QEMU

  1. Bug #1926111
  2. Comment #1

Comment 1 for bug 1926111

Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote : Re: [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Cc'ing maintainers.

./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
Dmitry Fleytman <email address hidden> (maintainer:Vmware)
Jason Wang <email address hidden> (odd fixer:Network devices)

On 4/26/21 5:19 AM, Alexander Bulekov wrote:
> Public bug reported:
>
> === Stacktrace ===
>
> qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
> ==602353== ERROR: libFuzzer: deadly signal
> #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
> #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
> #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
> #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
> #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
> #10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
> #11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
> #12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
> #13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
> #14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
> #15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
>
> === Reproducer ===
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
> user,id=net0 -qtest stdio
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x80000815
> outl 0xcfc 0xffff00b5
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0xff00b020 0x4 0x0000feca
> write 0xe0000630 0x1 0x00
> EOF
>
>
> === Testcase ===
>
> /*
> * Autogenerated Fuzzer Test Case
> *
> * This work is licensed under the terms of the GNU GPL, version 2 or later.
> * See the COPYING file in the top-level directory.
> */
>
> #include "qemu/osdep.h"
>
> #include "libqos/libqtest.h"
>
> static void test_fuzz(void) {
> QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
> "-device vmxnet3,netdev=net0 -netdev user,id=net0");
> qtest_outl(s, 0xcf8, 0x80000810);
> qtest_outl(s, 0xcfc, 0xe0000000);
> qtest_outl(s, 0xcf8, 0x80000814);
> qtest_outl(s, 0xcf8, 0x80000804);
> qtest_outw(s, 0xcfc, 0x7);
> qtest_outl(s, 0xcf8, 0x80000815);
> qtest_outl(s, 0xcfc, 0xffff00b5);
> qtest_bufwrite(s, 0x0, "\xe1", 0x1);
> qtest_bufwrite(s, 0x1, "\xfe", 0x1);
> qtest_bufwrite(s, 0x2, "\xbe", 0x1);
> qtest_bufwrite(s, 0x3, "\xba", 0x1);
> qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
> qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
> qtest_quit(s);
> }
> int main(int argc, char **argv) {
> const char *arch = qtest_get_arch();
>
> g_test_init(&argc, &argv, NULL);
>
> if (strcmp(arch, "i386") == 0) {
> qtest_add_func("fuzz/test_fuzz", test_fuzz);
> }
>
> return g_test_run();
> }
>
>
> === OSS-Fuzz Report ===
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
> https://oss-fuzz.com/testcase?key=6071483232288768
>
> ** Affects: qemu
> Importance: Undecided
> Status: New
>
>
> ** Tags: fuzzer
>
> ** Tags removed: fuzz
> ** Tags added: fuzzer
>