[Bug 1908515] Re: assertion failure in lsi53c810 emulator

2021-05-14 Thread Thomas Huth
This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/305


** Changed in: qemu
   Status: New => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #305
   https://gitlab.com/qemu-project/qemu/-/issues/305

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1908515

Title:
  assertion failure in lsi53c810 emulator

Status in QEMU:
  Expired


[Bug 1908515] Re: assertion failure in lsi53c810 emulator

2021-01-15 Thread Peter Maydell
** Tags added: fuzzer


Title:
  assertion failure in lsi53c810 emulator

Status in QEMU:
  New

Bug description:
  Hello,

  Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
  lsi53c810 emulator.

  A malicious guest user/process could use this flaw to abort the QEMU
  process on the host, resulting in a denial of service.

  This was found in version 5.2.0 (master)

  
  qemu-system-i386: ../hw/scsi/lsi53c895a.c:624: void lsi_do_dma(LSIState *, int): Assertion `s->current' failed.
  [1]1406 abort (core dumped)  /home/cwmyung/prj/hyfuzz/src/qemu-5.2/build/i386-softmmu/qemu-system-i386 -m

  Program terminated with signal SIGABRT, Aborted.
  #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
  51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  [Current thread is 1 (Thread 0x7fa9310a8700 (LWP 2076))]
  gdb-peda$ bt
  #0  0x7fa94aa98f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x7fa94aa9a8b1 in __GI_abort () at abort.c:79
  #2  0x7fa94aa8a42a in __assert_fail_base (fmt=0x7fa94ac11a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x562851c9eab9 "s->current", file=file@entry=0x562851c9d4f9 "../hw/scsi/lsi53c895a.c", line=line@entry=0x270, function=function@entry=0x562851c9de43 "void lsi_do_dma(LSIState *, int)") at assert.c:92
  #3  0x7fa94aa8a4a2 in __GI___assert_fail (assertion=0x562851c9eab9 "s->current", file=0x562851c9d4f9 "../hw/scsi/lsi53c895a.c", line=0x270, function=0x562851c9de43 "void lsi_do_dma(LSIState *, int)") at assert.c:101
  #4  0x5628515d9605 in lsi_do_dma (s=0x56289060, out=0x1) at ../hw/scsi/lsi53c895a.c:624
  #5  0x5628515d5317 in lsi_execute_script (s=<optimized out>) at ../hw/scsi/lsi53c895a.c:1250
  #6  0x5628515cec49 in lsi_reg_writeb (s=0x56289060, offset=0x2f, val=0x1e) at ../hw/scsi/lsi53c895a.c:2005
  #7  0x562851952798 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at ../softmmu/memory.c:491
  #8  0x56285195258e in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=<optimized out>, attrs=...) at ../softmmu/memory.c:552
  #9  0x56285195258e in memory_region_dispatch_write (mr=0x56289960, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1501
  #10 0x5628518e5305 in flatview_write_continue (fv=0x7fa92871f040, addr=0xfebf302c, attrs=..., ptr=0x7fa9310a49b8, len=0x4, addr1=0x7fa9310a3410, l=<optimized out>, mr=0x56289960) at ../softmmu/physmem.c:2759
  #11 0x5628518e6ef6 in flatview_write (fv=0x7fa92871f040, addr=0xfebf302c, attrs=..., len=0x4, buf=<optimized out>) at ../softmmu/physmem.c:2799
  #12 0x5628518e6ef6 in subpage_write (opaque=<optimized out>, addr=<optimized out>, value=<optimized out>, len=<optimized out>, attrs=...) at ../softmmu/physmem.c:2465
  #13 0x5628519529a2 in memory_region_write_with_attrs_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at ../softmmu/memory.c:511
  #14 0x5628519525e1 in access_with_adjusted_size (addr=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, mr=<optimized out>, attrs=..., value=<optimized out>, access_fn=<optimized out>) at ../softmmu/memory.c:552
  #15 0x5628519525e1 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1508
  #16 0x562851a49228 in io_writex (iotlbentry=<optimized out>, mmu_idx=<optimized out>, val=<optimized out>, addr=<optimized out>, retaddr=<optimized out>, op=<optimized out>, env=<optimized out>) at ../accel/tcg/cputlb.c:1378
  #17 0x562851a49228 in store_helper (env=<optimized out>, addr=<optimized out>, val=<optimized out>, oi=<optimized out>, retaddr=<optimized out>, op=MO_32) at ../accel/tcg/cputlb.c:2397
  #18 0x562851a49228 in helper_le_stl_mmu (env=<optimized out>, addr=<optimized out>, val=0x2, oi=<optimized out>, retaddr=0x7fa8e44032ee) at ../accel/tcg/cputlb.c:2463
  #19 0x7fa8e44032ee in code_gen_buffer ()
  #20 0x56285191ada0 in cpu_tb_exec (cpu=0x5628547b81a0, itb=<optimized out>) at ../accel/tcg/cpu-exec.c:178
  #21 0x56285191b9eb in cpu_loop_exec_tb (tb=<optimized out>, cpu=<optimized out>, last_tb=<optimized out>, tb_exit=<optimized out>) at ../accel/tcg/cpu-exec.c:658
  #22 0x56285191b9eb in cpu_exec (cpu=0x5628547b81a0) at ../accel/tcg/cpu-exec.c:771
  #23 0x56285194ab9f in tcg_cpu_exec (cpu=<optimized out>) at ../accel/tcg/tcg-cpus.c:243
  #24 0x56285194ab9f in tcg_cpu_thread_fn (arg=0x5628547b81a0) at ../accel/tcg/tcg-cpus.c:427
  #25 0x562851c22775 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:521
  #26 0x7fa94ae526db in start_thread (arg=0x7fa9310a8700) at pthread_create.c:463
  #27 0x7fa94ab7ba3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

  To reproduce this issue, please run QEMU with the following command
  line.

  # To enable the ASan option, please set configuration with the following command
  $ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
  $ make

  # To reproduce this issue, please run the QEMU process with the following command line.
  $ ./qemu-system-i386 -
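The crash path in the report is a guest MMIO write (lsi_reg_writeb, offset 0x2f) that starts the SCRIPTS engine, which calls lsi_do_dma while no SCSI request is current, and lsi_do_dma checks that precondition with assert(). Because the guest chooses when to start the script, the assert() turns a guest-controlled state into an abort of the whole QEMU process. The following C program is an added example written for this page, not QEMU code and not the fix that landed upstream (see the gitlab issue for that): it models the same shape with invented names (struct dev, reg_writeb, do_dma_unsafe, do_dma_hardened, REG_DSP_BYTE3), records the would-be abort instead of taking it so the two variants can be compared, and shows the hardened handler treating "no current request" as a guest-reachable state rather than an invariant.

```c
/*
 * Added example, not QEMU code: a miniature model of the bug class in this
 * report. A guest MMIO write starts a script engine, the engine tries to DMA,
 * and the DMA routine assert()s that a SCSI request is current. The guest,
 * not the emulator, decides when to start the script, so that assert() is a
 * guest-triggerable abort of the whole VMM. All names are invented.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct request {              /* constructed: the in-flight SCSI request */
    uint32_t dma_len;
};

struct dev {
    struct request *current;  /* NULL while no command is in flight */
    uint32_t dsp;             /* script pointer; a write to its top byte runs the script */
    int would_abort;          /* assert() failures the unsafe path would have hit */
    uint32_t dma_bytes;       /* bytes moved by the DMA model */
};

#define REG_DSP_BYTE3 0x2f    /* the register offset seen in the backtrace */

/* Unsafe variant, shaped like the code in the report: the precondition is an
 * assert(). The abort() is recorded rather than taken so a test can observe it. */
static int do_dma_unsafe(struct dev *s)
{
    if (s->current == NULL) { /* assert(s->current) would abort() here */
        s->would_abort++;
        return -1;
    }
    s->dma_bytes += s->current->dma_len;
    return 0;
}

/* Hardened variant: "no current request" is a guest-reachable state, so it is
 * handled like "request has no data yet": the script parks and nothing aborts. */
static int do_dma_hardened(struct dev *s)
{
    if (s->current == NULL || s->current->dma_len == 0) {
        return 1;             /* nothing to move; wait for data */
    }
    s->dma_bytes += s->current->dma_len;
    return 0;
}

/* MMIO byte write. Writing the top byte of DSP runs the script, which in this
 * model is one DMA instruction (lsi_reg_writeb -> lsi_execute_script ->
 * lsi_do_dma in the trace). Other registers are not modelled. */
static int reg_writeb(struct dev *s, unsigned offset, uint8_t val,
                      int (*dma)(struct dev *))
{
    if (offset == REG_DSP_BYTE3) {
        s->dsp = (s->dsp & 0x00ffffffu) | ((uint32_t)val << 24);
        return dma(s);
    }
    return 0;
}

/* The guest behaviour from the report: start the script with whatever request
 * state the device happens to be in (NULL = no SCSI command issued yet). */
static int run_kick(int hardened, struct dev *s, struct request *req)
{
    memset(s, 0, sizeof *s);
    s->current = req;
    return reg_writeb(s, REG_DSP_BYTE3, 0x1e,
                      hardened ? do_dma_hardened : do_dma_unsafe);
}

int kick_rc(int hardened)         /* DMA routine's return code, no request queued */
{
    struct dev s;
    return run_kick(hardened, &s, NULL);
}

int kick_aborts(int hardened)     /* would-be aborts, no request queued */
{
    struct dev s;
    run_kick(hardened, &s, NULL);
    return s.would_abort;
}

uint32_t kick_bytes_with_request(int hardened) /* sanity: data moves when queued */
{
    struct request req = { .dma_len = 512 };
    struct dev s;
    run_kick(hardened, &s, &req);
    return s.dma_bytes;
}

int main(void)
{
    printf("unsafe:   rc=%d, would have aborted %d time(s)\n",
           kick_rc(0), kick_aborts(0));
    printf("hardened: rc=%d, would have aborted %d time(s)\n",
           kick_rc(1), kick_aborts(1));
    return 0;
}
```

The general rule the model illustrates: in a device emulator, assert() is only appropriate for invariants the emulator itself maintains; any condition a guest can reach through register writes, DMA descriptors or timing must be handled as an error path (ignore, set an error status bit, or park the engine), because an abort() there is a guest-to-host denial of service with the same reach as this report.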