[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1878250] Re: Assertion failure in iov_from_buf_full through the e10
|
From: |
Thomas Huth |
|
Subject: |
[Bug 1878250] Re: Assertion failure in iov_from_buf_full through the e1000e |
|
Date: |
Mon, 17 May 2021 19:21:27 -0000 |
This still triggers with current QEMU development version ... marking as
"Confirmed" ... Alexander, could you please move this ticket to the new
issue tracker at gitlab?
** Changed in: qemu
Status: New => Confirmed
** Tags added: fuzzer net
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878250
Title:
Assertion failure in iov_from_buf_full through the e1000e
Status in QEMU:
Confirmed
Bug description:
Hello,
While fuzzing, I found an input that triggers an assertion failure in
iov_from_buf_full through the e1000e:
size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t,
const void *, size_t): Assertion `offset == 0' failed.
#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x5555570c74c0 <str>
"offset == 0", file=0x5555570c7500 <str>
"/home/alxndr/Development/qemu/util/iov.c", line=0x28, function=0x5555570c7560
<__PRETTY_FUNCTION__.iov_from_buf_full> "size_t iov_from_buf_full(const struct
iovec *, unsigned int, size_t, const void *, size_t)") at assert.c:101
#4 0x0000555556c5fa5e in iov_from_buf_full (iov=<optimized out>,
iov_cnt=<optimized out>, offset=<optimized out>, buf=buf@entry=0x7fffffffbb60,
bytes=<optimized out>, bytes@entry=0x2) at
/home/alxndr/Development/qemu/util/iov.c:40
#5 0x00005555565f585e in iov_from_buf (iov=0x7fffffffb830,
iov_cnt=0xffffb830, offset=0x0, buf=0x7fffffffbb60, bytes=0x2) at
/home/alxndr/Development/qemu/include/qemu/iov.h:49
#6 0x00005555565f585e in net_tx_pkt_update_ip_checksums (pkt=<optimized
out>) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:139
#7 0x0000555556621f9c in e1000e_setup_tx_offloads (core=0x7fffeeb754e0,
tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:638
#8 0x0000555556621f9c in e1000e_tx_pkt_send (core=0x7fffeeb754e0,
tx=0x7fffeeb95748, queue_index=<optimized out>) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
#9 0x0000555556621f9c in e1000e_process_tx_desc (core=0x7fffeeb754e0,
tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
#10 0x0000555556621f9c in e1000e_start_xmit (core=<optimized out>,
txr=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
#11 0x000055555661edb1 in e1000e_set_tdt (core=0x7fffffffb830, index=0xe06,
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
#12 0x000055555660f2cd in e1000e_core_write (core=<optimized out>,
addr=<optimized out>, val=<optimized out>, size=<optimized out>) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
#13 0x00005555560028d7 in memory_region_write_accessor (mr=<optimized out>,
addr=<optimized out>, value=<optimized out>, size=<optimized out>,
shift=<optimized out>, mask=<optimized out>, attrs=...) at
/home/alxndr/Development/qemu/memory.c:483
I can reproduce it in qemu 5.0 using:
cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M
pc-q35-5.0 -nographic -qtest stdio -monitor none -serial none
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0xe10207e8 0x14 0x00002d05225f3f5f5e00000200000000250013ff
write 0x200006a 0xc 0x08004500feffffff02007b06
write 0xe1020098 0x3a2
0x000006ffdf054e411b0002e10000000006ffe1054e411b0002e10000000006ffe3054e411b0002e10000000006ffe5054e411b0002e10000000006ffe7054e411b0002e10000000006ffe9054e411b0002e10000000006ffeb054e411b0002e10000000006ffed054e411b0002e10000000006ffef054e411b0002e10000000006fff1054e411b0002e10000000006fff3054e411b0002e10000000006fff5054e411b0002e10000000006fff7054e411b0002e10000000006fff9054e411b0002e10000000006fffb054e411b0002e10000000006fffd054e411b0002e10000000006ffff054e411b0002e10000000006ff01054e411b0002e10000000006ff03054e411b0002e10000000006ff05054e411b0002e10000000006ff07054e411b0002e10000000006ff09054e411b0002e10000000006ff0b054e411b0002e10000000006ff0d054e411b0002e10000000006ff0f054e411b0002e10000000006ff11054e411b0002e10000000006ff13054e411b0002e10000000006ff15054e411b0002e10000000006ff17054e411b0002e10000000006ff19054e411b0002e10000000006ff1b054e411b0002e10000000006ff1d054e411b0002e10000000006ff1f054e411b0002e10000000006ff21054e411b0002e10000000006ff23054e411b0002e10000000006ff25054e411b0002e10000000006ff27054e411b0002e10000000006ff29054e411b0002e10000000006ff2b054e411b0002e10000000006ff2d054e411b0002e10000000006ff2f054e411b0002e10000000006ff31054e411b0002e10000000006ff33054e411b0002e10000000006ff35054e411b0002e10000000006ff37054e411b0002e10000000006ff39054e411b0002e10000000006ff3b054e411b0002e10000000006ff3d054e411b0002e10000000006ff3f054e411b0002e10000000006ff41054e411b0002e10000000006ff43054e411b0002e10000000006ff45054e411b0002e10000000006ff47054e411b0002e10000000006ff49054e411b0002e10000000006ff4b054e411b0002e10000000006ff4d054e411b0002e10000000006ff4f054e411b0002e10000000006ff51054e411b0002e10000000006ff53054e411b0002e10000000006ff55054e411b0002e10000000006ff57054e411b0002e10000000006ff59054e411b0002e10000000006ff5b054e411b0002e10000000006ff5d054e411b0002e10000000006ff5f054e411b0002e10000000006ff61054e411b0002e10000000006ff6305
EOF
I also attached the traces to this launchpad report, in case the
formatting is broken:
qemu-system-i386 -M pc-q35-5.0 -nographic -qtest stdio -monitor none
-serial none < attachment
Please let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878250/+subscriptions
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1878250] Re: Assertion failure in iov_from_buf_full through the e1000e,
Thomas Huth <=