[Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
https://gitlab.com/qemu-project/qemu/-/commit/5311fb805a4403bba ** Changed in: qemu Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1910826 Title: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Status in QEMU: Fix Released Bug description: === Reproducer === cat << EOF | ../build/qemu-system-i386 -machine q35 \ -nodefaults -device rtl8139,netdev=net0 \ -netdev user,id=net0 -display none -qtest stdio outl 0xcf8 0x8804 outb 0xcfc 0x26 outl 0xcf8 0x8817 outb 0xcfc 0xff write 0x1 0x1 0x42 write 0x5 0x1 0x42 write 0x9 0x1 0x42 write 0xd 0x1 0x42 write 0xff44 0x4 0x11 write 0xff37 0x1 0x1c writel 0xff30 0xff00 write 0xff40 0x4 0x16 write 0xff10 0x4 0x01020 EOF === Stack Trace === ==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0) #0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815 #1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #9 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #10 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 #19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5 #20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #28 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #29 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 Repeat until we run out of stack https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
[Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
OSS-Fuzz says this issue has been fixed. ** Changed in: qemu Status: New => Fix Committed -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1910826 Title: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Status in QEMU: Fix Committed Bug description: === Reproducer === cat << EOF | ../build/qemu-system-i386 -machine q35 \ -nodefaults -device rtl8139,netdev=net0 \ -netdev user,id=net0 -display none -qtest stdio outl 0xcf8 0x8804 outb 0xcfc 0x26 outl 0xcf8 0x8817 outb 0xcfc 0xff write 0x1 0x1 0x42 write 0x5 0x1 0x42 write 0x9 0x1 0x42 write 0xd 0x1 0x42 write 0xff44 0x4 0x11 write 0xff37 0x1 0x1c writel 0xff30 0xff00 write 0xff40 0x4 0x16 write 0xff10 0x4 0x01020 EOF === Stack Trace === ==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0) #0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815 #1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #9 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #10 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 #19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5 #20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #28 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #29 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 Repeat until we run out of stack https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
[Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
** Tags added: fuzzer -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1910826 Title: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Status in QEMU: New Bug description: === Reproducer === cat << EOF | ../build/qemu-system-i386 -machine q35 \ -nodefaults -device rtl8139,netdev=net0 \ -netdev user,id=net0 -display none -qtest stdio outl 0xcf8 0x8804 outb 0xcfc 0x26 outl 0xcf8 0x8817 outb 0xcfc 0xff write 0x1 0x1 0x42 write 0x5 0x1 0x42 write 0x9 0x1 0x42 write 0xd 0x1 0x42 write 0xff44 0x4 0x11 write 0xff37 0x1 0x1c writel 0xff30 0xff00 write 0xff40 0x4 0x16 write 0xff10 0x4 0x01020 EOF === Stack Trace === ==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0) #0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815 #1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #9 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #10 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 #19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5 #20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #28 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #29 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 Repeat until we run out of stack https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
[Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one
A more concise version and corresponding notes. Might help :) -- [ Reproducer cat << EOF | ../build/qemu-system-i386 -machine q35 \ -nodefaults -device rtl8139,netdev=net0 \ -netdev user,id=net0 -display none -qtest stdio outl 0xcf8 0x8804 outb 0xcfc 0x06 outl 0xcf8 0x8817 outb 0xcfc 0xff write 0xff37 0x1 0x0c writel 0xff30 0xff10 write 0xff40 0x4 0x16 write 0xff44 0x4 0x01 write 0xff10 0x4 0x01 EOF -- [ Notes /* Make the MMIO region start from 0xff00 */ outl 0xcf8 0x8817 outb 0xcfc 0xff /*Command Register: enable receiver and transmitter*/ write 0xff37 0x1 0x0c /* set Receive (Rx) Buffer Start Address at 0xff10 */ /* Note: 0xff10 - 0xff00 = 0x10 is the offset of TSD0*/ writel 0xff30 0xff10 /* TXRR, Tx Retry Count = 1 */ /* set transmit mode into the loopback */ write 0xff40 0x4 0x16 /* Receive Configuration Register: Accept All Packets */ write 0xff44 0x4 0x01 /* TSD0: set Descriptor Size to 1 and trigger a tranfer*/ write 0xff10 0x4 0x01 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1910826 Title: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one Status in QEMU: New Bug description: === Reproducer === cat << EOF | ../build/qemu-system-i386 -machine q35 \ -nodefaults -device rtl8139,netdev=net0 \ -netdev user,id=net0 -display none -qtest stdio outl 0xcf8 0x8804 outb 0xcfc 0x26 outl 0xcf8 0x8817 outb 0xcfc 0xff write 0x1 0x1 0x42 write 0x5 0x1 0x42 write 0x9 0x1 0x42 write 0xd 0x1 0x42 write 0xff44 0x4 0x11 write 0xff37 0x1 0x1c writel 0xff30 0xff00 write 0xff40 0x4 0x16 write 0xff10 0x4 0x01020 EOF === Stack Trace === ==2819215==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd2c714040 (pc 0x5639b3a933d9 bp 0x7ffd2c716210 sp 0x7ffd2c714040 T0) #0 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1815 #1 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #2 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #3 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #4 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #5 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #6 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #7 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #8 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #9 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #10 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #11 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #12 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #13 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #14 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #15 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #16 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #17 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #18 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 #19 rtl8139_transmit_one /src/qemu/hw/net/rtl8139.c:1845:5 #20 rtl8139_transmit /src/qemu/hw/net/rtl8139.c:2388:9 #21 rtl8139_TxStatus_write /src/qemu/hw/net/rtl8139.c:2442:5 #22 rtl8139_io_writel /src/qemu/hw/net/rtl8139.c:2865:13 #23 rtl8139_ioport_write /src/qemu/hw/net/rtl8139.c:3290:9 #24 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #25 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #26 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #27 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #28 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #29 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #30 address_space_rw /src/qemu/softmmu/physmem.c:2901:16 #31 dma_memory_rw_relaxed /src/qemu/include/sysemu/dma.h:88:12 #32 dma_memory_rw /src/qemu/include/sysemu/dma.h:127:12 #33 pci_dma_rw /src/qemu/include/hw/pci/pci.h:801:12 #34 pci_dma_write /src/qemu/include/hw/pci/pci.h:837:12 #35 rtl8139_write_buffer /src/qemu/hw/net/rtl8139.c:778:5 #36 rtl8139_do_receive /src/qemu/hw/net/rtl8139.c:1172:9 #37 rtl8139_transfer_frame /src/qemu/hw/net/rtl8139.c:1798:9 Repeat until we run out of stack https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1910826/+subscriptions
