mirror of
https://github.com/xemu-project/xemu.git
synced 2024-11-24 12:09:58 +00:00
fda43b1204
libFuzzer found using 'qemu-system-i386 -M q35': qemu: hardware error: e1000e: PSRCTL.BSIZE0 cannot be zero CPU #0: EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000663 ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 00000000 0000ffff 00009300 CS =f000 ffff0000 0000ffff 00009b00 SS =0000 00000000 0000ffff 00009300 DS =0000 00000000 0000ffff 00009300 FS =0000 00000000 0000ffff 00009300 GS =0000 00000000 0000ffff 00009300 LDT=0000 00000000 0000ffff 00008200 TR =0000 00000000 0000ffff 00008b00 GDT= 00000000 0000ffff IDT= 00000000 0000ffff CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000 DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 DR6=ffff0ff0 DR7=00000400 EFER=0000000000000000 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000 XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000 XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 ==1988== ERROR: libFuzzer: deadly signal #6 0x7fae4d3ea894 in __GI_abort (/lib64/libc.so.6+0x22894) #7 0x563f4cc59a1d in hw_error (qemu-fuzz-i386+0xe8ca1d) #8 0x563f4d7c93f2 in e1000e_set_psrctl (qemu-fuzz-i386+0x19fc3f2) #9 0x563f4d7b798f in e1000e_core_write (qemu-fuzz-i386+0x19ea98f) #10 0x563f4d7afc46 in e1000e_mmio_write (qemu-fuzz-i386+0x19e2c46) #11 0x563f4cc9a0a7 in memory_region_write_accessor (qemu-fuzz-i386+0xecd0a7) #12 0x563f4cc99c13 in access_with_adjusted_size (qemu-fuzz-i386+0xeccc13) #13 0x563f4cc987b4 in memory_region_dispatch_write (qemu-fuzz-i386+0xecb7b4) It simply sent the following 2 I/O command to the e1000e PCI BAR #2 I/O region: writew 0x0100 0x0c00 # RCTL = E1000_RCTL_DTYP_MASK writeb 0x2170 0x00 # PSRCTL = 0 2813 static void 2814 e1000e_set_psrctl(E1000ECore *core, int index, uint32_t val) 2815 { 2816 if (core->mac[RCTL] & E1000_RCTL_DTYP_MASK) { 2817 2818 if ((val & E1000_PSRCTL_BSIZE0_MASK) == 0) { 2819 hw_error("e1000e: PSRCTL.BSIZE0 cannot be zero"); 2820 } Instead of calling hw_error() which abort the process (it is meant for CPU fatal error condition, not for device logging), log the invalid request with qemu_log_mask(LOG_GUEST_ERROR) and return, ignoring the request. Cc: qemu-stable@nongnu.org Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Jason Wang <jasowang@redhat.com> |
||
|---|---|---|
| .. | ||
| can | ||
| fsl_etsec | ||
| rocker | ||
| allwinner_emac.c | ||
| allwinner-sun8i-emac.c | ||
| cadence_gem.c | ||
| dp8393x.c | ||
| e1000_regs.h | ||
| e1000.c | ||
| e1000e_core.c | ||
| e1000e_core.h | ||
| e1000e.c | ||
| e1000x_common.c | ||
| e1000x_common.h | ||
| eepro100.c | ||
| etraxfs_eth.c | ||
| ftgmac100.c | ||
| i82596.c | ||
| i82596.h | ||
| imx_fec.c | ||
| Kconfig | ||
| lan9118.c | ||
| lance.c | ||
| lasi_i82596.c | ||
| Makefile.objs | ||
| mcf_fec.c | ||
| milkymist-minimac2.c | ||
| mipsnet.c | ||
| msf2-emac.c | ||
| ne2000-isa.c | ||
| ne2000-pci.c | ||
| ne2000.c | ||
| ne2000.h | ||
| net_rx_pkt.c | ||
| net_rx_pkt.h | ||
| net_tx_pkt.c | ||
| net_tx_pkt.h | ||
| opencores_eth.c | ||
| pcnet-pci.c | ||
| pcnet.c | ||
| pcnet.h | ||
| rtl8139.c | ||
| smc91c111.c | ||
| spapr_llan.c | ||
| stellaris_enet.c | ||
| sungem.c | ||
| sunhme.c | ||
| trace-events | ||
| tulip.c | ||
| tulip.h | ||
| vhost_net-stub.c | ||
| vhost_net.c | ||
| virtio-net.c | ||
| vmware_utils.h | ||
| vmxnet3_defs.h | ||
| vmxnet3.c | ||
| vmxnet3.h | ||
| vmxnet_debug.h | ||
| xen_nic.c | ||
| xgmac.c | ||
| xilinx_axienet.c | ||
| xilinx_ethlite.c | ||