Abort in net_tx_pkt_update_sctp_checksum()
Host environment
- Operating system: Ubuntu 22.04.4 LTS
- OS/kernel version: Linux 6.5.0-25-generic
- Architecture: x86_64
- QEMU flavor: 8.2.92
- QEMU version: commit ce64e622
Emulated/Virtualized environment
- Operating system: Debian GNU/Linux 10 (buster)
- OS/kernel version: Linux syzkaller 6.6.0
- Architecture: x86_64
Description of problem
In the function net_tx_pkt_update_sctp_checksum(), an abort happened:
qemu-fuzz-x86_64: ../../../third_party/qemu/util/iov.c:39: size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t, const void *, size_t): Assertion `offset == 0' failed.
==1052929== ERROR: libFuzzer: deadly signal
#0 0x5575e5cccbe1 in __sanitizer_print_stack_trace llvm/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x5575e5c479b8 in fuzzer::PrintStackTrace() llvm/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x5575e5c2bbb3 in fuzzer::Fuzzer::CrashCallback() llvm/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7f691f24251f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f)
#4 0x7f691f2969fb in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:43:17
#5 0x7f691f2969fb in __pthread_kill_internal nptl/./nptl/pthread_kill.c:78:10
#6 0x7f691f2969fb in pthread_kill nptl/./nptl/pthread_kill.c:89:10
#7 0x7f691f242475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#8 0x7f691f2287f2 in abort stdlib/./stdlib/abort.c:79:7
#9 0x7f691f22871a in __assert_fail_base assert/./assert/assert.c:92:3
#10 0x7f691f239e95 in __assert_fail assert/./assert/assert.c:101:3
#11 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
#12 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
#13 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
#14 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
#15 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
#16 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
#17 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
#18 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9
Steps to reproduce
Here's a simple PoC:
cat << EOF | \
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -device \
igb,netdev=net0 -netdev user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000403 0x1 0x02
writel 0xe0003808 0xffffffff
write 0xe000381a 0x1 0x5b
write 0xe000381b 0x1 0x00
EOF