Out of bounds access in tx_fifo_push()
Host environment
- Operating system: Ubuntu 20.04
- OS/kernel version: Linux 5.4.0
- Architecture: x86_64
- QEMU version: commit fea445e8
Emulated/Virtualized environment
- Operating system: Ubuntu 20.04
- OS/kernel version: Linux 5.4.0
- Architecture: arm
Description of problem
I detected an out-of-bounds access in tx_fifo_push with my fuzzer.
Stack trace (part):
hw/net/lan9118.c:798:17: runtime error: index 2048 out of bounds for
type 'uint8_t[2048]' (aka 'unsigned char[2048]')
#0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
#1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
#2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
#3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
#4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
#5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
#6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
#7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
#8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
#9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
...
Steps to reproduce
Reproducer:
export QEMU_ARGS="-display none -machine accel=qtest, -m 512M -machine smdkc210"
cat << EOF | ./qemu-system-arm $QEMU_ARGS -qtest /dev/null -qtest stdio
outl 0xcf8 0x80000010
outl 0xcfc 0x5000000
outl 0xcf8 0x80000004
outl 0xcfc 0x07
writew 0x5000030 0x4918237b
writew 0x5000030 0x4918237b
writel 0x500003c 0x223bd37f
writel 0x500003c 0x223bd37f
writel 0x500003c 0x223bd37f
writew 0x500003c 0x223bd37f
writel 0x500003c 0x223bd37f
writew 0x500003c 0x223bd37f
writel 0x500003c 0x223bd37f
writel 0x500003c 0x223bd37f
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000024 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000024 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000024 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x17954990
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0xcb06897
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
writel 0x5000020 0x6a035c1b
EOF
Additional information
Ack: Chuhong Yuan (hslester96@gmail.com)