Cc'ing maintainers.
./scripts/get_maintainer.pl -f hw/net/vmxnet3.c Dmitry Fleytman <email address hidden> (maintainer:Vmware) Jason Wang <email address hidden> (odd fixer:Network devices)
On 4/26/21 5:19 AM, Alexander Bulekov wrote: > Public bug reported: > > === Stacktrace === > > qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed. > ==602353== ERROR: libFuzzer: deadly signal > #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3 > #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7 > #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3 > #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3 > #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9 > #10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5 > #11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18 > #12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16 > #13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23 > #14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14 > #15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18 > > === Reproducer === > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ > 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \ > user,id=net0 -qtest stdio > outl 0xcf8 0x80000810 > outl 0xcfc 0xe0000000 > outl 0xcf8 0x80000814 > outl 0xcf8 0x80000804 > outw 0xcfc 0x7 > outl 0xcf8 0x80000815 > outl 0xcfc 0xffff00b5 > write 0x0 0x1 0xe1 > write 0x1 0x1 0xfe > write 0x2 0x1 0xbe > write 0x3 0x1 0xba > write 0xff00b020 0x4 0x0000feca > write 0xe0000630 0x1 0x00 > EOF > > > === Testcase === > > /* > * Autogenerated Fuzzer Test Case > * > * This work is licensed under the terms of the GNU GPL, version 2 or later. > * See the COPYING file in the top-level directory. 
> */ > > #include "qemu/osdep.h" > > #include "libqos/libqtest.h" > > static void test_fuzz(void) { > QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults " > "-device vmxnet3,netdev=net0 -netdev user,id=net0"); > qtest_outl(s, 0xcf8, 0x80000810); > qtest_outl(s, 0xcfc, 0xe0000000); > qtest_outl(s, 0xcf8, 0x80000814); > qtest_outl(s, 0xcf8, 0x80000804); > qtest_outw(s, 0xcfc, 0x7); > qtest_outl(s, 0xcf8, 0x80000815); > qtest_outl(s, 0xcfc, 0xffff00b5); > qtest_bufwrite(s, 0x0, "\xe1", 0x1); > qtest_bufwrite(s, 0x1, "\xfe", 0x1); > qtest_bufwrite(s, 0x2, "\xbe", 0x1); > qtest_bufwrite(s, 0x3, "\xba", 0x1); > qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4); > qtest_bufwrite(s, 0xe0000630, "\x00", 0x1); > qtest_quit(s); > } > int main(int argc, char **argv) { > const char *arch = qtest_get_arch(); > > g_test_init(&argc, &argv, NULL); > > if (strcmp(arch, "i386") == 0) { > qtest_add_func("fuzz/test_fuzz", test_fuzz); > } > > return g_test_run(); > } > > > === OSS-Fuzz Report === > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603 > https://oss-fuzz.com/testcase?key=6071483232288768 > > ** Affects: qemu > Importance: Undecided > Status: New > > > ** Tags: fuzzer > > ** Tags removed: fuzz > ** Tags added: fuzzer >
Cc'ing maintainers. Note that the trace below shows the failed assertion is reached through the MMIO dispatch path (address_space_write -> memory_region_dispatch_write -> vmxnet3_io_bar0_write), i.e. from a write to the device's BAR0 region; in a real VM that path is driven by the guest's driver, so this is a guest-triggerable abort of the whole QEMU process. The `tx_queue_idx` assert should presumably be replaced by a bounds check that rejects the out-of-range queue index (and logs a guest error) rather than aborting.
./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
Dmitry Fleytman <email address hidden> (maintainer:Vmware)
Jason Wang <email address hidden> (odd fixer:Network devices)
On 4/26/21 5:19 AM, Alexander Bulekov wrote:
> Public bug reported:
>
> === Stacktrace ===
>
> qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
> ==602353== ERROR: libFuzzer: deadly signal
> #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
> #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
> #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
> #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
> #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write hw/net/vmxnet3.c:1096:9
> #10 0x563e6eefdb00 in memory_region_write_accessor softmmu/memory.c:491:5
> #11 0x563e6eefcfdd in access_with_adjusted_size softmmu/memory.c:552:18
> #12 0x563e6eefac90 in memory_region_dispatch_write softmmu/memory.c:1502:16
> #13 0x563e6e834e16 in flatview_write_continue softmmu/physmem.c:2746:23
> #14 0x563e6e81cd38 in flatview_write softmmu/physmem.c:2786:14
> #15 0x563e6e81c868 in address_space_write softmmu/physmem.c:2878:18
>
> === Reproducer ===
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
> 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
> user,id=net0 -qtest stdio
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x80000815
> outl 0xcfc 0xffff00b5
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0xff00b020 0x4 0x0000feca
> write 0xe0000630 0x1 0x00
> EOF
>
>
> === Testcase ===
>
> /*
> * Autogenerated Fuzzer Test Case
> *
> * This work is licensed under the terms of the GNU GPL, version 2 or later.
> * See the COPYING file in the top-level directory.
> */
>
> #include "qemu/osdep.h"
>
> #include "libqos/libqtest.h"
>
> static void test_fuzz(void) {
> QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
> "-device vmxnet3,netdev=net0 -netdev user,id=net0");
> qtest_outl(s, 0xcf8, 0x80000810);
> qtest_outl(s, 0xcfc, 0xe0000000);
> qtest_outl(s, 0xcf8, 0x80000814);
> qtest_outl(s, 0xcf8, 0x80000804);
> qtest_outw(s, 0xcfc, 0x7);
> qtest_outl(s, 0xcf8, 0x80000815);
> qtest_outl(s, 0xcfc, 0xffff00b5);
> qtest_bufwrite(s, 0x0, "\xe1", 0x1);
> qtest_bufwrite(s, 0x1, "\xfe", 0x1);
> qtest_bufwrite(s, 0x2, "\xbe", 0x1);
> qtest_bufwrite(s, 0x3, "\xba", 0x1);
> qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
> qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
> qtest_quit(s);
> }
> int main(int argc, char **argv) {
> const char *arch = qtest_get_arch();
>
> g_test_init(&argc, &argv, NULL);
>
> if (strcmp(arch, "i386") == 0) {
> qtest_add_func("fuzz/test_fuzz", test_fuzz);
> }
>
> return g_test_run();
> }
>
>
> === OSS-Fuzz Report ===
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
> https://oss-fuzz.com/testcase?key=6071483232288768
>
> ** Affects: qemu
> Importance: Undecided
> Status: New
>
>
> ** Tags: fuzzer
>
> ** Tags removed: fuzz
> ** Tags added: fuzzer
>