Assertion failuer in cryptodev_builtin_close_session()
Host environment
- Operating system: Ubuntu 22.04.4 LTS
- OS/kernel version: Linux 6.5.0-25-generic
- Architecture: x86_64
- QEMU flavor: 8.2.92
- QEMU version: commit ce64e622
Emulated/Virtualized environment
- Operating system: Debian GNU/Linux 10 (buster)
- OS/kernel version: Linux syzkaller 6.6.0
- Architecture: x86_64
Description of problem
In the function cryptodev_builtin_close_session(), an assertation happened:
qemu-fuzz-x86_64: qemu/backends/cryptodev-builtin.c:430: int cryptodev_builtin_close_session(CryptoDevBackend *, uint64_t, uint32_t, CryptoDevCompletionFunc, void *): Assertion `session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]' failed.
==1256139== ERROR: libFuzzer: deadly signal
#9 0x71acb8c2871a in __assert_fail_base assert/./assert/assert.c:92:3
#10 0x71acb8c39e95 in __assert_fail assert/./assert/assert.c:101:3
#11 0x5af7f624b12b in cryptodev_builtin_close_session qemu/backends/cryptodev-builtin.c:430:5
#12 0x5af7f60b2860 in virtio_crypto_handle_close_session qemu/hw/virtio/virtio-crypto.c:262:12
#13 0x5af7f60b2860 in virtio_crypto_handle_ctrl qemu/hw/virtio/virtio-crypto.c:423:19The user could send an invalid session_id to trigger this assertion.
Steps to reproduce
Here's a simple PoC:
cat << EOF | qemu-system-x86_64 -display none\
-machine accel=qtest -m 512M -machine q35 -nodefaults -object \
cryptodev-backend-builtin,id=cryptodev0 -device \
virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 -qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000820
outl 0xcfc 0xe0008000
write 0x10800e 0x1 0x01
write 0xe0008016 0x1 0x01
write 0xe0008020 0x4 0x00801000
write 0xe0008028 0x4 0x00c01000
write 0xe000801c 0x1 0x01
write 0x110000 0x1 0x05
write 0x110001 0x1 0x04
write 0x108002 0x1 0x11
write 0x108008 0x1 0x48
write 0x10800c 0x1 0x01
write 0x108018 0x1 0x10
write 0x10801c 0x1 0x02
write 0x10c002 0x1 0x01
write 0xe000b005 0x1 0x00
EOF