According to some automatic bisecting, it seems like this was fixed by
this commit here:

 commit c2cb511634012344e3d0fe49a037a33b12d8a98a
 hw/net/e1000e: advance desc_offset in case of null descriptor


** Changed in: qemu
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879227

Title:
  Assertion failure in e1000e_write_lgcy_rx_descr

Status in QEMU:
  Fix Released

Bug description:
  Hello,
  While fuzzing, I found an input which triggers an assertion failure in
  e1000e_write_lgcy_rx_descr:

  qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1283: 
void e1000e_write_lgcy_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, 
const E1000E_RSSInfo *, uint16_t): Assertion `!rss_info->enabled' failed.
  Aborted
  #3  0x00007ffff684d092 in __GI___assert_fail (assertion=0x5555583704c0 <str> 
"!rss_info->enabled", file=0x555558361080 <str> 
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x503, 
function=0x555558370500 <__PRETTY_FUNCTION__.e1000e_write_lgcy_rx_descr> "void 
e1000e_write_lgcy_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const 
E1000E_RSSInfo *, uint16_t)") at assert.c:101
  #4  0x0000555557209937 in e1000e_write_lgcy_rx_descr (core=0x7fffee0dd4e0, 
desc=0x7fffffff8720 "}}}}}}\253?", pkt=0x61100004b900, rss_info=0x7fffffff8c50, 
length=0xcb) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1283
  #5  0x0000555557206b0b in e1000e_write_rx_descr (core=0x7fffee0dd4e0, 
desc=0x7fffffff8720 "}}}}}}\253?", pkt=0x61100004b900, rss_info=0x7fffffff8c50, 
ps_hdr_len=0x0, written=0x7fffffff87c0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1360
  #6  0x00005555571f8507 in e1000e_write_packet_to_guest (core=0x7fffee0dd4e0, 
pkt=0x61100004b900, rxr=0x7fffffff8c30, rss_info=0x7fffffff8c50) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1607
  #7  0x00005555571f5670 in e1000e_receive_iov (core=0x7fffee0dd4e0, 
iov=0x61900004e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709
  #8  0x00005555571f1afc in e1000e_nc_receive_iov (nc=0x614000007460, 
iov=0x61900004e780, iovcnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:213
  #9  0x00005555571d5977 in net_tx_pkt_sendv (pkt=0x631000028800, 
nc=0x614000007460, iov=0x61900004e780, iov_cnt=0x4) at 
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544
  #10 0x00005555571d50e4 in net_tx_pkt_send (pkt=0x631000028800, 
nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620
  #11 0x00005555571d638f in net_tx_pkt_send_loopback (pkt=0x631000028800, 
nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633
  #12 0x000055555722b600 in e1000e_tx_pkt_send (core=0x7fffee0dd4e0, 
tx=0x7fffee0fd748, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:664
  #13 0x0000555557229ca6 in e1000e_process_tx_desc (core=0x7fffee0dd4e0, 
tx=0x7fffee0fd748, dp=0x7fffffff9440, queue_index=0x0) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #14 0x0000555557228ea5 in e1000e_start_xmit (core=0x7fffee0dd4e0, 
txr=0x7fffffff9640) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #15 0x000055555721c70f in e1000e_set_tdt (core=0x7fffee0dd4e0, index=0xe06, 
val=0xcb) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #16 0x00005555571fa436 in e1000e_core_write (core=0x7fffee0dd4e0, addr=0x438, 
val=0xcb, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #17 0x00005555571ed11c in e1000e_mmio_write (opaque=0x7fffee0da800, 
addr=0x438, val=0xcb, size=0x4) at 
/home/alxndr/Development/qemu/hw/net/e1000e.c:109
  #18 0x00005555565e78b2 in memory_region_write_accessor (mr=0x7fffee0dd110, 
addr=0x438, value=0x7fffffff9cb0, size=0x4, shift=0x0, mask=0xffffffff, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #19 0x00005555565e7212 in access_with_adjusted_size (addr=0x438, 
value=0x7fffffff9cb0, size=0x1, access_size_min=0x4, access_size_max=0x4, 
access_fn=0x5555565e72e0 <memory_region_write_accessor>, mr=0x7fffee0dd110, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #20 0x00005555565e5c31 in memory_region_dispatch_write (mr=0x7fffee0dd110, 
addr=0x438, data=0xcb, op=MO_8, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:1476
  #21 0x00005555563f04b9 in flatview_write_continue (fv=0x606000037880, 
addr=0xe1020438, attrs=..., ptr=0x61900009ba80, len=0x1, addr1=0x438, l=0x1, 
mr=0x7fffee0dd110) at /home/alxndr/Development/qemu/exec.c:3137
  #22 0x00005555563df2dd in flatview_write (fv=0x606000037880, addr=0xe10200a8, 
attrs=..., buf=0x61900009ba80, len=0x391) at 
/home/alxndr/Development/qemu/exec.c:3177

  
  I can reproduce this in qemu 5.0  using these qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe1025008 0x4 0xfbffa3fa
  write 0xed040c 0x3 0x080047
  write 0xe1020077 0x3c2 0xce0004ed0000000000cb008405120002e100000000ff000801ffff02ce0004ed0000000000cb008405120002e100000000ff000a01ffff02ce0004ed0000000000cb008405120002e100000000ff000c01ffff02ce0004ed0000000000cb008405120002e100000000ff000e01ffff02ce0004ed0000000000cb008405120002e100000000ff001001ffff02ce0004ed0000000000cb008405120002e100000000ff001201ffff02ce0004ed0000000000cb008405120002e100000000ff001401ffff02ce0004ed0000000000cb008405120002e100000000ff001601ffff02ce0004ed0000000000cb008405120002e100000000ff001801ffff02ce0004ed0000000000cb008405120002e100000000ff001a01ffff02ce0004ed0000000000cb008405120002e100000000ff001c01ffff02ce0004ed0000000000cb008405120002e100000000ff001e01ffff02ce0004ed0000000000cb008405120002e100000000ff002001ffff02ce0004ed0000000000cb008405120002e100000000ff002201ffff02ce0004ed0000000000cb008405120002e100000000ff002401ffff02ce0004ed0000000000cb008405120002e100000000ff002601ffff02ce0004ed0000000000cb008405120002e100000000ff002801ffff02ce0004ed0000000000cb008405120002e100000000ff002a01ffff02ce0004ed0000000000cb008405120002e100000000ff002c01ffff02ce0004ed0000000000cb008405120002e100000000ff002e01ffff02ce0004ed0000000000cb008405120002e100000000ff003001ffff02ce0004ed0000000000cb008405120002e100000000ff003201ffff02ce0004ed0000000000cb008405120002e100000000ff003401ffff02ce0004ed0000000000cb008405120002e100000000ff003601ffff02ce0004ed0000000000cb008405120002e100000000ff003801ffff02ce0004ed0000000000cb008405120002e100000000ff003a01ffff02ce0004ed0000000000cb008405120002e100000000ff003c01ffff02ce0004ed0000000000cb008405120002e100000000ff003e01ffff02ce0004ed0000000000cb008405120002e100000000ff004001ffff02ce0004ed0000000000cb008405120002e100000000ff004201ffff02ce0004ed0000000000cb008405120002e100000000ff004401ffff02ce0004ed0000000000cb008405120002e100000000ff004601ffff02ce0004ed0000000000cb008405120002e100000000ff004801ffff02ce0004ed0000000000cb008405120002e100000000ff004a01ffff02ce0004ed0000000000cb
  EOF

  Also attaching them to this report, in case they are formatted incorrectly:
  ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0 < attachment

  Please let me know if I can provide any further info.
  -Alex
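The reporter's worry that the qtest lines may arrive "formatted incorrectly" is a real one: a mail client that wraps the long `write` line silently changes the reproducer. The checker below is an added example (not part of the bug report, of QEMU, or of qtest itself) that parses the small command subset such reproducers use (`outb`/`outw`/`outl` and `write`) and verifies that every `write` carries exactly as many payload bytes as its declared size. The sample input is constructed: its first five lines are taken from the report above, and the last line deliberately truncates the 0x3c2-byte payload to mimic a wrapped line.

```python
"""Sanity-check a qtest reproducer before replaying it into a VM.

Added example; not code from the bug report or from QEMU. Assumption: only
outb/outw/outl and write appear in the reproducers under discussion.
"""
import re

# Width in bytes of each port-I/O command.
PORT_WIDTH = {"outb": 1, "outw": 2, "outl": 4}


def parse_qtest_line(line):
    """Return a dict describing one qtest command, None for a blank line,
    or raise ValueError if the line is malformed."""
    parts = line.split()
    if not parts:
        return None
    cmd = parts[0]
    if cmd in PORT_WIDTH:
        if len(parts) != 3:
            raise ValueError(f"{cmd}: expected port and value, got {line!r}")
        port, value = int(parts[1], 0), int(parts[2], 0)
        width = PORT_WIDTH[cmd]
        if value >= 1 << (8 * width):
            raise ValueError(f"{cmd}: value {value:#x} does not fit in {width} bytes")
        return {"cmd": cmd, "port": port, "value": value, "width": width}
    if cmd == "write":
        if len(parts) != 4:
            raise ValueError(f"write: expected addr, size and data, got {line!r}")
        addr, size = int(parts[1], 0), int(parts[2], 0)
        data = parts[3]
        if not data.startswith("0x") or not re.fullmatch(r"[0-9a-fA-F]*", data[2:]):
            raise ValueError(f"write: data must be a 0x-prefixed hex string: {data!r}")
        ndigits = len(data) - 2
        # The declared size must match the payload exactly; a wrapped line
        # shows up here as a payload that is far too short.
        if ndigits % 2 or ndigits // 2 != size:
            raise ValueError(
                f"write at {addr:#x}: declared size {size:#x} but payload has "
                f"{ndigits} hex digits ({ndigits / 2:g} bytes); line wrapped?")
        return {"cmd": cmd, "addr": addr, "size": size, "data": bytes.fromhex(data[2:])}
    raise ValueError(f"unsupported qtest command: {cmd!r}")


def check_reproducer(text):
    """Parse every line of a reproducer.

    Returns (commands, errors); each error is (line number, message)."""
    commands, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_qtest_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if parsed is not None:
            commands.append(parsed)
    return commands, errors


# Constructed sample: lines 1-5 are from the report, line 6 truncates the
# 0x3c2-byte payload the way a wrapping mail client would.
SAMPLE = """\
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outw 0xcfc 0x7
write 0xe1025008 0x4 0xfbffa3fa
write 0xed040c 0x3 0x080047
write 0xe1020077 0x3c2 0xce0004ed0000000000cb
"""

if __name__ == "__main__":
    cmds, errs = check_reproducer(SAMPLE)
    print(f"{len(cmds)} command(s) parsed, {len(errs)} problem(s)")
    for lineno, msg in errs:
        print(f"  line {lineno}: {msg}")
```

Run it over a reproducer before feeding the file to `-qtest stdio`; an empty error list means every `write` is intact and every port value fits its width, so a non-reproducing run can be attributed to the build rather than to a mangled input.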

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879227/+subscriptions
