From: John Snow <jsnow@redhat.com>
To: "Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: lvivier@redhat.com, bsd@redhat.com, qemu-devel@nongnu.org,
	Stefan Hajnoczi <stefanha@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: Assertion failure through vring_split_desc_read
Date: Thu, 14 May 2020 13:22:55 -0400	[thread overview]
Message-ID: <445b8ed8-289d-7e0f-3168-fa9c2f48c18c@redhat.com> (raw)
In-Reply-To: <20200514135007.qzv2icgm5olrzre6@mozz.bu.edu>



On 5/14/20 9:50 AM, Alexander Bulekov wrote:
> On 200514 1012, Philippe Mathieu-Daudé wrote:
>> On 5/14/20 1:24 AM, John Snow wrote:
>>>
>>>
>>> On 5/10/20 11:51 PM, Alexander Bulekov wrote:
>>>> Hello,
>>>> While fuzzing, I found an input that triggers an assertion failure
>>>> through virtio-rng -> vring_split_desc_read. Maybe this is related to:
>>>> Message-ID: <20200511033001.dzvtbdhl3oz5pgiy@mozz.bu.edu>
>>>> Assertion failure through virtio_lduw_phys_cached
>>>>
>>>> #8 0x7fe6a9acf091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
>>>> #9 0x564cbe7d96fd in address_space_read_cached include/exec/memory.h:2423:5
>>>> #10 0x564cbe7e79c5 in vring_split_desc_read hw/virtio/virtio.c:236:5
>>>> #11 0x564cbe7e84ce in virtqueue_split_read_next_desc hw/virtio/virtio.c:929:5
>>>> #12 0x564cbe78f86b in virtqueue_split_get_avail_bytes hw/virtio/virtio.c:1009:18
>>>> #13 0x564cbe78ab22 in virtqueue_get_avail_bytes hw/virtio/virtio.c:1208:9
>>>> #14 0x564cc08aade1 in get_request_size hw/virtio/virtio-rng.c:40:5
>>>> #15 0x564cc08aa20b in virtio_rng_process hw/virtio/virtio-rng.c:115:12
>>>> #16 0x564cc08a8c48 in virtio_rng_set_status hw/virtio/virtio-rng.c:172:5
>>>> #17 0x564cbe7a50be in virtio_set_status hw/virtio/virtio.c:1876:9
>>>> #18 0x564cc08d1b8f in virtio_pci_common_write hw/virtio/virtio-pci.c:1245:9
>>>>
>>>> I can reproduce it in a qemu 5.0 build using these qtest commands:
>>>> https://paste.debian.net/plain/1146089
>>>> (not including them here, as some are quite long)
>>>>
>>>> wget https://paste.debian.net/plain/1146089 -O qtest-trace; ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0  -device virtio-rng-pci,addr=04.0 -display none -nodefaults -nographic -qtest stdio < qtest-trace
>>>>
>>>> Please let me know if I can provide any further info.
>>>> -Alex
>>>>
>>>
>>> Do you have a writeup somewhere of how you are approaching fuzzing and
>>> how you've found this pile of bugs so far?
>>
>> There is docs/devel/fuzzing.txt:
>>
>> https://git.qemu.org/?p=qemu.git;a=blob;f=docs/devel/fuzzing.txt;hb=v5.0.0
>>
>>>
>>> Might make for a good blog post.
> 
> I am working on a patchset for the particular fuzzer I used to find
> these bugs. With that, I'll also update docs/devel/fuzzing.txt.
> 
>>
>> Good idea!
> 
> Yes, I agree :)
> 

Awesome, I look forward to it. Thanks for the reports and the bugs filed
on LP.

--js

Thread overview: 7+ messages
2020-05-11  3:51 Assertion failure through vring_split_desc_read Alexander Bulekov
2020-05-12 13:49 ` Laurent Vivier
2020-05-12 15:14   ` Laurent Vivier
2020-05-13 23:24 ` John Snow
2020-05-14  8:12   ` Philippe Mathieu-Daudé
2020-05-14 13:50     ` Alexander Bulekov
2020-05-14 17:22       ` John Snow [this message]