. This driver leaks some
state in the form of files/directories created in the shared dir.
* One with the synth driver. While it is not used in the real world, this
driver won't leak state between fuzz inputs.
Signed-off-by: Alexander Bulekov
---
CC: Christian Schoenebeck
CC: Greg
On 210118 1030, Thomas Huth wrote:
> On 18/01/2021 09.43, Paolo Bonzini wrote:
> > On 17/01/21 21:10, Alexander Bulekov wrote:
> > > This is useful for building reproducers. Instead of checking the code or
> > > the QEMU_FUZZ_ARGS, the arguments are at the top of the cra
On 210118 1334, Christian Schoenebeck wrote:
> On Montag, 18. Januar 2021 00:09:24 CET Alexander Bulekov wrote:
> > virtio-9p devices are often used to expose a virtual-filesystem to the
> > guest. There have been some bugs reported in this device, such as
> > CVE-2018-1936
On 210118 1536, Darren Kenny wrote:
> On Sunday, 2021-01-17 at 18:09:24 -05, Alexander Bulekov wrote:
> > virtio-9p devices are often used to expose a virtual-filesystem to the
> > guest. There have been some bugs reported in this device, such as
> > CVE-2018-19364, and CVE-
On 210118 1540, Darren Kenny wrote:
> On Monday, 2021-01-18 at 10:30:33 -05, Alexander Bulekov wrote:
> > On 210118 1334, Christian Schoenebeck wrote:
> >> On Montag, 18. Januar 2021 00:09:24 CET Alexander Bulekov wrote:
> >> > virtio-9p devices are often used to expo
cmd_fis is mapped as DMA_DIRECTION_FROM_DEVICE, however, it is read
from, and not written to anywhere. Fix the DMA_DIRECTION and mark
cmd_fis as read-only in the code.
Signed-off-by: Alexander Bulekov
---
hw/ide/ahci.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff
esult, we will fill all mapped DMA regions with fuzzed data, ignoring
the specified transfer direction.
Signed-off-by: Alexander Bulekov
---
include/exec/memory.h | 8 +++-
include/exec/memory_ldst_cached.h.inc | 6 +++---
memory_ldst.c.inc | 8
so
.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/generic_fuzz_configs.h | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h
b/tests/qtest/fuzz/generic_fuzz_configs.h
index 7fed035345..2ec52fbb63 100644
--- a/tests
On 210120 1053, Thomas Huth wrote:
> On 20/01/2021 07.07, Alexander Bulekov wrote:
> > Disks work differently depending on the x86 machine type (SATA vs PATA).
> > Additionally, we should fuzz the atapi code paths, which might contain
> > vulnerabilities such as CVE-2020-2
On 210120 1003, Philippe Mathieu-Daudé wrote:
> On 1/20/21 7:07 AM, Alexander Bulekov wrote:
> > Disks work differently depending on the x86 machine type (SATA vs PATA).
> > Additionally, we should fuzz the atapi code paths, which might contain
> > vulnerabilities such as
On 210120 1811, Michael Tokarev wrote:
> As someone noticed on IRC, old (2.x) RedHat floppies do not boot
> in current qemu. When qemu is booted from floppy image at
> https://archive.org/details/RedHatLinuxBootDisk521998
> (download the "ISO image" link there, it really is an 1.44 floppy),
> s
.
Signed-off-by: Alexander Bulekov
---
v2: Fix ide-hd -> ide-cd in the ahci-atapi config
tests/qtest/fuzz/generic_fuzz_configs.h | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h
b/tests/qtest/f
.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/generic_fuzz_configs.h | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h
b/tests/qtest/fuzz/generic_fuzz_configs.h
index 7fed035345
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
docs/devel/fuzzing.rst | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
index 6096242d99..5f5200c843 100644
--- a/docs/devel/fuzzing.rst
+++ b/docs/devel
This is useful for building reproducers. Instead of checking the code or
the QEMU_FUZZ_ARGS, the arguments are at the top of the crash log.
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
tests/qtest/fuzz/fuzz.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff
er configs for PATA/SATA ide-hd and atapi devices
* Remove a DMA callback check that was limiting the fuzzer
* Improve debug info and documentation
----
Alexander Bulekov (7):
fuzz: ignore address_space_map is_write flag
fuzz:
aining the corresponding QEMU arguments. This can be useful
for targets that rely on e.g.:
* a temporary qcow2 image
* a temporary directory
* an unused TCP port used to bind the VNC server
Signed-off-by: Alexander Bulekov
Reviewed-by: Thomas Huth
---
tests/qtest/fuzz/generic_fuzz.c
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
docs/devel/fuzzing.rst | 26 ++
1 file changed, 26 insertions(+)
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
index 5f5200c843..b9bb07988b 100644
--- a/docs/devel/fuzzing.rst
+++ b/docs/devel
esult, we will fill all mapped DMA regions with fuzzed data, ignoring
the specified transfer direction.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
include/exec/memory.h | 8 +++-
include/exec/memory_ldst_cached.h.inc | 6 +++---
memory_ldst.
. This driver leaks some
state in the form of files/directories created in the shared dir.
* One with the synth driver. While it is not used in the real world, this
driver won't leak state between fuzz inputs.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/
.
Signed-off-by: Alexander Bulekov
Acked-by: Thomas Huth
---
tests/qtest/fuzz/generic_fuzz_configs.h | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h
b/tests/qtest/fuzz/generic_fuzz_configs.h
index f99657cdbc
Nack
On 210120 1235, Alexander Bulekov wrote:
> Hi Peter,
>
> The following changes since commit 48202c712412c803ddb56365c7bca322aa4e7506:
>
> Merge remote-tracking branch
> 'remotes/pmaydell/tags/pull-target-arm-20210119-1' into staging (2021-01-19
> 15:47:
On 11/5/19 11:41 AM, Darren Kenny wrote:
On Wed, Oct 30, 2019 at 02:49:48PM +, Oleinik, Alexander wrote:
From: Alexander Oleinik
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about d
On 11/6/19 11:56 AM, Stefan Hajnoczi wrote:
On Wed, Oct 30, 2019 at 02:49:58PM +, Oleinik, Alexander wrote:
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
There's a particularly ugly line here:
qtest_client_set_tx_handler(qts,
(void (*)(QTestState *s, const char*,
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ * Alexander Bulekov
Bulekov instead of Oleinik?
Yes I changed my last name and the approval from the court finally came
through last week :)
I'll make sure it's consistent across v5.
+ *
+ * This work is licensed under the terms of th
zer
* pass check-patch
Alexander Bulekov (20):
softmmu: split off vl.c:main() into main.c
libqos: Rename i2c_send and i2c_recv
fuzz: Add FUZZ_TARGET module type
qtest: add qtest_server_send abstraction
libqtest: Add a layer of abstraction to send/recv
module: check module wasn't alre
the fuzz target based on this name, rather than the
--fuzz-target argument. This is useful for systems such as oss-fuzz
where we don't have control of the arguments passed to the fuzzer.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/fuzz.c | 19 +++
1 file change
Signed-off-by: Alexander Bulekov
---
tests/test-char.c | 83 +++
1 file changed, 83 insertions(+)
diff --git a/tests/test-char.c b/tests/test-char.c
index 3afc9b1b8d..9b3e1e2a9b 100644
--- a/tests/test-char.c
+++ b/tests/test-char.c
@@ -1228,6
: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
chardev/char-file.c | 5 +
chardev/char.c | 3 +++
qemu-options.hx | 7 +--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/chardev/char-file.c b/chardev/char-file.c
index 2fd80707e5..031f2aa7d7 100644
--- a/chardev
This adds a pathin= option to -chardev file, which allows specifying
distinct input and output paths for the chardev. This functionality was
already available through QMP.
Alexander Bulekov (2):
chardev: enable distinct input for -chardev file
char-file: add test for distinct path= and pathin
Hello,
While fuzzing, I found an input that triggers an assertion failure in
virtio-net.c:
hw/net/virtio-net.c:533: void virtio_net_reset(VirtIODevice *): Assertion
`!virtio_net_get_subqueue(nc)->async_tx.elem' failed.
#9 0x55a33fa31b78 in virtio_net_reset hw/net/virtio-net.c:533:13
#10 0x55a33f
Hello,
While fuzzing, I found an input that triggers an assertion failure in
address_space_lduw_le_cached:
void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t,
MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len -
addr' failed.
#8 0x7f53dabda091 in __as
Hello,
While fuzzing, I found an input that triggers an assertion failure
through virtio-rng -> vring_split_desc_read. Maybe this is related to:
Message-ID: <20200511033001.dzvtbdhl3oz5p...@mozz.bu.edu>
Assertion failure through virtio_lduw_phys_cached
#8 0x7fe6a9acf091 in __assert_fail
/build/g
Hello,
While fuzzing, I found an input that triggers an assertion through
virtio-blk.c:
void address_space_unmap(AddressSpace *, void *, hwaddr, int, hwaddr):
Assertion `mr != NULL' failed
#8 0x7fa947707091 in __assert_fail
/build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
#9 0x55ec68a73a97
n't pass the sender check.
>
> Fix by using the peer.
>
> Reported-by: "Alexander Bulekov"
> Fixes: ca77d85e1dbf9 ("net: complete all queued packets on VM stop")
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Jason Wang
Hi Jason,
With this patch, I can
Hello,
While fuzzing, I found an input that triggers a null-ptr dereference in
aio_bh_enqueue, through virtio-balloon. Based on the stacktrace below,
I am not positive that this is specific to virtio-balloon, however
I have not encountered the same issue for any of the other virtio
devices I am fuz
Hello,
While fuzzing, I found an input that triggers an assertion failure in
mch_update_pciexbar:
#6 0x7f38d387c55a in abort /build/glibc-GwnBeO/glibc-2.30/stdlib/abort.c:79:7
#7 0x55c27e94ffd0 in mch_update_pciexbar hw/pci-host/q35.c:331:9
#8 0x55c27e94db38 in mch_write_config hw/pci-host/q35.c:4
Hello,
While fuzzing, I found an input that triggers an assertion failure in
pci_bus_get_irq_level through ich9_lpc_update_apic:
int pci_bus_get_irq_level(PCIBus *, int): Assertion `irq_num < bus->nirq'
failed.
#8 0x7fc7d4fa4091 in __assert_fail
/build/glibc-GwnBeO/glibc-2.30/assert/assert.c:10
Hello,
While fuzzing, I found an input that triggers an assertion failure in
net_tx_pkt_add_raw_fragment through the e1000e:
_Bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *, hwaddr, size_t): Assertion
`pkt->max_raw_frags > pkt->raw_frags' failed.
#8 0x7f2930b0d091 in __assert_fail
/build/gl
On 200511 0910, Philippe Mathieu-Daudé wrote:
> On 5/11/20 8:19 AM, Philippe Mathieu-Daudé wrote:
> > On 5/11/20 6:59 AM, Alexander Bulekov wrote:
> > > Hello,
> > > While fuzzing, I found an input that triggers an assertion failure in
> > > mch_update_pciexba
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an overlapping memcpy (caught by
AddressSanitizer).
Overlapping memcpys are undefined behavior according to the POSIX and C
standards, and can lead to bugs.
==22287==ERROR: AddressSanitizer: memcpy-param-overlap: memory r
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an overlapping memcpy (caught by
AddressSanitizer).
Overlapping memcpys are undefined behavior according to the POSIX and C
standards, and can lead to bugs.
==1==ERROR: AddressSanitizer: memcpy-param-overlap: memory r
Forgot the attachment..
** Attachment added: "attachment"
https://bugs.launchpad.net/qemu/+bug/1878054/+attachment/5369967/+files/attachment
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878054
Public bug reported:
Hello,
While fuzzing, I found an input that causes QEMU to hang with 100% CPU usage.
I have waited several minutes, and QEMU is still unresponsive. Using gdb, it
appears that it is stuck in an sdhci_data_transfer:
#0 memory_region_access_valid (mr=, addr=0x10284920,
size=,
Public bug reported:
Hello,
While fuzzing, I found an input that triggers a null-pointer dereference in
megasas_command_complete:
==14959==ERROR: AddressSanitizer: SEGV on unknown address 0x0003 (pc
0x55b1d11b4df1 bp 0x7ffeb55ca450 sp 0x7ffeb55ca1e0 T0)
==14959==The signal is caused by a
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion failure in
eth_get_gso_type through the e1000e:
#1 0x7685755b in __GI_abort () at abort.c:79
#2 0x77c75dc3 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x77cd0b0a in g_asse
Previously, we relied on "FuzzerTracePC*(.bss*)" to place libfuzzer's
fuzzer::TPC object into our contiguous shared-memory region. This does
not work for some libfuzzer builds, so this addition identifies the
region by its mangled name: *(.bss._ZN6fuzzer3TPCE);
Signed-off-by: Al
the timer events do not pile up, over time.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/i440fx_fuzz.c | 1 +
tests/qtest/fuzz/virtio_net_fuzz.c | 2 ++
tests/qtest/fuzz/virtio_scsi_fuzz.c | 2 ++
3 files changed, 5 insertions(+)
I'm working on another series to abstract a
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/i440fx_fuzz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
index ab5f112584..90e75ffaea 100644
--- a/tests/qtest/fuzz/i440fx_fuzz.c
+++ b/tests/qtest/fuzz
invalid argument to qemu_main
* Add an alternate name to resolve libfuzzer's internal fuzzer::TPC
object at link-time
* For all fork-based fuzzers, run the main-loop in the parent, to
prevent the clock from running far-ahead of the previous main-loop.
-Alex
Alexander Bulekov (4):
This allows us to keep pc-bios in executable_dir/pc-bios, rather than
executable_dir/../pc-bios, which is incompatible with oss-fuzz' file
structure.
Signed-off-by: Alexander Bulekov
---
include/sysemu/sysemu.h | 2 ++
softmmu/vl.c| 2 +-
tests/qtest/fuzz/fuzz.c
: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
chardev/char-file.c | 5 +
chardev/char.c | 3 +++
qemu-options.hx | 7 +--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/chardev/char-file.c b/chardev/char-file.c
index 2fd80707e5
test.
Alexander Bulekov (2):
chardev: enable distinct input for -chardev file
char-file: add test for distinct path= and pathin=
chardev/char-file.c | 5 +++
chardev/char.c | 3 ++
qemu-options.hx | 7 +++-
tests/test-char.c | 96 +
4
Signed-off-by: Alexander Bulekov
---
tests/test-char.c | 96 +++
1 file changed, 96 insertions(+)
diff --git a/tests/test-char.c b/tests/test-char.c
index 3afc9b1b8d..6c66fae86a 100644
--- a/tests/test-char.c
+++ b/tests/test-char.c
@@ -1228,6
** Attachment added: "The qtest commands for triggering the assertion in
ati_reg_read_offs"
https://bugs.launchpad.net/qemu/+bug/1878136/+attachment/5370129/+files/attachment2
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https
Public bug reported:
Hello,
While fuzzing, I found inputs that trigger assertion failures in
ati_reg_read_offs/ati_reg_write_offs
uint32_t extract32(uint32_t, int, int): Assertion `start >= 0 && length
> 0 && length <= 32 - start' failed
#3 0x76866092 in __GI___assert_fail (assertion=0x5
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion failure in
iov_from_buf_full through the e1000e:
size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t,
const void *, size_t): Assertion `offset == 0' failed.
#3 0x76866092 in __GI___as
Public bug reported:
Hello,
While fuzzing, I found an input that triggers a null-ptr dereference in
address_space_to_flatview through ide:
==31699==ERROR: AddressSanitizer: SEGV on unknown address 0x0020 (pc
0x55e0f562bafd bp 0x7ffee92355b0 sp 0x7ffee92354e0 T0)
==31699==The signal is ca
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion failure in
bdrv_aio_cancel, through ide:
#1 0x7685755b in __GI_abort () at abort.c:79
#2 0x56a8d396 in bdrv_aio_cancel (acb=0x60761290) at
/home/alxndr/Development/qemu/block/io.c:2746
#
Public bug reported:
Hello,
While fuzzing, I found an input that triggers a null-pointer dereference in
megasas_handle_frame:
==1595==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc
0x55e3e83e6e08 bp 0x7ffdb04c63b0 sp 0x7ffd
==1595==The signal is caused by a READ memory acce
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion-failure in
scsi_dma_complete, with megasas:
qemu-system-i386: /home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:292:
void scsi_dma_complete(void *, int): Assertion `r->req.aiocb != NULL'
failed.
#3 0x7ff
Hello Prasad,
I noticed this since I found a similar issue recently, using a fuzzer.
I applied your patches, but I can still reproduce the heap-overflow,
unless I'm missing something:
==20527==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f79f968a5e0 at pc 0x55b6bb84ce28 bp 0x7ffcbc
o,read-zeroes=on,node-name=null0 -nographic
EOF
On 200512 1508, Alexander Bulekov wrote:
> Hello Prasad,
> I noticed this since I found a similar issue recently, using a fuzzer.
> I applied your patches, but I can still reproduce the heap-overflow,
> unless I'm missing somethi
On 200512 2259, Philippe Mathieu-Daudé wrote:
> On 5/12/20 9:48 PM, Alexander Bulekov wrote:
> > Oops I realized I posted a bad stacktrace and a bad reproducer :)
> > Fixed stacktrace:
> >
> > ==20527==ERROR: AddressSanitizer: heap-buffer-overflow on addres
Hello,
While fuzzing, I found an input that triggers this assertion-failure in
usb_ep_get
/home/alxndr/Development/qemu/hw/usb/core.c:723: struct USBEndpoint
*usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid ==
USB_TOKEN_OUT' failed.
#3 0x76866092 in __GI___asse
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion-failure in usb_detach
/home/alxndr/Development/qemu/hw/usb/core.c:69: void usb_detach(USBPort *):
Assertion `dev->state != USB_STATE_NOTATTACHED' failed.
#3 0x76866092 in __GI___assert_fail (assertion
On 200513 1919, P J P wrote:
> Hello Alex,
>
> +-- On Tue, 12 May 2020, Alexander Bulekov wrote --+
> | I noticed this since I found a similar issue recently, using a fuzzer. I
> | applied your patches, but I can still reproduce the heap-overflow, unless
> | I
On 200514 0055, P J P wrote:
> From: Prasad J Pandit
>
> While in megasas_handle_frame(), megasas_enqueue_frame() may
> set a NULL frame into MegasasCmd object for a given 'frame_addr'
> address. Add check to avoid a NULL pointer dereference issue.
>
> Reported
id OOB
> access issue.
>
> Also check that 'index' value stays within s->frames[] bounds
> through the while() loop in 'megasas_lookup_frame' to avoid OOB
> access.
>
> Reported-by: Ren Ding
> Reported-by: Hanqing Zhao
> Reported-by: Alexander B
On 200514 1012, Philippe Mathieu-Daudé wrote:
> On 5/14/20 1:24 AM, John Snow wrote:
> >
> >
> > On 5/10/20 11:51 PM, Alexander Bulekov wrote:
> > > Hello,
> > > While fuzzing, I found an input that triggers an assertion failure
> > > through vi
Public bug reported:
Hello,
I found an input which triggers an abort() in mch_update_pciexbar:
#0 0x7686d761 in __GI_raise (sig=sig@entry=0x6) at
../sysdeps/unix/sysv/linux/raise.c:50
#1 0x7685755b in __GI_abort () at abort.c:79
#2 0x5705c7ae in mch_update_pciexbar (mc
Public bug reported:
Hello,
I found an input which triggers an assertion failure in pci_bus_get_irq_level:
qemu-system-i386: /home/alxndr/Development/qemu/hw/pci/pci.c:268: int
pci_bus_get_irq_level(PCIBus *, int): Assertion `irq_num < bus->nirq' failed.
Aborted
#0 0x7686d761 in __GI_ra
Public bug reported:
Hello,
While fuzzing, I found an input which triggers a NULL pointer dereference in
tcg_handle_interrupt. It seems the culprit is a "cpu" pointer - maybe this bug
is specific to QTest?
==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x00b4 (pc
0x55b9dc7c9d
Public bug reported:
Hello,
While fuzzing, I found an input which triggers an assertion failure in
e1000e_write_to_rx_buffers:
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1424: void
e1000e_write_to_rx_buffers(E1000ECore *, hwaddr (*)[4], e1000e_ba_state *,
const char *, dma_addr_t): Asse
On 200514 1634, Philippe Mathieu-Daudé wrote:
> I took some code notes while testing Alex's toy.
> Sending them as patches.
Thank you for these! I'd send my review tags, if they weren't already
pulled.
> Alex, I had these issues while building following
> docs/devel/fuzzing.txt:
>
> CC
*** This bug is a duplicate of bug 1878134 ***
https://bugs.launchpad.net/bugs/1878134
** This bug has been marked a duplicate of bug 1878134
Assertion failures in ati_reg_read_offs/ati_reg_write_offs
--
You received this bug notification because you are a member of qemu-
devel-ml, which
ied this patch and confirmed that I cannot reproduce the crash in #1878134
Thanks!
Acked-by: Alexander Bulekov
> hw/display/ati.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index f4c4542751..2ee23173b2 100644
>
Public bug reported:
Hello,
While fuzzing, I found an input which triggers an assertion failure in
e1000e_write_rx_descr:
qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1359: void
e1000e_write_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const
E1000E_RSSInfo *, siz
Public bug reported:
Hello,
While fuzzing, I found an input which triggers an assertion failure in
e1000e_write_lgcy_rx_descr:
qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1283: void
e1000e_write_lgcy_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const
E1000E_RSSI
On 200515 0526, Markus Armbruster wrote:
> Alexander Bulekov writes:
>
> > ``-chardev pipe,id=id,path=path``
> > Create a two-way connection to the guest. The behaviour differs
> > slightly between Windows hosts and other hosts:
>
> "pathin" is
ping?
On 200511 2301, Alexander Bulekov wrote:
> Hello,
> With these patches, the fuzzer passes the oss-fuzz build checks.
> There are also some miscellaneous improvements to the fuzzer, in general:
> * If building for oss-fuzz, check executable_dir/pc-bios for
>the bios images
From Prasad:
struct ip6_ext_hdr {
uint8_t ip6r_nxt; /* next header */
uint8_t ip6r_len; /* length in units of 8 octets */
};
struct ip6_ext_hdr_routing {
uint8_t nxt;
uint8_t len;
uint8_t rtype;
uint8_t segleft;
uint8_t rsvd[4];
};
Yes, it looks like because 'struct ip6_ext_hdr' type st
Public bug reported:
Hello,
While fuzzing, I found a 1-byte stack-overflow (read) through the
e1000e.
==10318==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdb76c16c2 at pc 0x55594f1a69e1 bp 0x7ffdb76c15a0 sp 0x7ffdb76c1598
READ of size 1 at 0x7ffdb76c16c2 thread T0
#0 0x55
On 200520 1851, Philippe Mathieu-Daudé wrote:
> On 5/12/20 5:01 AM, Alexander Bulekov wrote:
-snip-
> > +/*
> > + * With oss-fuzz, the executable is kept in the root of a
> > directory (we
> > + * cannot assume the path). All data (including
't work in that context.
>
Yes - I was not really sure how to deal with those failures, so I sent
the patch anyway. Maybe someone else knows a workaround.
-Alex
> Thanks,
>
> Darren.
>
> On Friday, 2020-05-29 at 18:14:48 -04, Alexander Bulekov wrote:
> > In the same ve