[Bug 1919035] [NEW] Assertion failure in fifo8_pop

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1919035] [NEW] Assertion failure in fifo8_pop_buf() through am53c97

From:	Cheolwoo,Myung
Subject:	[Bug 1919035] [NEW] Assertion failure in fifo8_pop_buf() through am53c974
Date:	Sat, 13 Mar 2021 17:26:36 -0000

Public bug reported:

Hello,

Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
am53c974 emulator.

A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master, 3f8d1885e4)


```
qemu-system-i386: ../util/fifo8.c:73: fifo8_pop_buf: Assertion `max > 0 && max 
<= fifo->num' failed.

#0  0x00007ffff0218fb7 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff021a921 in __GI_abort () at abort.c:79
#2  0x00007ffff020a48a in __assert_fail_base (fmt=0x7ffff0391750 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555558ed24a0 "max 
> 0 && max <= fifo->num", file=file@entry=0x555558ed2380 "../util/fifo8.c", 
line=line@entry=0x49, function=function@entry=0x555558ed24e0 
<__PRETTY_FUNCTION__.16603> "fifo8_pop_buf") at assert.c:92
#3  0x00007ffff020a502 in __GI___assert_fail 
(assertion=assertion@entry=0x555558ed24a0 "max > 0 && max <= fifo->num", 
file=file@entry=0x555558ed2380 "../util/fifo8.c", line=line@entry=0x49, 
function=function@entry=0x555558ed24e0 <__PRETTY_FUNCTION__.16603> 
"fifo8_pop_buf") at assert.c:101
#4  0x000055555877519a in fifo8_pop_buf (fifo=fifo@entry=0x61f000005200, 
max=max@entry=0xff, num=num@entry=0x7fff72bfa550) at ../util/fifo8.c:73
#5  0x00005555572b7d9a in do_cmd (s=s@entry=0x61f000005088) at 
../hw/scsi/esp.c:328
#6  0x00005555572b879a in esp_do_nodma (s=s@entry=0x61f000005088) at 
../hw/scsi/esp.c:701
#7  0x00005555572bfd79 in handle_ti (s=0x61f000005088) at ../hw/scsi/esp.c:848
#8  0x00005555572c419c in esp_reg_write (s=0x61f000005088, 
saddr=saddr@entry=0x3, val=<optimized out>) at ../hw/scsi/esp.c:987
#9  0x0000555557bb916a in esp_pci_io_write (opaque=0x61f000004680, 
addr=<optimized out>, val=<optimized out>, size=<optimized out>) at 
../hw/scsi/esp-pci.c:214
#10 0x000055555817ea28 in memory_region_write_accessor (mr=0x61f000004f70, 
addr=<optimized out>, value=<optimized out>, size=<optimized out>, 
shift=<optimized out>, mask=<optimized out>, attrs=...) at 
../softmmu/memory.c:491
#11 0x0000555558176671 in access_with_adjusted_size (addr=addr@entry=0xc, 
value=value@entry=0x7fff72bfb2a8, size=size@entry=0x1, 
access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=
    0x55555817e7c0 <memory_region_write_accessor>, mr=0x61f000004f70, 
attrs=...) at ../softmmu/memory.c:552
#12 0x00005555581892aa in memory_region_dispatch_write 
(mr=mr@entry=0x61f000004f70, addr=<optimized out>, data=<optimized out>, 
data@entry=0x10, op=op@entry=MO_8, attrs=..., attrs@entry=...) at 
../softmmu/memory.c:1508
#13 0x0000555558024b66 in address_space_stb (as=<optimized out>, 
addr=<optimized out>, val=<optimized out>, attrs=..., result=0x0) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/memory_ldst.c.inc:382
#14 0x00007fff93236d3c in code_gen_buffer ()
#15 0x0000555557e793bb in cpu_tb_exec (tb_exit=<optimized out>, itb=<optimized 
out>, cpu=0x62e0000004b4) at ../accel/tcg/cpu-exec.c:190
#16 0x0000555557e793bb in cpu_loop_exec_tb (tb_exit=<optimized out>, 
last_tb=<optimized out>, tb=<optimized out>, cpu=0x62e0000004b4) at 
../accel/tcg/cpu-exec.c:673
#17 0x0000555557e793bb in cpu_exec (cpu=cpu@entry=0x62e000000400) at 
../accel/tcg/cpu-exec.c:798
#18 0x0000555557f5fc5a in tcg_cpus_exec (cpu=cpu@entry=0x62e000000400) at 
../accel/tcg/tcg-accel-ops.c:68
#19 0x00005555582260af in mttcg_cpu_thread_fn (arg=arg@entry=0x62e000000400) at 
../accel/tcg/tcg-accel-ops-mttcg.c:70
#20 0x0000555558777b05 in qemu_thread_start (args=<optimized out>) at 
../util/qemu-thread-posix.c:521
#21 0x00007ffff05d26db in start_thread (arg=0x7fff72bff700) at 
pthread_create.c:463
#22 0x00007ffff02fb71f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```


To reproduce the assertion failure, please run the QEMU with the following 
command line.

```

$ ./qemu-system-i386 -m 512 -drive
file=./hyfuzz.img,index=0,media=disk,format=raw -device am53c974,id=scsi
-device scsi-hd,drive=SysDisk -drive id=SysDisk,if=none,file=./disk.img

```

Please let me know if I can provide any further info.

Thank you.

- Cheolwoo, Myung (Seoul National University)

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: fuzzer

** Attachment added: "attachment.tar.gz"
   
https://bugs.launchpad.net/bugs/1919035/+attachment/5476279/+files/attachment.tar.gz

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1919035

Title:
  Assertion failure in fifo8_pop_buf() through am53c974

Status in QEMU:
  New

Bug description:
  Hello,

  Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
  am53c974 emulator.

  A malicious guest user/process could use this flaw to abort the QEMU
  process on the host, resulting in a denial of service.

  This was found in version 5.2.0 (master, 3f8d1885e4)

  
  ```
  qemu-system-i386: ../util/fifo8.c:73: fifo8_pop_buf: Assertion `max > 0 && 
max <= fifo->num' failed.

  #0  0x00007ffff0218fb7 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007ffff021a921 in __GI_abort () at abort.c:79
  #2  0x00007ffff020a48a in __assert_fail_base (fmt=0x7ffff0391750 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555558ed24a0 "max 
> 0 && max <= fifo->num", file=file@entry=0x555558ed2380 "../util/fifo8.c", 
line=line@entry=0x49, function=function@entry=0x555558ed24e0 
<__PRETTY_FUNCTION__.16603> "fifo8_pop_buf") at assert.c:92
  #3  0x00007ffff020a502 in __GI___assert_fail 
(assertion=assertion@entry=0x555558ed24a0 "max > 0 && max <= fifo->num", 
file=file@entry=0x555558ed2380 "../util/fifo8.c", line=line@entry=0x49, 
function=function@entry=0x555558ed24e0 <__PRETTY_FUNCTION__.16603> 
"fifo8_pop_buf") at assert.c:101
  #4  0x000055555877519a in fifo8_pop_buf (fifo=fifo@entry=0x61f000005200, 
max=max@entry=0xff, num=num@entry=0x7fff72bfa550) at ../util/fifo8.c:73
  #5  0x00005555572b7d9a in do_cmd (s=s@entry=0x61f000005088) at 
../hw/scsi/esp.c:328
  #6  0x00005555572b879a in esp_do_nodma (s=s@entry=0x61f000005088) at 
../hw/scsi/esp.c:701
  #7  0x00005555572bfd79 in handle_ti (s=0x61f000005088) at ../hw/scsi/esp.c:848
  #8  0x00005555572c419c in esp_reg_write (s=0x61f000005088, 
saddr=saddr@entry=0x3, val=<optimized out>) at ../hw/scsi/esp.c:987
  #9  0x0000555557bb916a in esp_pci_io_write (opaque=0x61f000004680, 
addr=<optimized out>, val=<optimized out>, size=<optimized out>) at 
../hw/scsi/esp-pci.c:214
  #10 0x000055555817ea28 in memory_region_write_accessor (mr=0x61f000004f70, 
addr=<optimized out>, value=<optimized out>, size=<optimized out>, 
shift=<optimized out>, mask=<optimized out>, attrs=...) at 
../softmmu/memory.c:491
  #11 0x0000555558176671 in access_with_adjusted_size (addr=addr@entry=0xc, 
value=value@entry=0x7fff72bfb2a8, size=size@entry=0x1, 
access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=
      0x55555817e7c0 <memory_region_write_accessor>, mr=0x61f000004f70, 
attrs=...) at ../softmmu/memory.c:552
  #12 0x00005555581892aa in memory_region_dispatch_write 
(mr=mr@entry=0x61f000004f70, addr=<optimized out>, data=<optimized out>, 
data@entry=0x10, op=op@entry=MO_8, attrs=..., attrs@entry=...) at 
../softmmu/memory.c:1508
  #13 0x0000555558024b66 in address_space_stb (as=<optimized out>, 
addr=<optimized out>, val=<optimized out>, attrs=..., result=0x0) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/memory_ldst.c.inc:382
  #14 0x00007fff93236d3c in code_gen_buffer ()
  #15 0x0000555557e793bb in cpu_tb_exec (tb_exit=<optimized out>, 
itb=<optimized out>, cpu=0x62e0000004b4) at ../accel/tcg/cpu-exec.c:190
  #16 0x0000555557e793bb in cpu_loop_exec_tb (tb_exit=<optimized out>, 
last_tb=<optimized out>, tb=<optimized out>, cpu=0x62e0000004b4) at 
../accel/tcg/cpu-exec.c:673
  #17 0x0000555557e793bb in cpu_exec (cpu=cpu@entry=0x62e000000400) at 
../accel/tcg/cpu-exec.c:798
  #18 0x0000555557f5fc5a in tcg_cpus_exec (cpu=cpu@entry=0x62e000000400) at 
../accel/tcg/tcg-accel-ops.c:68
  #19 0x00005555582260af in mttcg_cpu_thread_fn (arg=arg@entry=0x62e000000400) 
at ../accel/tcg/tcg-accel-ops-mttcg.c:70
  #20 0x0000555558777b05 in qemu_thread_start (args=<optimized out>) at 
../util/qemu-thread-posix.c:521
  #21 0x00007ffff05d26db in start_thread (arg=0x7fff72bff700) at 
pthread_create.c:463
  #22 0x00007ffff02fb71f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95
  ```

  
  To reproduce the assertion failure, please run the QEMU with the following 
command line.

  ```

  $ ./qemu-system-i386 -m 512 -drive
  file=./hyfuzz.img,index=0,media=disk,format=raw -device
  am53c974,id=scsi -device scsi-hd,drive=SysDisk -drive
  id=SysDisk,if=none,file=./disk.img

  ```

  Please let me know if I can provide any further info.

  Thank you.

  - Cheolwoo, Myung (Seoul National University)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1919035/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1919035] [NEW] Assertion failure in fifo8_pop_buf() through am53c974, Cheolwoo,Myung <=
- [Bug 1919035] Re: Assertion failure in fifo8_pop_buf() through am53c974, Alexander Bulekov, 2021/03/14
- [Bug 1919035] Re: Assertion failure in fifo8_pop_buf() through am53c974, Mark Cave-Ayland, 2021/03/17

Prev by Date: Re: [PATCH 0/3] hw: Constify VMStateDescription
Next by Date: Re: [PATCH 01/26] meson: Split out tcg/meson.build
Previous by thread: [PATCH 0/3] hw: Constify VMStateDescription
Next by thread: [Bug 1919035] Re: Assertion failure in fifo8_pop_buf() through am53c974
Index(es):
- Date
- Thread