[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1910941] Re: Assertion `addr < cache->len && 2 <= cache->len - addr
|
From: |
Thomas Huth |
|
Subject: |
[Bug 1910941] Re: Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk |
|
Date: |
Fri, 14 May 2021 18:46:21 -0000 |
This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/301
** Changed in: qemu
Status: New => Expired
** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #301
https://gitlab.com/qemu-project/qemu/-/issues/301
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910941
Title:
Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
Status in QEMU:
Expired
Bug description:
Hello,
Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.
A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.
This was found in version 5.2.0 (master)
```
qemu-system-i386:
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88:
void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t,
MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len -
addr' failed.
[1] 1877 abort (core dumped)
/home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at
../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2 0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u:
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr
< cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c
"/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc",
line=line@entry=0x58, function=function@entry=0x56537b3242ab "void
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs,
MemTxResult *)") at assert.c:92
#3 0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr
< cache->len && 2 <= cache->len - addr", file=0x56537b32425c
"/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc",
line=0x58, function=0x56537b3242ab "void
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs,
MemTxResult *)") at assert.c:101
#4 0x000056537af3c917 in address_space_stw_le_cached (attrs=...,
result=<optimized out>, cache=<optimized out>, addr=<optimized out>,
val=<optimized out>) at
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5 0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>,
addr=<optimized out>, val=<optimized out>) at
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6 0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>,
cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7 0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0)
at ../hw/virtio/virtio.c:429
#8 0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized
out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9 0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>,
enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0,
vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at
../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized
out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0,
node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at
../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at
../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2,
callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at
../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at
../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15,
argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at
../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>,
argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()
```
To reproduce this issue, please run the QEMU with the following
command line.
```
# To reproduce this issue, please run the QEMU process with the
following command line.
$ qemu-system-i386 -m 512 -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0
```
Please let me know if I can provide any further info.
Thank you.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910941/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1910941] Re: Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk,
Thomas Huth <=