[Bug 1911216] [NEW] abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
From: Gaoning Pan
Subject: [Bug 1911216] [NEW] abort issue locates in hw/usb/hcd-ohci.c:1297:ohci_frame_boundary
Date: Tue, 12 Jan 2021 15:53:03 -0000
Public bug reported:
Hello,
I found an assertion failure in hw/usb/hcd-ohci.c:1297.
This was found in the latest version, 5.2.0.
My reproduction environment is as follows:
Host: Ubuntu 18.04
Guest: Ubuntu 18.04
QEMU boot command line:
qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:5555-:22 -display none -device pci-ohci,id=ohci -device usb-tablet,bus=ohci.0,port=1,id=usbdev1
The backtrace is as follows:
pwndbg> bt
#0 0x00007fdf392aa438 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007fdf392ac03a in __GI_abort () at abort.c:89
#2 0x000055c613721118 in ohci_frame_boundary (opaque=0x6270000191f0) at hw/usb/hcd-ohci.c:1297
#3 0x000055c6140bdf0e in timerlist_run_timers (timer_list=0x60b00005bcc0) at util/qemu-timer.c:572
#4 0x000055c6140be15a in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at util/qemu-timer.c:586
#5 0x000055c6140beac7 in qemu_clock_run_all_timers () at util/qemu-timer.c:672
#6 0x000055c6140a1938 in main_loop_wait (nonblocking=0) at util/main-loop.c:523
#7 0x000055c6125d87e9 in qemu_main_loop () at /home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/vl.c:1676
#8 0x000055c613f216ea in main (argc=7, argv=0x7fff174cdd28, envp=0x7fff174cdd68) at /home/dell/qemu5-hypervisor/vm/fuzz-seedpool/hcd-ohci/qemu-5.1.0/softmmu/main.c:49
#9 0x00007fdf39295840 in __libc_start_main (main=0x55c613f21699 <main>, argc=7, argv=0x7fff174cdd28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff174cdd18) at ../csu/libc-start.c:291
#10 0x000055c6120a4349 in _start ()
The PoC is attached.
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "poc-ohci-abort.c"
https://bugs.launchpad.net/bugs/1911216/+attachment/5452326/+files/poc-ohci-abort.c
https://bugs.launchpad.net/bugs/1911216