[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1904652] Re: Assertion failure in usb-ohci

From: Peter Maydell
Subject: [Bug 1904652] Re: Assertion failure in usb-ohci
Date: Fri, 15 Jan 2021 16:16:59 -0000

** Tags added: fuzzer

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  Assertion failure in usb-ohci

Status in QEMU:

Bug description:

  Using hypervisor fuzzer, hyfuzz, I found an assertion failure through

  A malicious guest user/process could use this flaw to abort the QEMU
  process on the host, resulting in a denial of service.

  This was found in version 5.2.0 (master)



  Program terminated with signal SIGABRT, Aborted.

  #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
  51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  [Current thread is 1 (Thread 0x7f34d0411440 (LWP 9418))]
  gdb-peda$ bt
  #0  0x00007f34c8d4ef47 in __GI_raise (sig=sig@entry=0x6) at 
  #1  0x00007f34c8d508b1 in __GI_abort () at abort.c:79
  #2  0x000055d3a2081844 in ohci_frame_boundary (opaque=0x55d3a4ecdaf0) at 
  #3  0x000055d3a25be155 in timerlist_run_timers (timer_list=0x55d3a3fd9840) at 
  #4  0x000055d3a25beaba in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at 
  #5  0x000055d3a25beaba in qemu_clock_run_all_timers () at 
  #6  0x000055d3a25e69a1 in main_loop_wait (nonblocking=<optimized out>) at 
  #7  0x000055d3a2433972 in qemu_main_loop () at ../softmmu/vl.c:1678
  #8  0x000055d3a1d0969b in main (argc=<optimized out>, argc@entry=0x15, 
argv=<optimized out>,
      argv@entry=0x7ffc6de722a8, envp=<optimized out>) at ../softmmu/main.c:50
  #9  0x00007f34c8d31b97 in __libc_start_main (main=
      0x55d3a1d09690 <main>, argc=0x15, argv=0x7ffc6de722a8, init=<optimized 
out>, fini=<optimized out>, rtld_fini=<optimized out>, 
stack_end=0x7ffc6de72298) at ../csu/libc-start.c:310
  #10 0x000055d3a1d095aa in _start ()

  To reproduce the assertion failure, please run the QEMU with the
  following command line.

  [Terminal 1]

  $ qemu-system-i386 -m 512 -drive
  file=./fs.img,index=1,media=disk,format=raw -drive
  file=./hyfuzz.img,index=0,media=disk,format=raw -drive
  if=none,id=stick,file=./usbdisk.img,format=raw -device pci-ohci,id=usb
  -device usb-storage,bus=usb.0,drive=stick

  [Terminal 2]

  $ ./repro_log ./fs.img ./pci-ohci


  Please let me know if I can provide any further info.
  -Cheolwoo, Myung (Seoul National University)

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]