Cc'ing Dmitry

On 5/11/20 8:04 PM, Alexander Bulekov wrote:
> Public bug reported:
>
> Hello,
> While fuzzing, I found an input that triggers an assertion failure in
> eth_get_gso_type through the e1000e:
>
> #1  0x00007ffff685755b in __GI_abort () at abort.c:79
> #2  0x00007ffff7c75dc3 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #3  0x00007ffff7cd0b0a in g_assertion_message_expr () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #4  0x0000555556875f33 in eth_get_gso_type (l3_proto=<optimized out>, l3_hdr=<optimized out>, l4proto=<optimized out>) at /home/alxndr/Development/qemu/net/eth.c:76
> #5  0x00005555565e09ac in net_tx_pkt_get_gso_type (pkt=0x631000014800, tso_enable=0x1) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:300
> #6  0x00005555565e09ac in net_tx_pkt_build_vheader (pkt=0x631000014800, tso_enable=<optimized out>, csum_enable=<optimized out>, gso_size=<optimized out>) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:316
> #7  0x000055555660bdb1 in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:637
> #8  0x000055555660bdb1 in e1000e_tx_pkt_send (core=0x7fffeeb754e0, tx=0x7fffeeb95748, queue_index=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
> #9  0x000055555660bdb1 in e1000e_process_tx_desc (core=0x7fffeeb754e0, tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
> #10 0x000055555660bdb1 in e1000e_start_xmit (core=core@entry=0x7fffeeb754e0, txr=<optimized out>, txr@entry=0x7fffffffbe60) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
> #11 0x0000555556607e2e in e1000e_set_tctl (core=0x7fffeeb754e0, index=<optimized out>, val=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2431
> #12 0x00005555565f90fd in e1000e_core_write (core=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
> #13 0x0000555555ff4337 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
> #14 0x0000555555ff3ce0 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x7fffeeb75110, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
> #15 0x0000555555ff3ce0 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=0x2b, op=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
>
> I can reproduce it in qemu 5.0 built with using:
> cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio -monitor none -serial none
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x800008a2
> write 0xe0000420 0x1fc 0x3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff272d2f3ff9ffdf00000000002477ff272d2f3ff9ffdf0000000000247fff272d2f3ff9ffdf00000000002487ff272d2f3ff9ffdf0000000000248fff272d2f3ff9ffdf00000000002497ff272d2f3ff9ffdf0000000000249fff272d2f3ff9ffdf000000000024a7ff272d2f3ff9ffdf000000000024afff272d2f3ff9ffdf000000000024b7ff272d2f3ff9ffdf000000000024bfff272d2f3ff9ffdf000000000024c7ff272d2f3ff9ffdf000000000024cfff272d2f3ff9ffdf000000000024d7ff272d2f3ff9ffdf000000000024dfff272d2f3ff9ffdf000000000024e7ff272d2f3ff9ffdf000000000024efff272d2f3ff9ffdf000000000024f7ff272d2f3ff9ffdf000000000024ffff272d2f3ff9ffdf00000000002407ff272d2f3ff9ffdf0000000000240fff272d2f3ff9ffdf00000000002417ff272d2f3ff9ffdf0000000000241fff272d2f3ff9ffdf00000000002427ff272d2f3ff9ffdf0000000000242fff272d2f3ff9ffdf00000000002437ff272d2f3ff9ffdf0000000000243fff272d2f3ff9ffdf00000000002447ff272d2f3ff9ffdf0000000000244fff272d2f3ff9ffdf00000000002457ff272d2f3ff9ffdf0000000000245fff272d2f3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff27
> write 0xe00000b8 0x349 0xa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52b
> EOF
>
> I also attached the trace to this launchpad report, in case the
> formatting is broken:
>
> qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio -monitor none -serial none < attachment
>
> Please let me know if I can provide any further info.
> -Alex
>
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
>
> ** Attachment added: "attachment"
>    https://bugs.launchpad.net/bugs/1878067/+attachment/5369990/+files/attachment
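The reproducer above is a sequence of raw qtest commands, and the only way to see what it does to the device is to decode the legacy 0xcf8/0xcfc PCI configuration mechanism by hand: which bus/device/function and register each `outl 0xcf8` selects, which BAR the `outl 0xcfc 0xe0000000` programs, and where inside that BAR the two large `write` commands land. The script below, an added example and not code from the bug report or from QEMU, does that decoding for the three qtest commands the reproducer uses (outb/outw/outl and write). It records every BAR that gets written and expresses later MMIO writes as an offset into the nearest programmed BAR; it deliberately does not name device registers, since that needs the device's register map. The sample input is constructed: it repeats the reproducer's PCI setup but substitutes four- and two-byte stand-in payloads for the 0x1fc- and 0x349-byte blobs. Names such as `decode_reproducer`, `Event` and `SAMPLE_REPRO` are this example's own.

```python
"""Decode a qtest reproducer into PCI config-space and BAR-relative MMIO events.

Added example; not part of the bug report or of QEMU. Handles the qtest
commands outb/outw/outl and write, decodes legacy configuration mechanism #1
(CONFIG_ADDRESS at 0xcf8, CONFIG_DATA at 0xcfc) and attributes MMIO writes to
the BAR they fall in. Register names are not assigned here.
"""
from dataclasses import dataclass, field

PCI_CONFIG_ADDR = 0xCF8
PCI_CONFIG_DATA = 0xCFC
PCI_COMMAND = 0x04
PCI_BAR0, PCI_BAR5 = 0x10, 0x24


@dataclass
class Event:
    kind: str      # cfg_select | cfg_write | io_write | mmio_write | other
    detail: dict


@dataclass
class State:
    config_addr: int = 0
    # (bus, dev, fn, bar_index) -> base address with the BAR flag bits masked off
    bars: dict = field(default_factory=dict)


def decode_config_addr(value):
    """Split a CONFIG_ADDRESS dword into enable bit, bus, device, function, register."""
    return {
        "enable": bool(value & 0x8000_0000),
        "bus": (value >> 16) & 0xFF,
        "dev": (value >> 11) & 0x1F,
        "fn": (value >> 8) & 0x7,
        # Byte offset as the guest wrote it. The PCI spec reserves bits 1:0,
        # but fuzzer-generated addresses (0x800008a2 above) may set them.
        "reg": value & 0xFF,
    }


def locate_in_bar(state, addr):
    """Attribute addr to the programmed BAR with the highest base <= addr.
    BAR sizes are unknown to this script, so this is best-effort attribution,
    not a bounds check."""
    below = [(base, key) for key, base in state.bars.items() if base <= addr]
    if not below:
        return None, None
    base, key = max(below)
    return key, addr - base


def decode_line(state, line):
    parts = line.split()
    if not parts:
        return None
    cmd = parts[0]
    if cmd in ("outb", "outw", "outl"):
        width = {"outb": 1, "outw": 2, "outl": 4}[cmd]
        port, value = int(parts[1], 0), int(parts[2], 0)
        if port == PCI_CONFIG_ADDR and width == 4:
            state.config_addr = value
            return Event("cfg_select", decode_config_addr(value))
        if PCI_CONFIG_DATA <= port < PCI_CONFIG_DATA + 4:
            sel = decode_config_addr(state.config_addr)
            # The data-port offset selects the byte within the selected dword.
            reg = sel["reg"] | (port - PCI_CONFIG_DATA)
            detail = {**sel, "reg": reg, "value": value, "width": width}
            if reg == PCI_COMMAND:
                detail["command"] = {"io": bool(value & 1),
                                     "mem": bool(value & 2),
                                     "bus_master": bool(value & 4)}
            if PCI_BAR0 <= reg <= PCI_BAR5 and reg % 4 == 0 and width == 4:
                is_io = bool(value & 1)            # bit 0 set: I/O-space BAR
                base = (value & ~0x3) if is_io else (value & ~0xF)
                detail.update(bar=(reg - PCI_BAR0) // 4, base=base, io_bar=is_io)
                state.bars[(sel["bus"], sel["dev"], sel["fn"], detail["bar"])] = base
            return Event("cfg_write", detail)
        return Event("io_write", {"port": port, "value": value, "width": width})
    if cmd == "write":
        # qtest: write ADDR LEN 0xHEXDATA, with LEN bytes of hex data
        addr, length = int(parts[1], 0), int(parts[2], 0)
        data = bytes.fromhex(parts[3][2:]) if len(parts) > 3 and parts[3].startswith("0x") else b""
        key, offset = locate_in_bar(state, addr)
        return Event("mmio_write", {"addr": addr, "length": length,
                                    "data_len_matches": len(data) == length,
                                    "bar": key, "offset": offset})
    return Event("other", {"raw": line})


def decode_reproducer(text):
    state = State()
    return [ev for ev in (decode_line(state, ln) for ln in text.splitlines()) if ev]


# Constructed sample: the reproducer's PCI setup with short stand-in payloads.
SAMPLE_REPRO = """\
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000814
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outl 0xcf8 0x800008a2
write 0xe0000420 0x4 0xdeadbeef
write 0xe00000b8 0x2 0xa300
"""

if __name__ == "__main__":
    for ev in decode_reproducer(SAMPLE_REPRO):
        shown = {k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
                 for k, v in ev.detail.items()}
        print(ev.kind, shown)
```

Run against the constructed sample, the decoder reports that the first `outl 0xcf8` selects bus 0, device 1, function 0, register 0x10 (BAR0), that the following `outl 0xcfc` programs BAR0 to 0xe0000000 as a memory BAR, that the `outw 0xcfc 0x7` write to the command register enables I/O space, memory space and bus mastering, and that the two `write` commands land at offsets 0x420 and 0xb8 into BAR0. The same script decodes the full reproducer unchanged; only the payloads are shortened here.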