Patch discussion: https://patchew.org/QEMU/[email protected]/
Operating system: Debian 12
OS/kernel version: Linux 6.1.0-17-amd64
Architecture: x86_64
QEMU flavor: qemu-system-x86_64
QEMU version: QEMU emulator version 9.2.50 (v9.2.0-1537-gd922088eb4)
QEMU command line:
./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -M q35 -nodefaults -device virtio-net,netdev=net0,packed=on -netdev user,id=net0 -qtest stdio
The issue was found by fuzzing. The assert
qemu/include/exec/memory_ldst_cached.h.inc:30: uint16_t address_space_lduw_le_cached(MemoryRegionCache *, hwaddr, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
can be triggered with some qtest commands. This is pretty similar to issue_302 and issue_781, but somewhat different. In issue_781 there is a comment that the issue was possibly fixed by commit 10d35e58 ("virtio-pci: fix queue_enable write"), but unfortunately it is not: we can still trigger this assert with another set of command-line arguments and qtest commands.
Command:
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -M q35 -nodefaults -device virtio-net,netdev=net0,packed=on -netdev user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
outl 0xcf8 0x80000804
outw 0xcfc 0x7
write 0xe0004008 0x1 0x01
write 0xe000400c 0x1 0x04
outl 0xc00b 0x01000000
outl 0xc006 0x38380000
outl 0xc001 0x00
outl 0xc00f 0x04000100
write 0x3839003 0x1 0x01
EOF
Results in
[I 0.000000] OPENED
[R +0.028638] outl 0xcf8 0x80000810
[S +0.028692] OK
OK
[R +0.028705] outl 0xcfc 0xc000
[S +0.028729] OK
OK
[R +0.028738] outl 0xcf8 0x80000820
[S +0.028748] OK
OK
[R +0.028763] outl 0xcfc 0xe0004000
[S +0.028784] OK
OK
[R +0.028800] outl 0xcf8 0x80000804
[S +0.029483] OK
OK
[R +0.029509] outw 0xcfc 0x7
[S +0.029820] OK
OK
[R +0.029833] write 0xe0004008 0x1 0x01
[S +0.029846] OK
OK
[R +0.029853] write 0xe000400c 0x1 0x04
[S +0.029882] OK
OK
[R +0.029894] outl 0xc00b 0x01000000
[S +0.029909] OK
OK
[R +0.029923] outl 0xc006 0x38380000
[S +0.029938] OK
OK
[R +0.029944] outl 0xc001 0x00
[S +0.029953] OK
OK
[R +0.029959] outl 0xc00f 0x04000100
[S +0.030073] OK
OK
[R +0.030091] write 0x3839003 0x1 0x01
[S +0.030106] OK
OK
qemu-system-x86_64: /home/artemiin/Work/original_qemu/include/exec/memory_ldst_cached.h.inc:30: uint16_t address_space_lduw_le_cached(MemoryRegionCache *, hwaddr, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
There is a stack trace from libFuzzer output:
#0 0x5555561bcfc1 in __sanitizer_print_stack_trace (qemu/build/qemu-fuzz-x86_64+0xc68fc1) (BuildId: 97b846e788f9dda2a285e5ea004d922c4886a315)
<some_assert_calls>
#6 0x7ffff48d4471 in abort stdlib/abort.c:79:7
#7 0x7ffff48d4394 in __assert_fail_base assert/assert.c:92:3
#8 0x7ffff48e2eb1 in __assert_fail assert/assert.c:101:3
#9 0x555557043c41 in address_space_lduw_le_cached qemu/include/exec/memory_ldst_cached.h.inc:30:5
#10 0x555557043c41 in lduw_le_phys_cached qemu/include/exec/memory_ldst_phys.h.inc:67:12
#11 0x555557043c41 in virtio_lduw_phys_cached qemu/include/hw/virtio/virtio-access.h:166:12
#12 0x555557030a78 in vring_avail_ring qemu/build/../hw/virtio/virtio.c:389:12
#13 0x555557030a78 in virtqueue_get_head qemu/build/../hw/virtio/virtio.c:1043:13
#14 0x555557030a78 in virtqueue_split_pop qemu/build/../hw/virtio/virtio.c:1540:10
#15 0x555557030a78 in virtqueue_pop qemu/build/../hw/virtio/virtio.c:1790:16
#16 0x555556f9aaf9 in virtio_net_flush_tx qemu/build/../hw/net/virtio-net.c:2746:16
#17 0x555556f9a4dc in virtio_net_tx_bh qemu/build/../hw/net/virtio-net.c:2953:11
#18 0x5555577152e2 in aio_bh_call qemu/build/../util/async.c:171:5
#19 0x555557715830 in aio_bh_poll qemu/build/../util/async.c:218:13
#20 0x5555576ce2d7 in aio_dispatch qemu/build/../util/aio-posix.c:423:5
#21 0x555557717918 in aio_ctx_dispatch qemu/build/../util/async.c:360:5
#22 0x7ffff69837a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) (BuildId: 9f90bd7bbfcf84a1f1c5a6102f70e6264837b9d4)
#23 0x5555577187cd in glib_pollfds_poll qemu/build/../util/main-loop.c:287:9
#24 0x5555577187cd in os_host_main_loop_wait qemu/build/../util/main-loop.c:310:5
#25 0x5555577187cd in main_loop_wait qemu/build/../util/main-loop.c:589:11
#26 0x5555571ce309 in flush_events qemu/build/../tests/qtest/fuzz/fuzz.c:50:9
#27 0x5555571d662b in generic_fuzz qemu/build/../tests/qtest/fuzz/generic_fuzz.c:669:13
#28 0x5555571ce7de in LLVMFuzzerTestOneInput qemu/build/../tests/qtest/fuzz/fuzz.c:158:5
<fuzzer_init_calls>
#35 0x5555560e2510 in _start (qemu/build/qemu-fuzz-x86_64+0xb8e510) (BuildId: 97b846e788f9dda2a285e5ea004d922c4886a315)
FYI @mstredhat
Issue details are described in https://gitlab.com/NTPsec/ntpsec/-/issues/836. This MR is based on this commit: 5cffe91b
Operating system: Debian 12
OS/kernel version: Linux 6.1.0-17-amd64
Architecture: x86_64
QEMU flavor: qemu-system-x86_64
QEMU version: QEMU emulator version 9.2.50 (v9.2.0-1001-g7433709a14)
QEMU command line:
./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0 -qtest stdio
Does not matter
The issue was found by fuzzing. With some qtest commands we can crash qemu-system-x86_64 because of a NULL pointer dereference.
Command:
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0 -qtest stdio
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0xe00003b8 0x1 0x01
write 0x0 0x1 0x27
write 0x1 0x1 0x80
write 0x2 0x1 0x20
write 0x7 0x1 0x01
write 0xe0000398 0x1 0x01
write 0xe0000398 0x1 0x00
write 0xe0000398 0x1 0x01
EOF
Results in
[I 0.000001] OPENED
[R +0.082978] outl 0xcf8 0x8000fa24
[S +0.083040] OK
OK
[R +0.083070] outl 0xcfc 0xe0000000
[S +0.083115] OK
OK
[R +0.083132] outl 0xcf8 0x8000fa04
[S +0.083152] OK
OK
[R +0.083180] outw 0xcfc 0x06
[S +0.084233] OK
OK
[R +0.084291] write 0xe00003b8 0x1 0x01
[S +0.084344] OK
OK
[R +0.084384] write 0x0 0x1 0x27
[S +0.085007] OK
OK
[R +0.085041] write 0x1 0x1 0x80
[S +0.085055] OK
OK
[R +0.085071] write 0x2 0x1 0x20
[S +0.085084] OK
OK
[R +0.085096] write 0x7 0x1 0x01
[S +0.085110] OK
OK
[R +0.085123] write 0xe0000398 0x1 0x01
[S +0.085254] OK
OK
[R +0.085294] write 0xe0000398 0x1 0x00
[S +0.085324] OK
OK
[R +0.085349] write 0xe0000398 0x1 0x01
[S +0.085408] OK
OK
../hw/ide/ahci.c:1377:46: runtime error: member access within null pointer of type 'AHCICmdHdr' (aka 'struct AHCICmdHdr')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in
../hw/ide/ahci.c:1377:46: runtime error: load of null pointer of type 'uint16_t' (aka 'unsigned short')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2547739==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55abf3a79f9c bp 0x7ffc213000d0 sp 0x7ffc212fffa0 T0)
==2547739==The signal is caused by a READ memory access.
==2547739==Hint: address points to the zero page.
#0 0x55abf3a79f9c in ahci_pio_transfer /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46
#1 0x55abf3a8a396 in ide_transfer_start_norecurse /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:581:5
#2 0x55abf3aab79e in ide_transfer_start /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:588:9
#3 0x55abf3aab79e in ide_sector_read_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:789:5
#4 0x55abf3a8d6e2 in ide_buffered_readv_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:684:9
#5 0x55abf4f31d33 in blk_aio_complete /home/artemiin/Work/original_qemu/build/../block/block-backend.c:1552:9
#6 0x55abf545010b in aio_bh_call /home/artemiin/Work/original_qemu/build/../util/async.c:172:5
#7 0x55abf545089f in aio_bh_poll /home/artemiin/Work/original_qemu/build/../util/async.c:219:13
#8 0x55abf53e746a in aio_dispatch /home/artemiin/Work/original_qemu/build/../util/aio-posix.c:424:5
#9 0x55abf545469a in aio_ctx_dispatch /home/artemiin/Work/original_qemu/build/../util/async.c:361:5
#10 0x7f358845b7a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) (BuildId: 9f90bd7bbfcf84a1f1c5a6102f70e6264837b9d4)
#11 0x55abf5455787 in glib_pollfds_poll /home/artemiin/Work/original_qemu/build/../util/main-loop.c:287:9
#12 0x55abf5455787 in os_host_main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:310:5
#13 0x55abf5455787 in main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:589:11
#14 0x55abf425c296 in qemu_main_loop /home/artemiin/Work/original_qemu/build/../system/runstate.c:835:9
#15 0x55abf51df1c6 in qemu_default_main /home/artemiin/Work/original_qemu/build/../system/main.c:48:14
#16 0x55abf51df1a1 in main /home/artemiin/Work/original_qemu/build/../system/main.c:76:9
#17 0x7f3587219249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#18 0x7f3587219304 in __libc_start_main csu/../csu/libc-start.c:360:3
#19 0x55abf353be60 in _start (/home/artemiin/Work/original_qemu/build/qemu-system-x86_64+0x1828e60) (BuildId: f91712a3af40a999ce35e39809ce00f92c35ae25)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46 in ahci_pio_transfer
==2547739==ABORTING
This issue may need a complicated patch, so I ask the developers to take a look at it.
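The three reproducers in these reports all follow the same shape: select a PCI function's register through port 0xCF8, program a BAR or the command register through 0xCFC, then poke the device's BAR window and guest RAM. The helper below, an added example that is not code from the reports or from QEMU, annotates the virtio-net reproducer (00:01.0, BAR0/BAR4) and the AHCI reproducer (00:1f.2, BAR5) above so each step is readable, and can replay a script against a local qemu binary. The BAR window sizes, the 512 MiB guest-RAM bound, the register names, and the `replay` command line (which hardcodes `-M q35`) are illustrative assumptions; the embedded scripts are copied from the two reports.

```python
# Added example (not code from the bug reports above or from QEMU): annotate a
# qtest reproducer so the PCI config-space sequence is readable, and replay it
# against a local qemu binary.
import subprocess
PCI_COMMAND_BITS = {0x1: "IO", 0x2: "MEM", 0x4: "BUSMASTER"}  # config offset 0x04
# Assumed window sizes, used only to attribute later accesses to a programmed BAR
# (real sizes come from the device); GUEST_RAM matches the reports' -m 512M.
IO_WINDOW, MMIO_WINDOW, GUEST_RAM = 0x1000, 0x10000, 512 << 20
# Reproducers copied from the virtio-net and AHCI reports above.
VIRTIO_SCRIPT = """\
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000820
outl 0xcfc 0xe0004000
outl 0xcf8 0x80000804
outw 0xcfc 0x7
write 0xe0004008 0x1 0x01
write 0xe000400c 0x1 0x04
outl 0xc00b 0x01000000
outl 0xc006 0x38380000
outl 0xc001 0x00
outl 0xc00f 0x04000100
write 0x3839003 0x1 0x01
"""
AHCI_SCRIPT = """\
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0xe00003b8 0x1 0x01
write 0x0 0x1 0x27
write 0x1 0x1 0x80
write 0x2 0x1 0x20
write 0x7 0x1 0x01
write 0xe0000398 0x1 0x01
write 0xe0000398 0x1 0x00
write 0xe0000398 0x1 0x01
"""

def decode_cf8(addr):
    """0xCF8 type-1 address: bit 31 enable, 23:16 bus, 15:11 dev, 10:8 fn, 7:2 reg."""
    if not addr & 0x80000000:
        raise ValueError("bit 31 clear: not a configuration cycle")
    return {"bus": (addr >> 16) & 0xFF, "dev": (addr >> 11) & 0x1F,
            "fn": (addr >> 8) & 0x7, "reg": addr & 0xFC}

def reg_name(reg):
    """Name the type-0 header registers a reproducer usually touches."""
    if reg == 0x04:
        return "COMMAND"
    if 0x10 <= reg <= 0x24:
        return f"BAR{(reg - 0x10) // 4}"
    return f"cfg+0x{reg:02x}"

def attribute(addr, bars, window):
    """Map a port or physical address to a programmed BAR, else to guest RAM."""
    for base, idx in bars.items():
        if base <= addr < base + window:
            return f"  # BAR{idx}+0x{addr - base:x}"
    return "  # guest RAM" if addr < GUEST_RAM else ""

def annotate(script):
    """Return each qtest command followed by a comment on what it touches."""
    notes, cf8, bars = [], None, {}          # bars: base address -> BAR index
    for line in script.strip().splitlines():
        op, *args = line.split()
        args = [int(a, 0) for a in args]
        note = line
        if op in ("outb", "outw", "outl"):
            port, val = args
            if port == 0xCF8:                    # select bus:dev.fn and register
                cf8 = decode_cf8(val)
                note += "  # select {bus:02x}:{dev:02x}.{fn} ".format(**cf8) + reg_name(cf8["reg"])
            elif port == 0xCFC and cf8:          # write the selected register
                name = reg_name(cf8["reg"])
                if name == "COMMAND":
                    on = [n for b, n in PCI_COMMAND_BITS.items() if val & b]
                    note += "  # enable " + ("|".join(on) or "nothing")
                else:
                    if name.startswith("BAR"):
                        bars[val & ~0xF] = int(name[3:])
                    note += f"  # {name} := 0x{val:x}"
            else:                                # port I/O into a BAR window
                note += attribute(port, bars, IO_WINDOW)
        elif op == "write":                      # guest physical memory write
            note += attribute(args[0], bars, MMIO_WINDOW)
        notes.append(note)
    return notes

def classify_exit(returncode):
    """Crash class from a return code (negative = killed by signal). Sanitizer
    builds print their report and exit(1) instead, so also inspect stderr."""
    if returncode < 0:
        return {6: "abort (assertion failed)", 11: "segfault"}.get(-returncode, f"signal {-returncode}")
    return "no crash" if returncode == 0 else f"exit {returncode}"

def replay(qemu_bin, device_args, script, timeout=60):
    """Feed `script` to qemu over -qtest stdio and return (crash class, stderr)."""
    cmd = [qemu_bin, "-display", "none", "-machine", "accel=qtest", "-m", "512M",
           "-M", "q35", "-nodefaults", *device_args, "-qtest", "stdio"]
    proc = subprocess.run(cmd, input=script, capture_output=True, text=True, timeout=timeout)
    return classify_exit(proc.returncode), proc.stderr
```

`annotate(AHCI_SCRIPT)` shows that `outl 0xcf8 0x8000fa24` selects 00:1f.2 BAR5 (the q35 SATA controller's ABAR), `outw 0xcfc 0x06` turns on MEM|BUSMASTER, and the writes at 0x0..0x7 land in guest RAM, i.e. the command structures the device is then told to DMA from. To replay, pass the device arguments from the report, e.g. `replay("./qemu-system-x86_64", ["-drive", "file=null-co://,if=none,format=raw,id=disk0", "-device", "ide-hd,drive=disk0"], AHCI_SCRIPT)`, and check both the crash class and stderr, since an ASan build reports the SEGV on stderr and exits with status 1 rather than dying on the signal.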
Operating system: Debian 12
OS/kernel version: Linux 6.1.0-17-amd64
Architecture: x86_64
QEMU flavor: qemu-system-x86_64
QEMU version: QEMU emulator version 9.2.50 (v9.2.0-1001-g7433709a14)
QEMU command line:
./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0 -qtest stdio
Does not matter
The assert
qemu-system-x86_64: ../hw/ide/core.c:934: void ide_dma_cb(void *, int): Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
can be triggered with some qtest commands. This was found by fuzzing.
Command:
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0 -qtest stdio
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0x0 0x1 0x27
write 0x1 0x1 0x80
write 0x2 0x1 0x25
write 0xe00003b8 0x1 0x02
write 0xe0000398 0x1 0x01
EOF
Results in
[I 0.000001] OPENED
[R +0.076075] outl 0xcf8 0x8000fa24
[S +0.076165] OK
OK
[R +0.076198] outl 0xcfc 0xe0000000
[S +0.076242] OK
OK
[R +0.076320] outl 0xcf8 0x8000fa04
[S +0.076344] OK
OK
[R +0.076379] outw 0xcfc 0x06
[S +0.077676] OK
OK
[R +0.077760] write 0x0 0x1 0x27
[S +0.079429] OK
OK
[R +0.079552] write 0x1 0x1 0x80
[S +0.079592] OK
OK
[R +0.079618] write 0x2 0x1 0x25
[S +0.079645] OK
OK
[R +0.079669] write 0xe00003b8 0x1 0x02
[S +0.079709] OK
OK
[R +0.079733] write 0xe0000398 0x1 0x01
qemu-system-x86_64: ../hw/ide/core.c:934: void ide_dma_cb(void *, int): Assertion `prep_size >= 0 && prep_size <= n * 512' failed.
Aborted
Maybe we can just goto eot; instead of the assert?
Just a friendly reminder that the issue is still relevant in QEMU emulator version 9.2.50 (v9.2.0-1001-g7433709a14).
I can't patch this on my own, and I ask the developers to pay attention to this issue.
As I can see, some changes were applied: https://gitlab.freedesktop.org/spice/spice/-/merge_requests/221. Closing issue.
Operating system: Debian 12
OS/kernel version: Linux 6.1.0-11-amd64
Architecture: x86_64
QEMU flavor: qemu/master
QEMU version: version 8.1.50 (v8.1.0-1353-g2f3913f4-dirty), commit 2f3913f4
QEMU command line:
./qemu-system-x86_64 -vga qxl -m 2048 -nodefaults
Does not matter
An assertion failure in libspice-server was found while fuzzing the qxl-vga device.
qemu-system-x86_64: Spice: ../server/red-worker.cpp:367:handle_dev_destroy_surface_wait: condition `msg->surface_id == 0' failed
Aborted
This bug can be reproduced with
cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -M \
pc -nodefaults -vga qxl -qtest stdio
outl 0xcf8 0x8000101c
outl 0xcfc 0xc000
outl 0xcf8 0x80001004
outw 0xcfc 0x01
outl 0xc00b 0x01000000
EOF
This bug is in a different place from #1829, please pay attention to it. It has to be solved, because it interferes with the further fuzzing process.
As I mentioned, I really need this bug to be solved, because fuzzing the qxl-vga device gets less efficient. I decided to report it here, not in spice-server, because this bug may be on the QEMU side.