Assertion failure in fifo8_pop_buf() through am53c974
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
Using the hypervisor fuzzer hyfuzz, I found an assertion failure through the am53c974 emulator.
A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master, 3f8d1885e4).
```
qemu-system-i386: ../util/fifo8.c:73: fifo8_pop_buf: Assertion `max > 0 && max <= fifo->num' failed.
#0 0x00007ffff0218fb7 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/
#1 0x00007ffff021a921 in __GI_abort () at abort.c:79
#2 0x00007ffff020a48a in __assert_fail_base (fmt=0x7ffff0391750 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=
#3 0x00007ffff020a502 in __GI___assert_fail (assertion=
#4 0x000055555877519a in fifo8_pop_buf (fifo=fifo@
#5 0x00005555572b7d9a in do_cmd (s=s@entry=
#6 0x00005555572b879a in esp_do_nodma (s=s@entry=
#7 0x00005555572bfd79 in handle_ti (s=0x61f000005088) at ../hw/scsi/
#8 0x00005555572c419c in esp_reg_write (s=0x61f000005088, saddr=saddr@
#9 0x0000555557bb916a in esp_pci_io_write (opaque=
#10 0x000055555817ea28 in memory_
#11 0x0000555558176671 in access_
0x55555817e7c0 <memory_
#12 0x00005555581892aa in memory_
#13 0x0000555558024b66 in address_space_stb (as=<optimized out>, addr=<optimized out>, val=<optimized out>, attrs=..., result=0x0) at /home/cwmyung/
#14 0x00007fff93236d3c in code_gen_buffer ()
#15 0x0000555557e793bb in cpu_tb_exec (tb_exit=<optimized out>, itb=<optimized out>, cpu=0x62e0000004b4) at ../accel/
#16 0x0000555557e793bb in cpu_loop_exec_tb (tb_exit=<optimized out>, last_tb=<optimized out>, tb=<optimized out>, cpu=0x62e0000004b4) at ../accel/
#17 0x0000555557e793bb in cpu_exec (cpu=cpu@
#18 0x0000555557f5fc5a in tcg_cpus_exec (cpu=cpu@
#19 0x00005555582260af in mttcg_cpu_thread_fn (arg=arg@
#20 0x0000555558777b05 in qemu_thread_start (args=<optimized out>) at ../util/
#21 0x00007ffff05d26db in start_thread (arg=0x7fff72bf
#22 0x00007ffff02fb71f in clone () at ../sysdeps/
```
To reproduce the assertion failure, please run QEMU with the following command line.
```
$ ./qemu-system-i386 -m 512 -drive file=./
```
Please let me know if I can provide any further info.
Thank you.
- Cheolwoo, Myung (Seoul National University)
Changed in qemu:
status: Fix Released → Fix Committed
Changed in qemu:
status: Fix Committed → Fix Released
QTest reproducer:
```c
/*
 * Autogenerated Fuzzer Test Case
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or
 * later. See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

/*
 * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, \
 * -m 4G -device am53c974,id=scsi -device scsi-hd,drive=disk0 -drive \
 * id=disk0,if=none,file=null-co://,format=raw -nodefaults -qtest stdio
 * outl 0xcf8 0x80001004
 * outw 0xcfc 0x01
 * outl 0xcf8 0x8000100e
 * outl 0xcfc 0x8a000000
 * outl 0x8a09 0x42000000
 * outl 0x8a0d 0x00
 * outl 0x8a0b 0x1000
 * EOF
 */
static void test_fuzz(void)
{
    QTestState *s = qtest_init(
        "-display none , -m 4G -device am53c974,id=scsi -device "
        "scsi-hd,drive=disk0 -drive "
        "id=disk0,if=none,file=null-co://,format=raw -nodefaults");

    /* PCI config space: select bus 0, device 2, function 0, command register */
    qtest_outl(s, 0xcf8, 0x80001004);
    /* enable I/O space decoding for the am53c974 */
    qtest_outw(s, 0xcfc, 0x01);
    /* program BAR0 so the controller's I/O registers appear at 0x8a00 */
    qtest_outl(s, 0xcf8, 0x8000100e);
    qtest_outl(s, 0xcfc, 0x8a000000);
    /* ESP register writes that drive handle_ti() into the failing do_cmd() pop */
    qtest_outl(s, 0x8a09, 0x42000000);
    qtest_outl(s, 0x8a0d, 0x00);
    qtest_outl(s, 0x8a0b, 0x1000);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}
```
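The backtrace above ends in `fifo8_pop_buf()` asserting `max > 0 && max <= fifo->num`: a guest register write reaches `do_cmd()`, which asks the FIFO for more bytes than it holds, and the host process aborts. The following is an added illustration of that bug class, not QEMU's code and not the committed fix. It uses a hypothetical 16-byte FIFO with the same pop precondition, records violations in a counter instead of calling `abort()` so the demo can keep running, and contrasts a handler that trusts the guest-derived length with one that consults `fifo8_num_used()` first. The function and type names (`Fifo8`, `handle_cmd_unchecked`, `handle_cmd_checked`, `run_scenario`) and the two scenarios (empty FIFO, then 3 queued bytes with a claimed length of 8) are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_CAP 16

/* Hypothetical ring buffer modelled on the fifo8 contract, not QEMU's code. */
typedef struct {
    uint8_t data[FIFO_CAP];
    uint32_t head;   /* index of the oldest byte */
    uint32_t num;    /* bytes currently queued */
} Fifo8;

/* In QEMU the failed assert() aborts the whole process; here the violation
 * is counted instead so both handlers can be compared in one run. */
static int precondition_failures;

static void fifo8_reset(Fifo8 *f) { memset(f, 0, sizeof *f); }
static uint32_t fifo8_num_used(const Fifo8 *f) { return f->num; }

static bool fifo8_push(Fifo8 *f, uint8_t b)
{
    if (f->num == FIFO_CAP) return false;
    f->data[(f->head + f->num) % FIFO_CAP] = b;
    f->num++;
    return true;
}

/* Same precondition as the assertion in the report: 0 < max <= num.
 * Pops max bytes into out and returns the count; a violation returns 0. */
static uint32_t fifo8_pop_buf(Fifo8 *f, uint32_t max, uint8_t *out)
{
    if (!(max > 0 && max <= f->num)) {
        precondition_failures++;   /* this is where the real code aborts */
        return 0;
    }
    for (uint32_t i = 0; i < max; i++) {
        out[i] = f->data[(f->head + i) % FIFO_CAP];
    }
    f->head = (f->head + max) % FIFO_CAP;
    f->num -= max;
    return max;
}

/* Before: pop whatever length the guest's register write implied, without
 * asking the FIFO what it actually contains. */
static uint32_t handle_cmd_unchecked(Fifo8 *cmdfifo, uint32_t guest_len, uint8_t *out)
{
    return fifo8_pop_buf(cmdfifo, guest_len, out);
}

/* After: a guest-controlled length is input, not an invariant. An empty FIFO
 * or zero length is ignored, and the length is clamped to what is queued. */
static uint32_t handle_cmd_checked(Fifo8 *cmdfifo, uint32_t guest_len, uint8_t *out)
{
    uint32_t avail = fifo8_num_used(cmdfifo);
    if (avail == 0 || guest_len == 0) {
        return 0;
    }
    if (guest_len > avail) {
        guest_len = avail;
    }
    return fifo8_pop_buf(cmdfifo, guest_len, out);
}

typedef struct {
    int violations;     /* how often the pop precondition was broken */
    uint32_t popped;    /* total bytes handed to the command path */
} Result;

/* Constructed scenario: the guest issues a command while the command FIFO is
 * empty, then queues 3 bytes but claims a command length of 8. */
static Result run_scenario(bool use_checked)
{
    uint32_t (*handler)(Fifo8 *, uint32_t, uint8_t *) =
        use_checked ? handle_cmd_checked : handle_cmd_unchecked;
    Fifo8 f;
    uint8_t out[FIFO_CAP];
    Result r = {0, 0};

    precondition_failures = 0;
    fifo8_reset(&f);

    r.popped += handler(&f, 1, out);                 /* case 1: empty FIFO */

    fifo8_push(&f, 0x12);
    fifo8_push(&f, 0x34);
    fifo8_push(&f, 0x56);
    r.popped += handler(&f, 8, out);                 /* case 2: 3 queued, 8 claimed */

    r.violations = precondition_failures;
    return r;
}

int main(void)
{
    Result before = run_scenario(false);
    Result after = run_scenario(true);
    printf("unchecked: %d assertion-class violations, %u bytes popped\n",
           before.violations, before.popped);
    printf("checked:   %d assertion-class violations, %u bytes popped\n",
           after.violations, after.popped);
    return 0;
}
```

The unchecked handler trips the precondition in both cases, which in the real device model means two guest-triggerable aborts; the checked handler reports nothing to pop for the empty FIFO and delivers the three bytes that are actually queued for the second command. The general lesson from the report is that any length a device model derives from guest-written registers must be validated against the FIFO's own occupancy before it reaches a function whose contract is enforced by assert().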