[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1902112] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-gen
From: |
Alexander Bulekov |
Subject: |
[Bug 1902112] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write |
Date: |
Tue, 17 Nov 2020 15:57:31 -0000 |
ClusterFuzz testcase 5747786781556736 is verified as fixed in https
://oss-
fuzz.com/revisions?job=libfuzzer_ubsan_qemu&range=202011040616:202011060622
** Changed in: qemu
Status: New => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902112
Title:
[OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci:
Index-out-of-bounds in xhci_runtime_write
Status in QEMU:
Fix Committed
Bug description:
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-
fuzz/issues/detail?id=26693
=== Reproducer (build with --enable-sanitizers) ===
export UBSAN_OPTIONS="print_stacktrace=1:silence_unsigned_overflow=1"
cat << EOF | ./qemu-system-i386 -display none -machine\
accel=qtest, -m 512M -machine q35 -nodefaults -drive\
file=null-co://,if=none,format=raw,id=disk0 -device\
qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0\
-device usb-bot -device usb-storage,drive=disk0\
-chardev null,id=cd0 -chardev null,id=cd1 -device\
usb-braille,chardev=cd0 -device usb-ccid -device\
usb-ccid -device usb-kbd -device usb-mouse -device\
usb-serial,chardev=cd1 -device usb-tablet -device\
usb-wacom-tablet -device usb-audio -qtest stdio
outl 0xcf8 0x80000803
outl 0xcfc 0x18caffff
outl 0xcf8 0x80000810
outl 0xcfc 0x555a2e46
write 0x555a1004 0x4 0xe7b9aa7a
EOF
=== Stack Trace ===
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
../hw/usb/hcd-xhci.c:3012:30 in
../hw/usb/hcd-xhci.c:3012:30: runtime error: index -1 out of bounds for type
'XHCIInterrupter [16]'
#0 0x55bd2e97c8b0 in xhci_runtime_write /src/qemu/hw/usb/hcd-xhci.c:3012:30
#1 0x55bd2edfdd13 in memory_region_write_accessor
/src/qemu/softmmu/memory.c:484:5
#2 0x55bd2edfdb14 in access_with_adjusted_size
/src/qemu/softmmu/memory.c:545:18
#3 0x55bd2edfd54b in memory_region_dispatch_write
/src/qemu/softmmu/memory.c:0:13
#4 0x55bd2ed7fa46 in flatview_write_continue
/src/qemu/softmmu/physmem.c:2767:23
#5 0x55bd2ed7cac0 in flatview_write /src/qemu/softmmu/physmem.c:2807:14
#6 0x55bd2ed7c9f8 in address_space_write /src/qemu/softmmu/physmem.c:2899:18
#7 0x55bd2e85cf9b in __wrap_qtest_writeq
/src/qemu/tests/qtest/fuzz/qtest_wrappers.c:187:9
#8 0x55bd2e85b7b1 in op_write /src/qemu/tests/qtest/fuzz/generic_fuzz.c:476:13
#9 0x55bd2e85a84c in generic_fuzz
/src/qemu/tests/qtest/fuzz/generic_fuzz.c:678:17
#10 0x55bd2e85dd6f in LLVMFuzzerTestOneInput
/src/qemu/tests/qtest/fuzz/fuzz.c:150:5
#11 0x55bd2e7e9661 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
#12 0x55bd2e7d4732 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#13 0x55bd2e7da7ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long))
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:9
#14 0x55bd2e8027d2 in main
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0x7f3d153b783f in __libc_start_main
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1902112/+subscriptions
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1902112] Re: [OSS-Fuzz] Issue 26693: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Index-out-of-bounds in xhci_runtime_write,
Alexander Bulekov <=