
Abort in net_tx_pkt_update_sctp_checksum()

Host environment

  • Operating system: Ubuntu 22.04.4 LTS
  • OS/kernel version: Linux 6.5.0-25-generic
  • Architecture: x86_64
  • QEMU flavor: 8.2.92
  • QEMU version: commit ce64e622

Emulated/Virtualized environment

  • Operating system: Debian GNU/Linux 10 (buster)
  • OS/kernel version: Linux syzkaller 6.6.0
  • Architecture: x86_64

Description of problem

In net_tx_pkt_update_sctp_checksum(), an assertion failure in iov_from_buf_full() aborts the process:

qemu-fuzz-x86_64: ../../../third_party/qemu/util/iov.c:39: size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t, const void *, size_t): Assertion `offset == 0' failed.
==1052929== ERROR: libFuzzer: deadly signal
    #0 0x5575e5cccbe1 in __sanitizer_print_stack_trace llvm/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x5575e5c479b8 in fuzzer::PrintStackTrace() llvm/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x5575e5c2bbb3 in fuzzer::Fuzzer::CrashCallback() llvm/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7f691f24251f  (/lib/x86_64-linux-gnu/libc.so.6+0x4251f)
    #4 0x7f691f2969fb in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:43:17
    #5 0x7f691f2969fb in __pthread_kill_internal nptl/./nptl/pthread_kill.c:78:10
    #6 0x7f691f2969fb in pthread_kill nptl/./nptl/pthread_kill.c:89:10
    #7 0x7f691f242475 in gsignal signal/../sysdeps/posix/raise.c:26:13
    #8 0x7f691f2287f2 in abort stdlib/./stdlib/abort.c:79:7
    #9 0x7f691f22871a in __assert_fail_base assert/./assert/assert.c:92:3
    #10 0x7f691f239e95 in __assert_fail assert/./assert/assert.c:101:3
    #11 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
    #12 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
    #13 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
    #14 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
    #15 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
    #16 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
    #17 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
    #18 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9

Steps to reproduce

Here's a simple PoC:

cat << EOF | \
qemu-system-x86_64 \
-display none -machine accel=qtest -m 512M -M q35 -nodefaults -device \
igb,netdev=net0 -netdev user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe0000403 0x1 0x02
writel 0xe0003808 0xffffffff
write 0xe000381a 0x1 0x5b
write 0xe000381b 0x1 0x00
EOF