[Bug 1878250] [NEW] Assertion failure in iov_from_buf_full through the e1000e

Alexander Bulekov Tue, 12 May 2020 10:31:24 -0700

Public bug reported:

Hello,
While fuzzing, I found an input that triggers an assertion failure in
iov_from_buf_full through the e1000e:


size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t,
const void *, size_t): Assertion `offset == 0' failed.


#3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x5555570c74c0 <str> 
"offset == 0", file=0x5555570c7500 <str> 
"/home/alxndr/Development/qemu/util/iov.c", line=0x28, function=0x5555570c7560 
<__PRETTY_FUNCTION__.iov_from_buf_full> "size_t iov_from_buf_full(const struct 
iovec *, unsigned int, size_t, const void *, size_t)") at assert.c:101
#4  0x0000555556c5fa5e in iov_from_buf_full (iov=<optimized out>, 
iov_cnt=<optimized out>, offset=<optimized out>, buf=buf@entry=0x7fffffffbb60, 
bytes=<optimized out>, bytes@entry=0x2) at 
/home/alxndr/Development/qemu/util/iov.c:40
#5  0x00005555565f585e in iov_from_buf (iov=0x7fffffffb830, iov_cnt=0xffffb830, 
offset=0x0, buf=0x7fffffffbb60, bytes=0x2) at 
/home/alxndr/Development/qemu/include/qemu/iov.h:49
#6  0x00005555565f585e in net_tx_pkt_update_ip_checksums (pkt=<optimized out>) 
at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:139
#7  0x0000555556621f9c in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:638
#8  0x0000555556621f9c in e1000e_tx_pkt_send (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748, queue_index=<optimized out>) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
#9  0x0000555556621f9c in e1000e_process_tx_desc (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
#10 0x0000555556621f9c in e1000e_start_xmit (core=<optimized out>, 
txr=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
#11 0x000055555661edb1 in e1000e_set_tdt (core=0x7fffffffb830, index=0xe06, 
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
#12 0x000055555660f2cd in e1000e_core_write (core=<optimized out>, 
addr=<optimized out>, val=<optimized out>, size=<optimized out>) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
#13 0x00005555560028d7 in memory_region_write_accessor (mr=<optimized out>, 
addr=<optimized out>, value=<optimized out>, size=<optimized out>, 
shift=<optimized out>, mask=<optimized out>, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:483

I can reproduce it in qemu 5.0 using:

cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M 
pc-q35-5.0 -nographic -qtest stdio -monitor none -serial none
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0xe10207e8 0x14 0x00002d05225f3f5f5e00000200000000250013ff
write 0x200006a 0xc 0x08004500feffffff02007b06
write 0xe1020098 0x3a2 
0x000006ffdf054e411b0002e10000000006ffe1054e411b0002e10000000006ffe3054e411b0002e10000000006ffe5054e411b0002e10000000006ffe7054e411b0002e10000000006ffe9054e411b0002e10000000006ffeb054e411b0002e10000000006ffed054e411b0002e10000000006ffef054e411b0002e10000000006fff1054e411b0002e10000000006fff3054e411b0002e10000000006fff5054e411b0002e10000000006fff7054e411b0002e10000000006fff9054e411b0002e10000000006fffb054e411b0002e10000000006fffd054e411b0002e10000000006ffff054e411b0002e10000000006ff01054e411b0002e10000000006ff03054e411b0002e10000000006ff05054e411b0002e10000000006ff07054e411b0002e10000000006ff09054e411b0002e10000000006ff0b054e411b0002e10000000006ff0d054e411b0002e10000000006ff0f054e411b0002e10000000006ff11054e411b0002e10000000006ff13054e411b0002e10000000006ff15054e411b0002e10000000006ff17054e411b0002e10000000006ff19054e411b0002e10000000006ff1b054e411b0002e10000000006ff1d054e411b0002e10000000006ff1f054e411b0002e10000000006ff21054e411b0002e10000000006ff23054e411b0002e10000000006ff25054e411b0002e10000000006ff27054e411b0002e10000000006ff29054e411b0002e10000000006ff2b054e411b0002e10000000006ff2d054e411b0002e10000000006ff2f054e411b0002e10000000006ff31054e411b0002e10000000006ff33054e411b0002e10000000006ff35054e411b0002e10000000006ff37054e411b0002e10000000006ff39054e411b0002e10000000006ff3b054e411b0002e10000000006ff3d054e411b0002e10000000006ff3f054e411b0002e10000000006ff41054e411b0002e10000000006ff43054e411b0002e10000000006ff45054e411b0002e10000000006ff47054e411b0002e10000000006ff49054e411b0002e10000000006ff4b054e411b0002e10000000006ff4d054e411b0002e10000000006ff4f054e411b0002e10000000006ff51054e411b0002e10000000006ff53054e411b0002e10000000006ff55054e411b0002e10000000006ff57054e411b0002e10000000006ff59054e411b0002e10000000006ff5b054e411b0002e10000000006ff5d054e411b0002e10000000006ff5f054e411b0002e10000000006ff61054e411b0002e10000000006ff6305
EOF

I also attached the traces to this launchpad report, in case the
formatting is broken:

qemu-system-i386 -M pc-q35-5.0 -nographic -qtest stdio -monitor none
-serial none < attachment

Please let me know if I can provide any further info.
-Alex

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "attachment"
   https://bugs.launchpad.net/bugs/1878250/+attachment/5370453/+files/attachment

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878250

Title:
  Assertion failure in iov_from_buf_full through the e1000e

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input that triggers an assertion failure in
  iov_from_buf_full through the e1000e:

  size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t,
  const void *, size_t): Assertion `offset == 0' failed.

  
  #3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x5555570c74c0 <str> 
"offset == 0", file=0x5555570c7500 <str> 
"/home/alxndr/Development/qemu/util/iov.c", line=0x28, function=0x5555570c7560 
<__PRETTY_FUNCTION__.iov_from_buf_full> "size_t iov_from_buf_full(const struct 
iovec *, unsigned int, size_t, const void *, size_t)") at assert.c:101
  #4  0x0000555556c5fa5e in iov_from_buf_full (iov=<optimized out>, 
iov_cnt=<optimized out>, offset=<optimized out>, buf=buf@entry=0x7fffffffbb60, 
bytes=<optimized out>, bytes@entry=0x2) at 
/home/alxndr/Development/qemu/util/iov.c:40
  #5  0x00005555565f585e in iov_from_buf (iov=0x7fffffffb830, 
iov_cnt=0xffffb830, offset=0x0, buf=0x7fffffffbb60, bytes=0x2) at 
/home/alxndr/Development/qemu/include/qemu/iov.h:49
  #6  0x00005555565f585e in net_tx_pkt_update_ip_checksums (pkt=<optimized 
out>) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:139
  #7  0x0000555556621f9c in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:638
  #8  0x0000555556621f9c in e1000e_tx_pkt_send (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748, queue_index=<optimized out>) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
  #9  0x0000555556621f9c in e1000e_process_tx_desc (core=0x7fffeeb754e0, 
tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #10 0x0000555556621f9c in e1000e_start_xmit (core=<optimized out>, 
txr=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #11 0x000055555661edb1 in e1000e_set_tdt (core=0x7fffffffb830, index=0xe06, 
val=0x563) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #12 0x000055555660f2cd in e1000e_core_write (core=<optimized out>, 
addr=<optimized out>, val=<optimized out>, size=<optimized out>) at 
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #13 0x00005555560028d7 in memory_region_write_accessor (mr=<optimized out>, 
addr=<optimized out>, value=<optimized out>, size=<optimized out>, 
shift=<optimized out>, mask=<optimized out>, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:483

  I can reproduce it in qemu 5.0 using:

  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M 
pc-q35-5.0 -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe10207e8 0x14 0x00002d05225f3f5f5e00000200000000250013ff
  write 0x200006a 0xc 0x08004500feffffff02007b06
  write 0xe1020098 0x3a2 
0x000006ffdf054e411b0002e10000000006ffe1054e411b0002e10000000006ffe3054e411b0002e10000000006ffe5054e411b0002e10000000006ffe7054e411b0002e10000000006ffe9054e411b0002e10000000006ffeb054e411b0002e10000000006ffed054e411b0002e10000000006ffef054e411b0002e10000000006fff1054e411b0002e10000000006fff3054e411b0002e10000000006fff5054e411b0002e10000000006fff7054e411b0002e10000000006fff9054e411b0002e10000000006fffb054e411b0002e10000000006fffd054e411b0002e10000000006ffff054e411b0002e10000000006ff01054e411b0002e10000000006ff03054e411b0002e10000000006ff05054e411b0002e10000000006ff07054e411b0002e10000000006ff09054e411b0002e10000000006ff0b054e411b0002e10000000006ff0d054e411b0002e10000000006ff0f054e411b0002e10000000006ff11054e411b0002e10000000006ff13054e411b0002e10000000006ff15054e411b0002e10000000006ff17054e411b0002e10000000006ff19054e411b0002e10000000006ff1b054e411b0002e10000000006ff1d054e411b0002e10000000006ff1f054e411b0002e10000000006ff21054e411b0002e10000000006ff23054e411b0002e10000000006ff25054e411b0002e10000000006ff27054e411b0002e10000000006ff29054e411b0002e10000000006ff2b054e411b0002e10000000006ff2d054e411b0002e10000000006ff2f054e411b0002e10000000006ff31054e411b0002e10000000006ff33054e411b0002e10000000006ff35054e411b0002e10000000006ff37054e411b0002e10000000006ff39054e411b0002e10000000006ff3b054e411b0002e10000000006ff3d054e411b0002e10000000006ff3f054e411b0002e10000000006ff41054e411b0002e10000000006ff43054e411b0002e10000000006ff45054e411b0002e10000000006ff47054e411b0002e10000000006ff49054e411b0002e10000000006ff4b054e411b0002e10000000006ff4d054e411b0002e10000000006ff4f054e411b0002e10000000006ff51054e411b0002e10000000006ff53054e411b0002e10000000006ff55054e411b0002e10000000006ff57054e411b0002e10000000006ff59054e411b0002e10000000006ff5b054e411b0002e10000000006ff5d054e411b0002e10000000006ff5f054e411b0002e10000000006ff61054e411b0002e10000000006ff6305
  EOF

  I also attached the traces to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -M pc-q35-5.0 -nographic -qtest stdio -monitor none
  -serial none < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878250/+subscriptions

[Bug 1878250] [NEW] Assertion failure in iov_from_buf_full through the e1000e

Reply via email to