Divide-by-zero in virtio_gpu_simple_process_cmd

Hello,

Reproducer

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -machine q35 -nodefaults -device virtio-vga -qtest stdio
outl 0xcf8 0x80000818
outl 0xcfc 0xe0800000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0801028 0x1 0x16
write 0xe0801020 0x1 0x01
write 0xe080101c 0x1 0x01
write 0xe0803000 0x1 0x00
write 0x18 0x1 0x01
write 0x1a 0x1 0x02
write 0x2a 0x1 0x01
write 0x0 0x1 0x01
write 0x1 0x1 0x01
write 0x1c 0x1 0x01
EOF

Stack-Trace

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==1430356==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address 0x555ca03ddb35 (pc 0x555ca03ddb35 bp 0x7fff05a9bf50 sp 0x7fff05a9beb0 T1430356)
    #0 0x555ca03ddb35 in virtio_gpu_resource_create_2d /home/alxndr/Development/qemu/build/../hw/display/virtio-gpu.c:327:66
    #1 0x555ca03de674 in virtio_gpu_simple_process_cmd /home/alxndr/Development/qemu/build/../hw/display/virtio-gpu.c:1002:9
    #2 0x555ca03e1302 in virtio_gpu_process_cmdq /home/alxndr/Development/qemu/build/../hw/display/virtio-gpu.c:1077:9
    #3 0x555ca0745da6 in aio_bh_call /home/alxndr/Development/qemu/build/../util/async.c:169:5
    #4 0x555ca0745f3d in aio_bh_poll /home/alxndr/Development/qemu/build/../util/async.c:216:13
    #5 0x555ca072f07e in aio_dispatch /home/alxndr/Development/qemu/build/../util/aio-posix.c:423:5
    #6 0x555ca0746bda in aio_ctx_dispatch /home/alxndr/Development/qemu/build/../util/async.c:358:5
    #7 0x7fc2bb33e7a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) (BuildId: 9f90bd7bbfcf84a1f1c5a6102f70e6264837b9d4)
    #8 0x555ca074737b in glib_pollfds_poll /home/alxndr/Development/qemu/build/../util/main-loop.c:290:9
    #9 0x555ca074737b in os_host_main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:313:5
    #10 0x555ca074737b in main_loop_wait /home/alxndr/Development/qemu/build/../util/main-loop.c:592:11
    #11 0x555ca036d786 in qemu_main_loop /home/alxndr/Development/qemu/build/../softmmu/runstate.c:732:9
    #12 0x555ca05b27d5 in qemu_default_main /home/alxndr/Development/qemu/build/../softmmu/main.c:37:14
    #13 0x7fc2bac46189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7fc2bac46244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #15 0x555ca001aee0 in _start (/home/alxndr/Development/qemu/build/qemu-system-i386+0x4eeee0) (BuildId: c6af8f91e52e475fe6a1684f85c631fe944cfde0)

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60239

libqtest Reproducer: repro.c

Thank you
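What the device actually receives when the reproducer above runs is easier to see once the qtest `write` lines are replayed and decoded. The script below is an added example, not part of the report or of QEMU: it applies the `write addr size data` lines to a sparse model of guest RAM and to the virtio-vga BAR (base 0xe0800000, programmed by the `outl 0xcf8/0xcfc` pair), reads the queue addresses back out of the virtio 1.x common configuration structure, walks `avail.ring[0]` to its descriptor, and decodes the buffer it points at using the `virtio_gpu_resource_create_2d` layout from the virtio specification. The common-config offset inside the BAR (+0x1000) and the register offsets (queue_desc at 0x20, queue_driver at 0x28) are my reading of the virtio-vga layout and the spec, not something the report states. The decoded request is a RESOURCE_CREATE_2D with `width` and `height` both zero, which is exactly the kind of guest-controlled size that a resource-size or stride computation in `virtio_gpu_resource_create_2d` has to reject before it is used in arithmetic; the report itself does not name the divisor, so treat that link as inference.

```python
import re
import struct

# The heredoc body of the reproducer above, copied verbatim.
QTEST_SCRIPT = """\
outl 0xcf8 0x80000818
outl 0xcfc 0xe0800000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0801028 0x1 0x16
write 0xe0801020 0x1 0x01
write 0xe080101c 0x1 0x01
write 0xe0803000 0x1 0x00
write 0x18 0x1 0x01
write 0x1a 0x1 0x02
write 0x2a 0x1 0x01
write 0x0 0x1 0x01
write 0x1 0x1 0x01
write 0x1c 0x1 0x01
"""

# Assumptions (mine): BAR2 base from the 'outl 0xcfc 0xe0800000' line; the
# virtio common configuration structure of virtio-vga sits at +0x1000 in it;
# register offsets are the virtio 1.x ones.
MMIO_BASE = 0xE0800000
COMMON_CFG = MMIO_BASE + 0x1000
QUEUE_DESC = 0x20      # common cfg: le64 queue_desc (descriptor table)
QUEUE_DRIVER = 0x28    # common cfg: le64 queue_driver (the "avail" ring)

VIRTIO_GPU_CMD_RESOURCE_CREATE_2D = 0x0101
# virtio_gpu_resource_create_2d: 24-byte ctrl header (type, flags, fence_id,
# ctx_id, ring_idx, padding[3]) followed by resource_id, format, width, height.
CREATE_2D_FMT = "<IIQIB3xIIII"
CREATE_2D_FIELDS = ("type", "flags", "fence_id", "ctx_id", "ring_idx",
                    "resource_id", "format", "width", "height")

WRITE_RE = re.compile(r"^write\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)$", re.I)


def replay_writes(script):
    """Apply every 'write addr size data' line: MMIO writes land in a register
    map, everything else in a sparse byte dict modelling guest RAM. The outl/outw
    lines are port I/O (PCI config space) and are not memory writes."""
    ram, regs = {}, {}
    for line in script.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        addr, size, data = (int(x, 16) for x in m.groups())
        payload = data.to_bytes(size, "big")   # qtest hex data: leftmost byte first
        target = regs if addr >= MMIO_BASE else ram
        for i, b in enumerate(payload):
            target[addr + i] = b
    return ram, regs


def read_le(mem, addr, length):
    """Little-endian read from a sparse byte dict; unwritten bytes read as 0."""
    return int.from_bytes(bytes(mem.get(addr + i, 0) for i in range(length)), "little")


def first_submitted_buffer(ram, regs):
    """Follow the queue the guest set up: desc table and avail ring from the
    common-cfg writes, then avail.ring[0] -> descriptor -> (guest addr, len)."""
    desc_base = read_le(regs, COMMON_CFG + QUEUE_DESC, 8)
    avail_base = read_le(regs, COMMON_CFG + QUEUE_DRIVER, 8)
    head = read_le(ram, avail_base + 4, 2)          # virtq_avail: flags, idx, ring[0]
    desc = desc_base + 16 * head                    # virtq_desc is 16 bytes
    return read_le(ram, desc, 8), read_le(ram, desc + 8, 4)


def decode_create_2d(ram, addr):
    raw = bytes(ram.get(addr + i, 0) for i in range(struct.calcsize(CREATE_2D_FMT)))
    return dict(zip(CREATE_2D_FIELDS, struct.unpack(CREATE_2D_FMT, raw)))


def analyse(script):
    ram, regs = replay_writes(script)
    buf_addr, buf_len = first_submitted_buffer(ram, regs)
    cmd = decode_create_2d(ram, buf_addr)
    cmd["buffer"] = (buf_addr, buf_len)
    cmd["is_create_2d"] = cmd["type"] == VIRTIO_GPU_CMD_RESOURCE_CREATE_2D
    cmd["zero_dimensions"] = [k for k in ("width", "height") if cmd[k] == 0]
    return cmd


if __name__ == "__main__":
    for key, value in analyse(QTEST_SCRIPT).items():
        print(f"{key:16} {value!r}")
```

Because the fuzzer packed the avail ring, the descriptor table and the command buffer into overlapping low memory, several single-byte writes serve double duty (the byte at 0x18 is both `avail.idx` and the low byte of `resource_id`); the decoder makes that visible instead of requiring it to be worked out by hand.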