Hello,

While fuzzing, I found an input that triggers an assertion through virtio-blk.c:

void address_space_unmap(AddressSpace *, void *, hwaddr, int, hwaddr): Assertion `mr != NULL' failed
    #8 0x7fa947707091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
    #9 0x55ec68a73a97 in address_space_unmap exec.c:3619:9
    #10 0x55ec6943ffab in dma_memory_unmap include/sysemu/dma.h:145:5
    #11 0x55ec693e2df6 in virtqueue_unmap_sg hw/virtio/virtio.c:640:9
    #12 0x55ec693e435b in virtqueue_fill hw/virtio/virtio.c:789:5
    #13 0x55ec693e8cf0 in virtqueue_push hw/virtio/virtio.c:863:5
    #14 0x55ec68ff73ce in virtio_blk_req_complete hw/block/virtio-blk.c:83:5
    #15 0x55ec68ff037e in virtio_blk_handle_request hw/block/virtio-blk.c:671:13
    #16 0x55ec68fec4c0 in virtio_blk_handle_vq hw/block/virtio-blk.c:780:17
    #17 0x55ec6901ae79 in virtio_blk_handle_output_do hw/block/virtio-blk.c:803:5
    #18 0x55ec6901a336 in virtio_blk_handle_output hw/block/virtio-blk.c:819:5
    #19 0x55ec694168f0 in virtio_queue_notify hw/virtio/virtio.c:2284:9
    #20 0x55ec6b55abc5 in virtio_mmio_write hw/virtio/virtio-mmio.c:369:13
    #21 0x55ec68d9e17b in memory_region_write_accessor memory.c:496:5

I can reproduce it in a qemu 5.0 build using:

cat << EOF | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio
write 0x1ba000b 0x12 0x01820040bf07f0ffffffffffff3328000101
write 0x1ba1003 0x2 0x0101
write 0xc0000e28 0x2c 0x000046dd000000000049dd00000000004cdd00000000004fdd000000000052dd000000000055dd0000000000
EOF

I also uploaded the above trace, in case the formatting is broken:

curl https://paste.debian.net/plain/1146092 | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio

Please let me know if I can provide any further info.

-Alex