[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1880539] [NEW] I/O write make QXL abort in qxl_set_mode()
From: |
Philippe Mathieu-Daudé |
Subject: |
[Bug 1880539] [NEW] I/O write make QXL abort in qxl_set_mode() |
Date: |
Mon, 25 May 2020 09:29:19 -0000 |
Public bug reported:
libFuzzer found:
qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff >
0x3ffffff
qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *,
unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0'
failed.
==8134== ERROR: libFuzzer: deadly signal
#0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace (qemu-fuzz-i386+0xcb13f0)
#1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
#2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback()
(qemu-fuzz-i386+0xba0c6f)
#3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback()
(qemu-fuzz-i386+0xba0cc3)
#4 0x7fd640644c6f (/lib64/libpthread.so.0+0x12c6f)
#5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
#6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
#7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
#8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
#10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
#11 0x55fddff170a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7)
#12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
#13 0x55fddff157b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4)
Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).
Command line: 'qemu-system-i386 -display none -M pc -vga qxl'
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880539
Title:
I/O write make QXL abort in qxl_set_mode()
Status in QEMU:
New
Bug description:
libFuzzer found:
qxl-0: guest bug: qxl_add_memslot: guest_start > guest_end 0xffffffffffffffff
> 0x3ffffff
qemu-fuzz-i386: hw/display/qxl.c:1611: void qxl_set_mode(PCIQXLDevice *,
unsigned int, int): Assertion `qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0'
failed.
==8134== ERROR: libFuzzer: deadly signal
#0 0x55fddfcfb3f0 in __sanitizer_print_stack_trace
(qemu-fuzz-i386+0xcb13f0)
#1 0x55fddfc0a3e1 in fuzzer::PrintStackTrace() (qemu-fuzz-i386+0xbc03e1)
#2 0x55fddfbeac6f in fuzzer::Fuzzer::CrashCallback()
(qemu-fuzz-i386+0xba0c6f)
#3 0x55fddfbeacc3 in fuzzer::Fuzzer::StaticCrashSignalCallback()
(qemu-fuzz-i386+0xba0cc3)
#4 0x7fd640644c6f (/lib64/libpthread.so.0+0x12c6f)
#5 0x7fd640483e34 in __GI_raise (/lib64/libc.so.6+0x37e34)
#6 0x7fd64046e894 in __GI_abort (/lib64/libc.so.6+0x22894)
#7 0x7fd64046e768 in __assert_fail_base.cold (/lib64/libc.so.6+0x22768)
#8 0x7fd64047c565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x55fde08afd8b in qxl_set_mode (qemu-fuzz-i386+0x1865d8b)
#10 0x55fde08b9602 in ioport_write (qemu-fuzz-i386+0x186f602)
#11 0x55fddff170a7 in memory_region_write_accessor
(qemu-fuzz-i386+0xecd0a7)
#12 0x55fddff16c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13)
#13 0x55fddff157b4 in memory_region_dispatch_write
(qemu-fuzz-i386+0xecb7b4)
Can be reproduce doing "writeb 0x06 0x23" on QXL I/O (PCI BAR #3).
Command line: 'qemu-system-i386 -display none -M pc -vga qxl'
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880539/+subscriptions
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1880539] [NEW] I/O write make QXL abort in qxl_set_mode(),
Philippe Mathieu-Daudé <=