This assert was found during fuzzing and can be triggered with some qtest
commands.
So instead of assert failure I suggest to handle this error and abort the
command.
This patch is required at least to improve fuzzing process and do not spam with
this assert.
RFC.
Found by Linux Verification Center (linuxtesting.org) with libFuzzer.
Fixes: ed78352a59 ("ide: Fix incorrect handling of some PRDTs in ide_dma_cb()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2777
Signed-off-by: Artem Nasonov <[email protected]>
---
hw/ide/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index f9baba59e9..baca7121ec 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -931,7 +931,10 @@ static void ide_dma_cb(void *opaque, int ret)
s->io_buffer_size = n * 512;
prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
/* prepare_buf() must succeed and respect the limit */
- assert(prep_size >= 0 && prep_size <= n * 512);
+ if (prep_size < 0 || prep_size > n * 512) {
+ ide_dma_error(s);
+ return;
+ }
/*
* Now prep_size stores the number of bytes in the sglist, and
--
2.39.5
