This was reported by OSS-Fuzz as Issue 27389
Here is a minimized reproducer:

=== Reproducer ===
cat << EOF | ./qemu-system-i386 -display none\
 -machine accel=qtest -m 512M -machine q35 -nodefaults \
-device e1000e,netdev=net0 -netdev user,id=net0 -qtest stdio
outl 0xcf8 0x80000811
outl 0xcfc 0xc600
outl 0xcf8 0x80000813
outl 0xcfc 0x9d
outl 0xcf8 0x80000801
outl 0xcfc 0x16000000
write 0x9dc6500a 0x2 0x2080
write 0x9dc6011a 0x2 0x1040
write 0x9dc60120 0x1 0xa0
write 0x9dc60102 0x2 0x4e04
outl 0xcf8 0x80000811
outl 0xcfc 0x5ac600
write 0x5ac6042a 0x2 0x00ff
write 0x5ac60402 0x2 0x020
write 0x10 0x1 0xff
write 0x11 0x1 0x01
write 0x19 0x1 0xe7
write 0x1b 0x1 0x11
write 0x20b 0x1 0x08
write 0x20d 0x1 0x15
write 0xac7 0x1 0x10
write 0x5ac6043a 0x1 0x10
EOF

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878651

Title:
  Assertion failure in e1000e_write_to_rx_buffers

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input which triggers an assertion failure in 
e1000e_write_to_rx_buffers:
  /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424: void 
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, 
const char *, dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed.
  #0  0x00007ffff686d761 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:50
  #1  0x00007ffff685755b in __GI_abort () at abort.c:79
  #2  0x00007ffff685742f in __assert_fail_base (fmt=0x7ffff69bdb48 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=0x555557f691e0 <str> 
"bastate->cur_idx < MAX_PS_BUFFERS", file=0x555557f5a080 <str> 
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, 
function=<optimized out>) at assert.c:92
  #3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557f691e0 <str> 
"bastate->cur_idx < MAX_PS_BUFFERS", file=0x555557f5a080 <str> 
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x590, 
function=0x555557f69240 <__PRETTY_FUNCTION__.e1000e_write_to_rx_buffers> "void 
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *, 
const char *, dma_addr_t)") at assert.c:101
  #4  0x0000555556f8fbcd in e1000e_write_to_rx_buffers (core=0x7fffee07c4e0, 
ba=0x7fffffff8860, bastate=0x7fffffff88a0, data=0x7fffe61b8021 "", 
data_len=0x2000) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424
  #5  0x0000555556f82f14 in e1000e_write_packet_to_guest (core=0x7fffee07c4e0, 
pkt=0x61100004b900, rxr=0x7fffffff8d10, rss_info=0x7fffffff8d30) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1582
  #6  0x0000555556f80960 in e1000e_receive_iov (core=0x7fffee07c4e0, 
iov=0x61900004e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709
  #7  0x0000555556f7d457 in e1000e_nc_receive_iov (nc=0x614000007460, 
iov=0x61900004e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:213
  #8  0x0000555556f64738 in net_tx_pkt_sendv (pkt=0x631000028800, 
nc=0x614000007460, iov=0x61900004e780, iov_cnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544
  #9  0x0000555556f63f0e in net_tx_pkt_send (pkt=0x631000028800, 
nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620
  #10 0x0000555556f650e5 in net_tx_pkt_send_loopback (pkt=0x631000028800, 
nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633
  #11 0x0000555556fb026a in e1000e_tx_pkt_send (core=0x7fffee07c4e0, 
tx=0x7fffee09c748, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:664
  #12 0x0000555556faebf6 in e1000e_process_tx_desc (core=0x7fffee07c4e0, 
tx=0x7fffee09c748, dp=0x7fffffff9520, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #13 0x0000555556fadfa8 in e1000e_start_xmit (core=0x7fffee07c4e0, 
txr=0x7fffffff9720) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #14 0x0000555556fa308b in e1000e_set_tdt (core=0x7fffee07c4e0, index=0xe06, 
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #15 0x0000555556f84d7e in e1000e_core_write (core=0x7fffee07c4e0, addr=0x438, 
val=0x563, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #16 0x0000555556f79497 in e1000e_mmio_write (opaque=0x7fffee079800, 
addr=0x438, val=0x563, size=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:109
  #17 0x00005555564938b5 in memory_region_write_accessor (mr=0x7fffee07c110, 
addr=0x438, value=0x7fffffff9d90, size=0x4, shift=0x0, mask=0xffffffff, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #18 0x000055555649328a in access_with_adjusted_size (addr=0x438, 
value=0x7fffffff9d90, size=0x2, access_size_min=0x4, access_size_max=0x4, 
access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x7fffee07c110, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #19 0x0000555556491df6 in memory_region_dispatch_write (mr=0x7fffee07c110, 
addr=0x438, data=0x563, op=MO_16, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:1476
  #20 0x00005555562cbbf4 in flatview_write_continue (fv=0x606000037820, 
addr=0xe1020438, attrs=..., ptr=0x61900009ba80, len=0x2, addr1=0x438, l=0x2, 
mr=0x7fffee07c110) at /home/alxndr/Development/qemu/exec.c:3137
  #21 0x00005555562bbad9 in flatview_write (fv=0x606000037820, addr=0xe1020023, 
attrs=..., buf=0x61900009ba80, len=0x417) at 
/home/alxndr/Development/qemu/exec.c:3177
  #22 0x00005555562bb609 in address_space_write (as=0x6080000027a0, 
addr=0xe1020023, attrs=..., buf=0x61900009ba80, len=0x417) at 
/home/alxndr/Development/qemu/exec.c:3268
  #23 0x0000555556488c07 in qtest_process_command (chr=0x555559691d00 
<qtest_chr>, words=0x60400001e210) at /home/alxndr/Development/qemu/qtest.c:567
  #24 0x000055555647f187 in qtest_process_inbuf (chr=0x555559691d00 
<qtest_chr>, inbuf=0x61900000f680) at /home/alxndr/Development/qemu/qtest.c:710
  #25 0x000055555647e8b4 in qtest_read (opaque=0x555559691d00 <qtest_chr>, 
buf=0x7fffffffc9e0 
"e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305\n-M
 pc-q35-5.0  -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive 
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -nographic 
-nographic\n002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055\360U",
 size=0x1f2) at /home/alxndr/Development/qemu/qtest.c:722
  #26 0x00005555579c260c in qemu_chr_be_write_impl (s=0x60f000001d50, 
buf=0x7fffffffc9e0 
"e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305\n-M
 pc-q35-5.0  -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive 
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -nographic 
-nographic\n002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055\360U",
 len=0x1f2) at /home/alxndr/Development/qemu/chardev/char.c:183
  #27 0x00005555579c275b in qemu_chr_be_write (s=0x60f000001d50, 
buf=0x7fffffffc9e0 
"e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305\n-M
 pc-q35-5.0  -device sdhci-pci,sd-spec-version=3 -device sd-card,drive=mydrive 
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -nographic 
-nographic\n002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055\360U",
 len=0x1f2) at /home/alxndr/Development/qemu/chardev/char.c:195
  #28 0x00005555579cb97a in fd_chr_read (chan=0x6080000026a0, cond=G_IO_IN, 
opaque=0x60f000001d50) at /home/alxndr/Development/qemu/chardev/char-fd.c:68
  #29 0x0000555557a530ea in qio_channel_fd_source_dispatch 
(source=0x60c00002b780, callback=0x5555579cb540 <fd_chr_read>, 
user_data=0x60f000001d50) at /home/alxndr/Development/qemu/io/channel-watch.c:84
  #30 0x00007ffff7ca8898 in g_main_context_dispatch () at 
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
  #31 0x0000555557c10b85 in glib_pollfds_poll () at 
/home/alxndr/Development/qemu/util/main-loop.c:219
  #32 0x0000555557c0f57e in os_host_main_loop_wait (timeout=0x39c63cc8) at 
/home/alxndr/Development/qemu/util/main-loop.c:242
  #33 0x0000555557c0f177 in main_loop_wait (nonblocking=0x0) at 
/home/alxndr/Development/qemu/util/main-loop.c:518
  #34 0x000055555689fd1e in qemu_main_loop () at 
/home/alxndr/Development/qemu/softmmu/vl.c:1664
  #35 0x0000555557a6a29d in main (argc=0x13, argv=0x7fffffffe0e8, 
envp=0x7fffffffe188) at /home/alxndr/Development/qemu/softmmu/main.c:49

  
  I can reproduce this in qemu 5.0 using these qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe1020618 0x14 0x0000d0ff2d05575f215e1b0000000000d0ff2d05
  write 0x27 0x800c 0x08004500feffffff00007b06f
  write 0x1b8006 0x8001 0x2f0
  write 0xe1020023 0x417 
0x0002e10000000006ffcf055e2d1b0002e10000000006ffd1055e2d1b0002e10000000006ffd3055e2d1b0002e10000000006ffd5055e2d1b0002e10000000006ffd7055e2d1b0002e10000000006ffd9055e2d1b0002e10000000006ffdb055e2d1b0002e10000000006ffdd055e2d1b0002e10000000006ffdf055e2d1b0002e10000000006ffe1055e2d1b0002e10000000006ffe3055e2d1b0002e10000000006ffe5055e2d1b0002e10000000006ffe7055e2d1b0002e10000000006ffe9055e2d1b0002e10000000006ffeb055e2d1b0002e10000000006ffed055e2d1b0002e10000000006ffef055e2d1b0002e10000000006fff1055e2d1b0002e10000000006fff3055e2d1b0002e10000000006fff5055e2d1b0002e10000000006fff7055e2d1b0002e10000000006fff9055e2d1b0002e10000000006fffb055e2d1b0002e10000000006fffd055e2d1b0002e10000000006ffff055e2d1b0002e10000000006ff01055e2d1b0002e10000000006ff03055e2d1b0002e10000000006ff05055e2d1b0002e10000000006ff07055e2d1b0002e10000000006ff09055e2d1b0002e10000000006ff0b055e2d1b0002e10000000006ff0d055e2d1b0002e10000000006ff0f055e2d1b0002e10000000006ff11055e2d1b0002e10000000006ff13055e2d1b0002e10000000006ff15055e2d1b0002e10000000006ff17055e2d1b0002e10000000006ff19055e2d1b0002e10000000006ff1b055e2d1b0002e10000000006ff1d055e2d1b0002e10000000006ff1f055e2d1b0002e10000000006ff21055e2d1b0002e10000000006ff23055e2d1b0002e10000000006ff25055e2d1b0002e10000000006ff27055e2d1b0002e10000000006ff29055e2d1b0002e10000000006ff2b055e2d1b0002e10000000006ff2d055e2d1b0002e10000000006ff2f055e2d1b0002e10000000006ff31055e2d1b0002e10000000006ff33055e2d1b0002e10000000006ff35055e2d1b0002e10000000006ff37055e2d1b0002e10000000006ff39055e2d1b0002e10000000006ff3b055e2d1b0002e10000000006ff3d055e2d1b0002e10000000006ff3f055e2d1b0002e10000000006ff41055e2d1b0002e10000000006ff43055e2d1b0002e10000000006ff45055e2d1b0002e10000000006ff47055e2d1b0002e10000000006ff49055e2d1b0002e10000000006ff4b055e2d1b0002e10000000006ff4d055e2d1b0002e10000000006ff4f055e2d1b0002e10000000006ff51055e2d1b0002e10000000006ff53055e2d1b0002e10000000006ff55055e2d1b0002e10000000006ff57055e2d1b0002e10000000006ff59055e2d1b0002e10000000006ff5b055e2d1b0002e10000000006ff5d055e2d1b0002e10000000006ff5f055e2d1b0002e10000000006ff61055e2d1b0002e10000000006ff6305
  EOF

  Also attaching them to this report, in case they are formatted incorrectly:
  ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0 < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878651/+subscriptions

Reply via email to