Re: Assertion failure through vring_split_desc

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Assertion failure through vring_split_desc_read

From:	Alexander Bulekov
Subject:	Re: Assertion failure through vring_split_desc_read
Date:	Thu, 14 May 2020 09:50:07 -0400
User-agent:	NeoMutt/20180716

On 200514 1012, Philippe Mathieu-Daudé wrote:
> On 5/14/20 1:24 AM, John Snow wrote:
> > 
> > 
> > On 5/10/20 11:51 PM, Alexander Bulekov wrote:
> > > Hello,
> > > While fuzzing, I found an input that triggers an assertion failure
> > > through virtio-rng -> vring_split_desc_read. Maybe this is related to:
> > > Message-ID: <address@hidden>
> > > Assertion failure through virtio_lduw_phys_cached
> > > 
> > > #8 0x7fe6a9acf091 in __assert_fail 
> > > /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
> > > #9 0x564cbe7d96fd in address_space_read_cached 
> > > include/exec/memory.h:2423:5
> > > #10 0x564cbe7e79c5 in vring_split_desc_read hw/virtio/virtio.c:236:5
> > > #11 0x564cbe7e84ce in virtqueue_split_read_next_desc 
> > > hw/virtio/virtio.c:929:5
> > > #12 0x564cbe78f86b in virtqueue_split_get_avail_bytes 
> > > hw/virtio/virtio.c:1009:18
> > > #13 0x564cbe78ab22 in virtqueue_get_avail_bytes hw/virtio/virtio.c:1208:9
> > > #14 0x564cc08aade1 in get_request_size hw/virtio/virtio-rng.c:40:5
> > > #15 0x564cc08aa20b in virtio_rng_process hw/virtio/virtio-rng.c:115:12
> > > #16 0x564cc08a8c48 in virtio_rng_set_status hw/virtio/virtio-rng.c:172:5
> > > #17 0x564cbe7a50be in virtio_set_status hw/virtio/virtio.c:1876:9
> > > #18 0x564cc08d1b8f in virtio_pci_common_write 
> > > hw/virtio/virtio-pci.c:1245:9
> > > 
> > > I can reproduce it in a qemu 5.0 build using these qtest commands:
> > > https://paste.debian.net/plain/1146089
> > > (not including them here, as some are quite long)
> > > 
> > > wget https://paste.debian.net/plain/1146089 -O qtest-trace; 
> > > ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0  
> > > -device virtio-rng-pci,addr=04.0 -display none -nodefaults -nographic 
> > > -qtest stdio < qtest-trace
> > > 
> > > Please let me know if I can provide any further info.
> > > -Alex
> > > 
> > 
> > Do you have a writeup somewhere of how you are approaching fuzzing and
> > how you've found this pile of bugs so far?
> 
> There is docs/devel/fuzzing.txt:
> 
> https://git.qemu.org/?p=qemu.git;a=blob;f=docs/devel/fuzzing.txt;hb=v5.0.0
> 
> > 
> > Might make for a good blog post.

I am working on a patchset for the particular fuzzer I used to find
these bugs. With that, I'll also update docs/devel/fuzzing.txt.

> 
> Good idea!

Yes I agree :)

> 
> > 
> > --js
> > 
> > 
>

[Prev in Thread]

Current Thread

[Next in Thread]

Assertion failure through vring_split_desc_read, Alexander Bulekov, 2020/05/10
- Re: Assertion failure through vring_split_desc_read, Laurent Vivier, 2020/05/12
  - Re: Assertion failure through vring_split_desc_read, Laurent Vivier, 2020/05/12
- Re: Assertion failure through vring_split_desc_read, John Snow, 2020/05/13
  - Re: Assertion failure through vring_split_desc_read, Philippe Mathieu-Daudé, 2020/05/14
    - Re: Assertion failure through vring_split_desc_read, Alexander Bulekov <=
    - Re: Assertion failure through vring_split_desc_read, John Snow, 2020/05/14

Prev by Date: Re: [PATCH V2 3/4] target/microblaze: gdb: Fix incorrect SReg reporting
Next by Date: Re: [PATCH V2 4/4] target/microblaze: monitor: Increase the number of registers reported
Previous by thread: Re: Assertion failure through vring_split_desc_read
Next by thread: Re: Assertion failure through vring_split_desc_read
Index(es):
- Date
- Thread