On 5/10/20 11:51 PM, Alexander Bulekov wrote:
> Hello,
> While fuzzing, I found an input that triggers an assertion failure
> through virtio-rng -> vring_split_desc_read. Maybe this is related to:
> Message-ID: <20200511033001.dzvtbdhl3oz5p...@mozz.bu.edu>
> Assertion failure through virtio_lduw_phys_cached
>
> #8 0x7fe6a9acf091 in __assert_fail
> /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
> #9 0x564cbe7d96fd in address_space_read_cached include/exec/memory.h:2423:5
> #10 0x564cbe7e79c5 in vring_split_desc_read hw/virtio/virtio.c:236:5
> #11 0x564cbe7e84ce in virtqueue_split_read_next_desc hw/virtio/virtio.c:929:5
> #12 0x564cbe78f86b in virtqueue_split_get_avail_bytes
> hw/virtio/virtio.c:1009:18
> #13 0x564cbe78ab22 in virtqueue_get_avail_bytes hw/virtio/virtio.c:1208:9
> #14 0x564cc08aade1 in get_request_size hw/virtio/virtio-rng.c:40:5
> #15 0x564cc08aa20b in virtio_rng_process hw/virtio/virtio-rng.c:115:12
> #16 0x564cc08a8c48 in virtio_rng_set_status hw/virtio/virtio-rng.c:172:5
> #17 0x564cbe7a50be in virtio_set_status hw/virtio/virtio.c:1876:9
> #18 0x564cc08d1b8f in virtio_pci_common_write hw/virtio/virtio-pci.c:1245:9
>
> I can reproduce it in a qemu 5.0 build using these qtest commands:
> https://paste.debian.net/plain/1146089
> (not including them here, as some are quite long)
>
> wget https://paste.debian.net/plain/1146089 -O qtest-trace;
> ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -device
> virtio-rng-pci,addr=04.0 -display none -nodefaults -nographic -qtest stdio <
> qtest-trace
>
> Please let me know if I can provide any further info.
> -Alex
>
Do you have a writeup somewhere of how you are approaching fuzzing and
how you've found this pile of bugs so far?
Might make for a good blog post.
--js
