qemu-devel

[Bug 1908515] [NEW] assertion failure in lsi53c810 emulator


From: Cheol-Woo,Myung
Subject: [Bug 1908515] [NEW] assertion failure in lsi53c810 emulator
Date: Thu, 17 Dec 2020 10:54:29 -0000

Public bug reported:

Hello,

Using the hypervisor fuzzer hyfuzz, I found an assertion failure in the
lsi53c810 emulator.

A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master).


qemu-system-i386: ../hw/scsi/lsi53c895a.c:624: void lsi_do_dma(LSIState *, int): Assertion `s->current' failed.
[1]    1406 abort (core dumped)  /home/cwmyung/prj/hyfuzz/src/qemu-5.2/build/i386-softmmu/qemu-system-i386 -m

Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7fa9310a8700 (LWP 2076))]
gdb-peda$ bt
#0  0x00007fa94aa98f47 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fa94aa9a8b1 in __GI_abort () at abort.c:79
#2  0x00007fa94aa8a42a in __assert_fail_base (fmt=0x7fa94ac11a38 "%s%s%s:%u: %s%sAssertion `%s' failed.\\n%n", assertion=assertion@entry=0x562851c9eab9 "s->current", file=file@entry=0x562851c9d4f9 "../hw/scsi/lsi53c895a.c", line=line@entry=0x270, function=function@entry=0x562851c9de43 "void lsi_do_dma(LSIState *, int)") at assert.c:92
#3  0x00007fa94aa8a4a2 in __GI___assert_fail (assertion=0x562851c9eab9 "s->current", file=0x562851c9d4f9 "../hw/scsi/lsi53c895a.c", line=0x270, function=0x562851c9de43 "void lsi_do_dma(LSIState *, int)") at assert.c:101
#4  0x00005628515d9605 in lsi_do_dma (s=0x562855559060, out=0x1) at ../hw/scsi/lsi53c895a.c:624
#5  0x00005628515d5317 in lsi_execute_script (s=<optimized out>) at ../hw/scsi/lsi53c895a.c:1250
#6  0x00005628515cec49 in lsi_reg_writeb (s=0x562855559060, offset=0x2f, val=0x1e) at ../hw/scsi/lsi53c895a.c:2005
#7  0x0000562851952798 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at ../softmmu/memory.c:491
#8  0x000056285195258e in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=<optimized out>, attrs=...) at ../softmmu/memory.c:552
#9  0x000056285195258e in memory_region_dispatch_write (mr=0x562855559960, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1501
#10 0x00005628518e5305 in flatview_write_continue (fv=0x7fa92871f040, addr=0xfebf302c, attrs=..., ptr=0x7fa9310a49b8, len=0x4, addr1=0x7fa9310a3410, l=<optimized out>, mr=0x562855559960) at ../softmmu/physmem.c:2759
#11 0x00005628518e6ef6 in flatview_write (fv=0x7fa92871f040, addr=0xfebf302c, attrs=..., len=0x4, buf=<optimized out>) at ../softmmu/physmem.c:2799
#12 0x00005628518e6ef6 in subpage_write (opaque=<optimized out>, addr=<optimized out>, value=<optimized out>, len=<optimized out>, attrs=...) at ../softmmu/physmem.c:2465
#13 0x00005628519529a2 in memory_region_write_with_attrs_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at ../softmmu/memory.c:511
#14 0x00005628519525e1 in access_with_adjusted_size (addr=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, mr=<optimized out>, attrs=..., value=<optimized out>, access_fn=<optimized out>) at ../softmmu/memory.c:552
#15 0x00005628519525e1 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=<optimized out>, op=<optimized out>, attrs=...) at ../softmmu/memory.c:1508
#16 0x0000562851a49228 in io_writex (iotlbentry=<optimized out>, mmu_idx=<optimized out>, val=<optimized out>, addr=<optimized out>, retaddr=<optimized out>, op=<optimized out>, env=<optimized out>) at ../accel/tcg/cputlb.c:1378
#17 0x0000562851a49228 in store_helper (env=<optimized out>, addr=<optimized out>, val=<optimized out>, oi=<optimized out>, retaddr=<optimized out>, op=MO_32) at ../accel/tcg/cputlb.c:2397
#18 0x0000562851a49228 in helper_le_stl_mmu (env=<optimized out>, addr=<optimized out>, val=0x2, oi=<optimized out>, retaddr=0x7fa8e44032ee) at ../accel/tcg/cputlb.c:2463
#19 0x00007fa8e44032ee in code_gen_buffer ()
#20 0x000056285191ada0 in cpu_tb_exec (cpu=0x5628547b81a0, itb=<optimized out>) at ../accel/tcg/cpu-exec.c:178
#21 0x000056285191b9eb in cpu_loop_exec_tb (tb=<optimized out>, cpu=<optimized out>, last_tb=<optimized out>, tb_exit=<optimized out>) at ../accel/tcg/cpu-exec.c:658
#22 0x000056285191b9eb in cpu_exec (cpu=0x5628547b81a0) at ../accel/tcg/cpu-exec.c:771
#23 0x000056285194ab9f in tcg_cpu_exec (cpu=<optimized out>) at ../accel/tcg/tcg-cpus.c:243
#24 0x000056285194ab9f in tcg_cpu_thread_fn (arg=0x5628547b81a0) at ../accel/tcg/tcg-cpus.c:427
#25 0x0000562851c22775 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:521
#26 0x00007fa94ae526db in start_thread (arg=0x7fa9310a8700) at pthread_create.c:463
#27 0x00007fa94ab7ba3f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

To reproduce this issue, please run QEMU with the following command
line.


# To enable ASan option, please set configuration with the following command
$ ./configure --target-list=i386-softmmu --disable-werror --enable-sanitizers
$ make

# To reproduce this issue, please run the QEMU process with the following command line.
$ ./qemu-system-i386 -m 512 -drive file=./hyfuzz.img,index=0,media=disk,format=raw -device lsi53c810,id=scsi -device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img

Please let me know if I can provide any further info.
Thank you.

- Cheolwoo, Myung (Seoul National University)

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "attachment.zip"
   https://bugs.launchpad.net/bugs/1908515/+attachment/5444465/+files/attachment.zip

https://bugs.launchpad.net/bugs/1908515
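The failure mode in the report, as an added example that is not QEMU's code or the reporter's: a constructed model of a device whose guest-started script engine runs a DMA step while no SCSI command is in progress, first in the assert form that aborts the host process (the DoS the report describes) and then in a hardened form that logs a guest error and halts the engine instead. All names (DevState, DmaRequest, dma_step_*, reg_write_dsp_byte3) and the register layout are assumptions of the model; the call path it mimics is frames #4..#6 of the trace above.

```c
/* Added example, not QEMU's code: a constructed model of the reported
 * failure. A guest register write starts the script engine, which runs a
 * DMA step while no SCSI command is in progress (current == NULL). */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint8_t buf[64]; size_t len; } DmaRequest;   /* hypothetical */

typedef struct {
    DmaRequest *current;    /* in-flight command, NULL between commands */
    uint32_t dsp;           /* script pointer register (model, not real layout) */
    bool halted;            /* script engine stopped after a guest error */
    unsigned guest_errors;  /* how many guest errors were logged */
} DevState;

/* Unsafe form, mirroring the assertion in the report: a NULL current
 * aborts the whole emulator process, i.e. a guest-triggered host DoS. */
static int dma_step_unsafe(DevState *s, size_t count)
{
    assert(s->current);
    s->current->len += count;
    return 0;
}

/* Hardened form: "DMA with no command in progress" is a guest error.
 * Log it, halt the engine and return to the caller; the process lives on. */
static int dma_step_hardened(DevState *s, size_t count)
{
    if (!s->current) {
        fprintf(stderr, "lsi model: DMA with no command in progress "
                        "(dsp=0x%08x), halting script engine\n", s->dsp);
        s->guest_errors++;
        s->halted = true;
        return -1;
    }
    s->current->len += count;
    return 0;
}

/* Guest writes the top byte of the script pointer (frames #4..#6 of the
 * report: lsi_reg_writeb -> lsi_execute_script -> lsi_do_dma). */
static int reg_write_dsp_byte3(DevState *s, uint8_t val, bool hardened)
{
    s->dsp = (s->dsp & 0x00ffffffu) | ((uint32_t)val << 24);
    s->halted = false;
    return hardened ? dma_step_hardened(s, 16) : dma_step_unsafe(s, 16);
}
```

Calling the unsafe path with no current command ends the process via abort(); the hardened path returns -1, leaves the engine halted and keeps serving the guest.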
