Abort in net_tx_pkt_do_sw_fragmentation

Hello,

I'm guessing this might be related to the recent IGB patches, but I haven't had a chance to bisect. CC: @akihiko.odaki CC: @jasowang

Reproducer

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -M q35 -nodefaults -device e1000e,netdev=net0 -netdev user,id=net0 \
-qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe000042a 0x2 0x20ff
write 0xe0000430 0x2 0x2002
write 0x210b 0x1 0x08
write 0x210d 0x1 0x46
write 0x210e 0x1 0x03
write 0xfe8b 0x1 0x24
write 0xfea0 0x1 0xff
write 0xfea1 0x1 0x20
write 0xfea9 0x1 0x01
write 0xfeaa 0x1 0x10
write 0xfeab 0x1 0x25
write 0xe0000400 0x1 0x02
EOF
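As an added example (not the reporter's 56999.c and not QEMU code), the following decoder turns the qtest command stream above into readable PCI-config, MMIO and guest-RAM events for triage; the register names and the 128 KiB BAR0 window are my assumptions, not values from the report.

```python
# Added example, not part of the original report: decode the qtest reproducer
# above into PCI config, MMIO and guest-RAM events for triage. Register names
# are my assumptions (0x400 = TCTL agrees with e1000e_set_tctl in the trace).
REPRODUCER = """\
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe000042a 0x2 0x20ff
write 0xe0000430 0x2 0x2002
write 0x210b 0x1 0x08
write 0x210d 0x1 0x46
write 0x210e 0x1 0x03
write 0xfe8b 0x1 0x24
write 0xfea0 0x1 0xff
write 0xfea1 0x1 0x20
write 0xfea9 0x1 0x01
write 0xfeaa 0x1 0x10
write 0xfeab 0x1 0x25
write 0xe0000400 0x1 0x02
"""
PCI_CFG_NAMES = {0x04: "COMMAND", 0x10: "BAR0"}
MMIO_NAMES = {0x400: "TCTL"}  # TCTL.EN (bit 1) kicks off the transmit path

def decode_cf8(addr):
    # CONFIG_ADDRESS layout: [23:16] bus, [15:11] device, [10:8] function, [7:2] reg
    return (addr >> 16) & 0xFF, (addr >> 11) & 0x1F, (addr >> 8) & 0x7, addr & 0xFC

def decode_qtest(text):
    events, cf8, bar0 = [], None, None
    for parts in (l.split() for l in text.splitlines() if l.strip()):
        op = parts[0]
        if op in ("outb", "outw", "outl"):
            port, val = int(parts[1], 16), int(parts[2], 16)
            if port == 0xCF8:  # select bus/dev/fn/register for the next 0xcfc access
                cf8 = val
            elif port == 0xCFC and cf8 is not None:
                bus, dev, fn, reg = decode_cf8(cf8)
                if reg == 0x10:  # memory BAR0: low 4 bits are flag bits
                    bar0 = val & ~0xF
                events.append(("pci_cfg", bus, dev, fn, PCI_CFG_NAMES.get(reg, hex(reg)), val))
        elif op == "write":
            # qtest 'write ADDR LEN 0xHEX' carries raw bytes in order, not a value
            addr, data = int(parts[1], 16), bytes.fromhex(parts[3][2:])
            if bar0 is not None and bar0 <= addr < bar0 + 0x20000:  # 128 KiB e1000e BAR0 (assumed)
                off = addr - bar0
                events.append(("mmio", off, MMIO_NAMES.get(off, hex(off)), data))
            else:  # guest RAM: bytes the device will later DMA (descriptors, packet data)
                events.append(("ram", addr, data))
    return events
```

Running decode_qtest(REPRODUCER) shows the sequence: BAR0 mapped at 0xe0000000 and memory/bus-master enabled on 00:01.0, two MMIO writes, nine guest-RAM byte writes, and finally TCTL written with bit 1 set, which is the e1000e_set_tctl frame in the stack trace.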

Stack-Trace

../net/eth.c:54:13: runtime error: member access within misaligned address 0x631000014846 for type 'struct ip_header', which requires 4 byte alignment
0x631000014846: note: pointer points here
 00 00 00 00 46 ff  20 20 00 00 00 00 00 20  ff ff ff 08 00 46 ff 20  40 00 00 00 00 00 00 00  00 00
             ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:54:13 in 
../net/eth.c:54:13: runtime error: load of misaligned address 0x631000014846 for type 'uint8_t' (aka 'unsigned char'), which requires 4 byte alignment
0x631000014846: note: pointer points here
 00 00 00 00 46 ff  20 20 00 00 00 00 00 20  ff ff ff 08 00 46 ff 20  40 00 00 00 00 00 00 00  00 00
             ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:54:13 in 
../net/eth.c:55:17: runtime error: member access within misaligned address 0x631000014846 for type 'struct ip_header', which requires 4 byte alignment
0x631000014846: note: pointer points here
 00 00 00 00 46 ff  20 20 00 00 00 00 00 20  ff ff ff 08 00 46 ff 20  40 00 00 00 00 00 00 00  00 00
             ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:55:17 in 
==1001025== ERROR: libFuzzer: deadly signal
    #0 0x55fc4a5f9bf1 in __sanitizer_print_stack_trace (/home/alxndr/Development/qemu-demo/qemu/build/qemu-fuzz-i386+0x2287bf1) (BuildId: 7c4ce493fae4324b5f6e6d13ba359194d25265ec)
    #1 0x55fc4a56c548 in fuzzer::PrintStackTrace() (/home/alxndr/Development/qemu-demo/qemu/build/qemu-fuzz-i386+0x21fa548) (BuildId: 7c4ce493fae4324b5f6e6d13ba359194d25265ec)
    #2 0x55fc4a551e13 in fuzzer::Fuzzer::CrashCallback() (/home/alxndr/Development/qemu-demo/qemu/build/qemu-fuzz-i386+0x21dfe13) (BuildId: 7c4ce493fae4324b5f6e6d13ba359194d25265ec)
    #3 0x7fe2ec84ff8f  (/lib/x86_64-linux-gnu/libc.so.6+0x3bf8f) (BuildId: f684ebb8772f68a082f2ad1031fc05c847b87fad)
    #4 0x7fe2ec89eccb in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:43:17
    #5 0x7fe2ec84fef1 in raise signal/../sysdeps/posix/raise.c:26:13
    #6 0x7fe2ec83a471 in abort stdlib/./stdlib/abort.c:79:7
    #7 0x55fc4ac008fa in net_tx_pkt_do_sw_fragmentation /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_tx_pkt.c:739:9
    #8 0x55fc4ac008fa in net_tx_pkt_send_custom /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/net_tx_pkt.c:825:12
    #9 0x55fc4ac4cf1a in e1000e_tx_pkt_send /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:685:16
    #10 0x55fc4ac4cf1a in e1000e_process_tx_desc /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:762:17
    #11 0x55fc4ac4cf1a in e1000e_start_xmit /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:953:9
    #12 0x55fc4ac44273 in e1000e_set_tctl /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:2496:9
    #13 0x55fc4ac2622d in e1000e_core_write /home/alxndr/Development/qemu-demo/qemu/build/../hw/net/e1000e_core.c:3349:9
    #14 0x55fc4bd99e78 in memory_region_write_accessor /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:493:5
    #15 0x55fc4bd999ca in access_with_adjusted_size /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c:555:18
    #16 0x55fc4bd99333 in memory_region_dispatch_write /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/memory.c
    #17 0x55fc4bde3040 in flatview_write_continue /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/physmem.c:2641:23
    #18 0x55fc4bdda4e3 in flatview_write /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/physmem.c:2683:12
    #19 0x55fc4bdda1f3 in address_space_write /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/physmem.c:2779:18
    #20 0x55fc4bdeebb3 in qtest_process_command /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/qtest.c:537:13
    #21 0x55fc4bdec968 in qtest_process_inbuf /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/qtest.c:801:9
    #22 0x55fc4bdec783 in qtest_server_inproc_recv /home/alxndr/Development/qemu-demo/qemu/build/../softmmu/qtest.c:932:9
    #23 0x55fc4c4c3540 in qtest_sendf /home/alxndr/Development/qemu-demo/qemu/build/../tests/qtest/libqtest.c:600:5
    #24 0x55fc4c4c3c4e in qtest_write /home/alxndr/Development/qemu-demo/qemu/build/../tests/qtest/libqtest.c:1047:5
    #25 0x55fc4c4c3c4e in qtest_writeq /home/alxndr/Development/qemu-demo/qemu/build/../tests/qtest/libqtest.c:1068:5
    #26 0x55fc4a632c8e in __wrap_qtest_writeq /home/alxndr/Development/qemu-demo/qemu/build/../tests/qtest/fuzz/qtest_wrappers.c:190:9
    #27 0x55fc4a63a8e4 in op_write /home/alxndr/Development/qemu-demo/qemu/build/../tests/qtest/fuzz/generic_fuzz.c:490:13

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56999

libqtest Reproducer: 56999.c

Thank you
