x563d4e26ee5b in op_read /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:432:13
    #26 0x563d4e26dc46 in generic_fuzz /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/generic_fuzz.c:681:17
    #27 0x563d4e261283 in LLVMFuzzerTestOneInput /home/alxndr/build-asan/../qemu/tests/qtest/fuzz/fuzz.c:151:5
    #28 0x563d4e168b51 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x343eb51)
    #29 0x563d4e1542c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342a2c2)
    #30 0x563d4e159d76 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x342fd76)
    #31 0x563d4e182a32 in main (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3458a32)
    #32 0x7feabde7abba in __libc_start_main /build/glibc-suXNNi/glibc-2.29/csu/../csu/libc-start.c:308:16
    #33 0x563d4e12e989 in _start (/home/alxndr/build-asan/qemu-fuzz-aarch64+0x3404989)

Tags:

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1914353 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.