qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - ad


From: Cheol-Woo,Myung
Subject: [Bug 1910941] [NEW] Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk
Date: Mon, 11 Jan 2021 02:47:10 -0000

Public bug reported:

Hello,

Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
virtio-blk emulator.

A malicious guest user/process could use this flaw to abort the QEMU
process on the host, resulting in a denial of service.

This was found in version 5.2.0 (master)

```

qemu-system-i386: 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88:
 void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, 
MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - 
addr' failed.
[1]    1877 abort (core dumped)  
/home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386

Program terminated with signal SIGABRT, Aborted.
#0  0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f71cc1738b1 in __GI_abort () at abort.c:79
#2  0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr 
< cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c 
"/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc",
 line=line@entry=0x58, function=function@entry=0x56537b3242ab "void 
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, 
MemTxResult *)") at assert.c:92
#3  0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr < 
cache->len && 2 <= cache->len - addr", file=0x56537b32425c 
"/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc",
 line=0x58, function=0x56537b3242ab "void 
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, 
MemTxResult *)") at assert.c:101
#4  0x000056537af3c917 in address_space_stw_le_cached (attrs=..., 
result=<optimized out>, cache=<optimized out>, addr=<optimized out>, 
val=<optimized out>) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
#5  0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, 
addr=<optimized out>, val=<optimized out>) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
#6  0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, 
cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
#7  0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) 
at ../hw/virtio/virtio.c:429
#8  0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized 
out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
#9  0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, 
enable=0x1) at ../hw/virtio/virtio.c:499
#10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, 
vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
#11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at 
../hw/virtio/virtio.c:2326
#12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized 
out>) at ../hw/virtio/virtio.c:3533
#13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, 
node=0x7f71a810b370) at ../util/aio-posix.c:329
#14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at 
../util/aio-posix.c:372
#15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at 
../util/aio-posix.c:382
#16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, 
callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
#17 0x00007f71d1c10417 in g_main_context_dispatch () at 
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
#19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at 
../util/main-loop.c:255
#20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at 
../util/main-loop.c:531
#21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
#22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, 
argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at 
../softmmu/main.c:50
#23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, 
argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
#24 0x000056537a92894a in _start ()

```

To reproduce this issue, please run the QEMU with the following command
line.

```

# To reproduce this issue, please run the QEMU process with the
following command line.

$ qemu-system-i386 -m 512  -drive
file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
pci,drive=drive0,id=virtblk0,num-queues=4 -drive
file=disk.img,if=none,id=drive0

```

Please let me know if I can provide any further info.

Thank you.

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "attachment.tar.gz"
   
https://bugs.launchpad.net/bugs/1910941/+attachment/5451586/+files/attachment.tar.gz

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910941

Title:
  Assertion `addr < cache->len && 2 <= cache->len - addr' in virtio-blk

Status in QEMU:
  New

Bug description:
  Hello,

  Using hypervisor fuzzer, hyfuzz, I found an assertion failure through
  virtio-blk emulator.

  A malicious guest user/process could use this flaw to abort the QEMU
  process on the host, resulting in a denial of service.

  This was found in version 5.2.0 (master)

  ```

  qemu-system-i386: 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88:
 void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, 
MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - 
addr' failed.
  [1]    1877 abort (core dumped)  
/home/cwmyung/prj/hyfuzz/src/qemu-master/build/i386-softmmu/qemu-system-i386

  Program terminated with signal SIGABRT, Aborted.
  #0  0x00007f71cc171f47 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007f71cc1738b1 in __GI_abort () at abort.c:79
  #2  0x00007f71cc16342a in __assert_fail_base (fmt=0x7f71cc2eaa38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x56537b324230 "addr 
< cache->len && 2 <= cache->len - addr", file=file@entry=0x56537b32425c 
"/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc",
 line=line@entry=0x58, function=function@entry=0x56537b3242ab "void 
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, 
MemTxResult *)") at assert.c:92
  #3  0x00007f71cc1634a2 in __GI___assert_fail (assertion=0x56537b324230 "addr 
< cache->len && 2 <= cache->len - addr", file=0x56537b32425c 
"/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc",
 line=0x58, function=0x56537b3242ab "void 
address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t, MemTxAttrs, 
MemTxResult *)") at assert.c:101
  #4  0x000056537af3c917 in address_space_stw_le_cached (attrs=..., 
result=<optimized out>, cache=<optimized out>, addr=<optimized out>, 
val=<optimized out>) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_cached.h.inc:88
  #5  0x000056537af3c917 in stw_le_phys_cached (cache=<optimized out>, 
addr=<optimized out>, val=<optimized out>) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/exec/memory_ldst_phys.h.inc:121
  #6  0x000056537af3c917 in virtio_stw_phys_cached (vdev=<optimized out>, 
cache=<optimized out>, pa=<optimized out>, value=<optimized out>) at 
/home/cwmyung/prj/hyfuzz/src/qemu-master/include/hw/virtio/virtio-access.h:196
  #7  0x000056537af2b809 in vring_set_avail_event (vq=<optimized out>, val=0x0) 
at ../hw/virtio/virtio.c:429
  #8  0x000056537af2b809 in virtio_queue_split_set_notification (vq=<optimized 
out>, enable=<optimized out>) at ../hw/virtio/virtio.c:438
  #9  0x000056537af2b809 in virtio_queue_set_notification (vq=<optimized out>, 
enable=0x1) at ../hw/virtio/virtio.c:499
  #10 0x000056537b07ce1c in virtio_blk_handle_vq (s=0x56537d6bb3a0, 
vq=0x56537d6c0680) at ../hw/block/virtio-blk.c:795
  #11 0x000056537af3eb4d in virtio_queue_notify_aio_vq (vq=0x56537d6c0680) at 
../hw/virtio/virtio.c:2326
  #12 0x000056537af3ba04 in virtio_queue_host_notifier_aio_read (n=<optimized 
out>) at ../hw/virtio/virtio.c:3533
  #13 0x000056537b20901c in aio_dispatch_handler (ctx=0x56537c4179f0, 
node=0x7f71a810b370) at ../util/aio-posix.c:329
  #14 0x000056537b20838c in aio_dispatch_handlers (ctx=<optimized out>) at 
../util/aio-posix.c:372
  #15 0x000056537b20838c in aio_dispatch (ctx=0x56537c4179f0) at 
../util/aio-posix.c:382
  #16 0x000056537b1f99cb in aio_ctx_dispatch (source=0x2, 
callback=0x7ffc8add9f90, user_data=0x0) at ../util/async.c:306
  #17 0x00007f71d1c10417 in g_main_context_dispatch () at 
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
  #18 0x000056537b1f1bab in glib_pollfds_poll () at ../util/main-loop.c:232
  #19 0x000056537b1f1bab in os_host_main_loop_wait (timeout=<optimized out>) at 
../util/main-loop.c:255
  #20 0x000056537b1f1bab in main_loop_wait (nonblocking=<optimized out>) at 
../util/main-loop.c:531
  #21 0x000056537af879d7 in qemu_main_loop () at ../softmmu/runstate.c:720
  #22 0x000056537a928a3b in main (argc=<optimized out>, argc@entry=0x15, 
argv=<optimized out>, argv@entry=0x7ffc8adda718, envp=<optimized out>) at 
../softmmu/main.c:50
  #23 0x00007f71cc154b97 in __libc_start_main (main=0x56537a928a30 <main>, 
argc=0x15, argv=0x7ffc8adda718, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7ffc8adda708) at ../csu/libc-start.c:310
  #24 0x000056537a92894a in _start ()

  ```

  To reproduce this issue, please run the QEMU with the following
  command line.

  ```

  # To reproduce this issue, please run the QEMU process with the
  following command line.

  $ qemu-system-i386 -m 512  -drive
  file=hyfuzz.img,index=0,media=disk,format=raw -device virtio-blk-
  pci,drive=drive0,id=virtblk0,num-queues=4 -drive
  file=disk.img,if=none,id=drive0

  ```

  Please let me know if I can provide any further info.

  Thank you.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910941/+subscriptions



reply via email to

[Prev in Thread] Current Thread [Next in Thread]