
Assert failure in usb_ep_get : Assertion pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT failed (CVE-2024-8354)

Description of problem

Assert failure in usb_ep_get : Assertion pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT failed.

The TD PID needs to be either USB_TOKEN_IN or USB_TOKEN_OUT in usb_ep_get, but in the caller uhci_handle_td it may be USB_TOKEN_SETUP.

An unprivileged guest user may be able to reach the assertion. I think this bug is quite akin to CVE-2024-3567 (#2273 (closed)):

Users are not directly able to craft URBs; however, as a user, one might be able to find a kernel path that would send a TD with PID USB_TOKEN_SETUP to QEMU (called USB_PID_SETUP in Linux). For instance, in the Linux kernel, uhci_submit_control in drivers/usb/host/uhci-q.c:789 does link a USB_PID_SETUP TD to the URB.
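As an added illustration (not QEMU's code and not part of this report): a stand-alone C model of how the UHCI TD token dword is decoded and of the precondition that the failing assertion in usb_ep_get enforces, together with the validation a caller such as uhci_handle_td needs before the lookup. The PID values are the standard USB token PIDs; the struct and function names, and the sample tokens, are hypothetical and constructed for the example.

```c
/*
 * Added example, not QEMU code. Models the UHCI TD token layout
 * (bits 7:0 PID, 14:8 device address, 18:15 endpoint number) and the
 * invariant behind the assertion in the description: the endpoint lookup
 * accepts any token PID for endpoint 0 (the control endpoint) but only
 * IN or OUT for every other endpoint. A guest-supplied TD carrying SETUP
 * with a non-zero endpoint therefore has to be rejected as a host
 * controller error before the lookup, not caught by an assert.
 */
#include <stdint.h>
#include <stdio.h>

/* Standard USB token PIDs (same values as QEMU's USB_TOKEN_* macros). */
#define TOKEN_SETUP 0x2d
#define TOKEN_IN    0x69
#define TOKEN_OUT   0xe1

/* Highest non-control endpoint number; the 4-bit field cannot exceed it. */
#define MAX_ENDPOINTS 15

/* Result of validating a TD token before endpoint lookup. */
enum td_check {
    TD_OK = 0,
    TD_BAD_PID,        /* PID is none of SETUP / IN / OUT */
    TD_SETUP_NON_EP0,  /* SETUP addressed to a non-control endpoint */
};

/* Decoded fields of a TD token dword (hypothetical type). */
struct td_token {
    uint8_t pid;
    uint8_t devaddr;
    uint8_t endpoint;
};

struct td_token td_token_decode(uint32_t token)
{
    struct td_token t;
    t.pid      = token & 0xff;
    t.devaddr  = (token >> 8) & 0x7f;
    t.endpoint = (token >> 15) & 0xf;
    return t;
}

/*
 * Defensive check mirroring the lookup's preconditions. Returns TD_OK only
 * for tokens the lookup can serve without violating its invariants.
 */
enum td_check td_token_validate(uint32_t token)
{
    struct td_token t = td_token_decode(token);

    if (t.pid != TOKEN_SETUP && t.pid != TOKEN_IN && t.pid != TOKEN_OUT) {
        return TD_BAD_PID;
    }
    if (t.endpoint != 0 && t.pid == TOKEN_SETUP) {
        return TD_SETUP_NON_EP0;
    }
    return TD_OK;
}

/*
 * Model of the endpoint lookup: 0 for the control endpoint, 1..15 for an
 * IN endpoint, 16..30 for an OUT endpoint, and -1 where a usb_ep_get-style
 * lookup would instead hit its assertion. Real code aborts here; the
 * sentinel just makes the reachable state visible.
 */
int ep_lookup(uint8_t pid, uint8_t ep)
{
    if (ep == 0) {
        return 0;
    }
    if (pid != TOKEN_IN && pid != TOKEN_OUT) {
        return -1;
    }
    return (pid == TOKEN_IN) ? ep : MAX_ENDPOINTS + ep;
}

/* Hardened handling: validate first, look up only on TD_OK. */
int handle_td(uint32_t token, enum td_check *why)
{
    enum td_check c = td_token_validate(token);
    if (why) {
        *why = c;
    }
    if (c != TD_OK) {
        return -1;
    }
    struct td_token t = td_token_decode(token);
    return ep_lookup(t.pid, t.endpoint);
}

int main(void)
{
    /* Constructed tokens: address 1, endpoint 3 or 0, each PID. */
    uint32_t samples[] = { 0x0002d, 0x1812d, 0x18169, 0x181e1, 0x00000 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum td_check why;
        int idx = handle_td(samples[i], &why);
        printf("token 0x%05x -> check %d, lookup %d\n", samples[i], why, idx);
    }
    return 0;
}
```

Rejecting the TD up front, as td_token_validate does for SETUP on a non-zero endpoint, turns a guest-triggerable abort into a host-controller error the emulator can report and recover from; the assertion in the lookup then stays a genuine internal invariant rather than a guest-reachable crash.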

Acknowledgement

CVE-ID: CVE-2024-8354

Reported-by:

  • Antoine "Gravis" Assier de Pompignan from Fuzzinglabs
  • Patrick Ventuzelo from Fuzzinglabs

Host environment

  • Operating system: Ubuntu 23.04
  • OS/kernel version: Linux 6.2.0-39-generic
  • Architecture: x86_64
  • QEMU flavor: qemu-system-x86_64
  • QEMU version: commit at 6af69d02
  • Compiled with: Ubuntu clang version 15.0.7
  • QEMU command line:
QEMU_FUZZ_ARGS="-machine q35 -nodefaults -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 -device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 -device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,multifunction=on,masterbus=ich9-ehci-1.0,firstport=2 -device ich9-usb-uhci3,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport=4 -drive if=none,id=usbcdrom,media=cdrom -device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 -device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom" QEMU_FUZZ_OBJECTS="*usb* *hci*" qemu-fuzz-x86_64 --fuzz-target=generic-fuzz

Steps to reproduce

Minimized reproducer:

cat << EOF | ./qemu/build2/qemu-system-x86_64 -machine q35 -nodefaults \
  -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
  -device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \
  -device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,multifunction=on,masterbus=ich9-ehci-1.0,firstport=2 \
  -device ich9-usb-uhci3,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport=4 \
  -drive if=none,id=usbcdrom,media=cdrom \
  -device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
  -device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
  -qtest stdio
outl 0xcf8 0x8000e900
inw 0xcfc
outl 0xcf8 0x8000e920
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000e920
inl 0xcfc
outl 0xcf8 0x8000e920
outl 0xcfc 0xc001
outl 0xcf8 0x8000e904
inw 0xcfc
outl 0xcf8 0x8000e904
outw 0xcfc 0x7
outl 0xcf8 0x8000e904
inw 0xcfc
outl 0xcf8 0x8000ef00
inw 0xcfc
outl 0xcf8 0x8000ef10
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000ef10
inl 0xcfc
outl 0xcf8 0x8000ef10
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000ef04
inw 0xcfc
outl 0xcf8 0x8000ef04
outw 0xcfc 0x7
outl 0xcf8 0x8000ef04
inw 0xcfc
outl 0xcf8 0x8000ea00
inw 0xcfc
outl 0xcf8 0x8000ea20
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000ea20
inl 0xcfc
outl 0xcf8 0x8000ea20
outl 0xcfc 0xc021
outl 0xcf8 0x8000ea04
inw 0xcfc
outl 0xcf8 0x8000ea04
outw 0xcfc 0x7
outl 0xcf8 0x8000ea04
inw 0xcfc
outl 0xcf8 0x8000e800
inw 0xcfc
outl 0xcf8 0x8000e820
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000e820
inl 0xcfc
outl 0xcf8 0x8000e820
outl 0xcfc 0xc041
outl 0xcf8 0x8000e804
inw 0xcfc
outl 0xcf8 0x8000e804
outw 0xcfc 0x7
outl 0xcf8 0x8000e804
inw 0xcfc
outl 0xcf8 0x8000fa00
inw 0xcfc
outl 0xcf8 0x8000fa20
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000fa20
inl 0xcfc
outl 0xcf8 0x8000fa20
outl 0xcfc 0xc061
outl 0xcf8 0x8000fa24
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000fa24
inl 0xcfc
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0001000
outl 0xcf8 0x8000fa04
inw 0xcfc
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fa04
inw 0xcfc
outl 0xcf8 0x8000ea20
outl 0xcfc 0x625f69a0
outb 0xc040 0x46
outb 0xc040 0x69
inb 0xc000
outb 0xc040 0x46
clock_step
outb 0xc040 0x69
clock_step
write 0x0 0x4 0x64657669
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
write 0xff000000 0x8 0x000000ff6c6f6766
write 0xff000008 0x8 0x8d6c65652d736400
outb 0xc040 0x69
outl 0xcf8 0x8000ef76
outw 0xcfc 0x6563
outb 0xc040 0x46
clock_step
outb 0xc040 0x69
inb 0xc000
clock_step
write 0x4 0x4 0x64657669
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
write 0xff000000 0x8 0x000000ff6c6f6766
write 0xff000008 0x8 0x8d6c65652d736400
outb 0xc040 0x69
outw 0xc003 0x6769
outb 0xc040 0x69
readq 0xe0000074
outb 0xc040 0x46
clock_step
outb 0xc040 0x69
clock_step
write 0x8 0x4 0x00000100
write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
write 0xff000000 0x8 0x6465766963656d69
write 0xff000008 0x8 0x740d00699b652d63
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
clock_step
write 0xc 0x4 0x000000ff
write 0xff000000 0x8 0x0000010000000069
write 0xff000008 0x8 0x636c395f61707269
write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
outw 0xc003 0x6f00
outb 0xc040 0x69
outl 0xc053 0x6378616d
clock_step
write 0x10 0x4 0x000000ff
write 0xff000000 0x8 0x6465766963656d69
write 0xff000008 0x8 0x740d00699b652d63
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
outb 0xc051 0x6d
outb 0xc04f 0x61
outb 0xc040 0x69
clock_step
write 0x14 0x4 0x000000ff
write 0xff000000 0x8 0x0000010000000069
write 0xff000008 0x8 0x636c395f61707269
write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
EOF

Additional information

The crash report triggered by the reproducer is:

[R +0.033173] outl 0xcf8 0x8000e900
[S +0.033189] [R +0.033195] inw 0xcfc
[S +0.033205] [R +0.033212] outl 0xcf8 0x8000e920
[S +0.033218] [R +0.033222] outl 0xcfc 0xffffffff
[S +0.033231] [R +0.033235] outl 0xcf8 0x8000e920
[S +0.033241] [R +0.033245] inl 0xcfc
[S +0.033250] [R +0.033255] outl 0xcf8 0x8000e920
[S +0.033261] [R +0.033265] outl 0xcfc 0xc001
[S +0.033271] [R +0.033275] outl 0xcf8 0x8000e904
[S +0.033281] [R +0.033285] inw 0xcfc
[S +0.033290] [R +0.033295] outl 0xcf8 0x8000e904
[S +0.033300] [R +0.033306] outw 0xcfc 0x7
[S +0.033755] [R +0.033767] outl 0xcf8 0x8000e904
[S +0.033774] [R +0.033779] inw 0xcfc
[S +0.033785] [R +0.033792] outl 0xcf8 0x8000ef00
[S +0.033798] [R +0.033802] inw 0xcfc
[S +0.033808] [R +0.033813] outl 0xcf8 0x8000ef10
[S +0.033818] [R +0.033840] outl 0xcfc 0xffffffff
[S +0.033848] [R +0.033853] outl 0xcf8 0x8000ef10
[S +0.033859] [R +0.033864] inl 0xcfc
[S +0.033870] [R +0.033875] outl 0xcf8 0x8000ef10
[S +0.033880] [R +0.033884] outl 0xcfc 0xe0000000
[S +0.033891] [R +0.033895] outl 0xcf8 0x8000ef04
[S +0.033901] [R +0.033904] inw 0xcfc
[S +0.033909] [R +0.033916] outl 0xcf8 0x8000ef04
[S +0.033922] [R +0.033926] outw 0xcfc 0x7
[S +0.034381] [R +0.034389] outl 0xcf8 0x8000ef04
[S +0.034395] [R +0.034399] inw 0xcfc
[S +0.034405] [R +0.034412] outl 0xcf8 0x8000ea00
[S +0.034417] [R +0.034421] inw 0xcfc
[S +0.034427] [R +0.034431] outl 0xcf8 0x8000ea20
[S +0.034437] [R +0.034441] outl 0xcfc 0xffffffff
[S +0.034448] [R +0.034452] outl 0xcf8 0x8000ea20
[S +0.034457] [R +0.034463] inl 0xcfc
[S +0.034469] [R +0.034474] outl 0xcf8 0x8000ea20
[S +0.034480] [R +0.034484] outl 0xcfc 0xc021
[S +0.034490] [R +0.034494] outl 0xcf8 0x8000ea04
[S +0.034500] [R +0.034504] inw 0xcfc
[S +0.034509] [R +0.034515] outl 0xcf8 0x8000ea04
[S +0.034521] [R +0.034525] outw 0xcfc 0x7
[S +0.034948] [R +0.034955] outl 0xcf8 0x8000ea04
[S +0.034961] [R +0.034965] inw 0xcfc
[S +0.034971] [R +0.034989] outl 0xcf8 0x8000e800
[S +0.034996] [R +0.035000] inw 0xcfc
[S +0.035005] [R +0.035010] outl 0xcf8 0x8000e820
[S +0.035016] [R +0.035020] outl 0xcfc 0xffffffff
[S +0.035027] [R +0.035033] outl 0xcf8 0x8000e820
[S +0.035039] [R +0.035043] inl 0xcfc
[S +0.035048] [R +0.035053] outl 0xcf8 0x8000e820
[S +0.035059] [R +0.035065] outl 0xcfc 0xc041
[S +0.035071] [R +0.035075] outl 0xcf8 0x8000e804
[S +0.035081] [R +0.035084] inw 0xcfc
[S +0.035089] [R +0.035094] outl 0xcf8 0x8000e804
[S +0.035100] [R +0.035103] outw 0xcfc 0x7
[S +0.035525] [R +0.035532] outl 0xcf8 0x8000e804
[S +0.035538] [R +0.035542] inw 0xcfc
[S +0.035548] [R +0.035553] outl 0xcf8 0x8000fa00
[S +0.035558] [R +0.035562] inw 0xcfc
[S +0.035567] [R +0.035572] outl 0xcf8 0x8000fa20
[S +0.035578] [R +0.035581] outl 0xcfc 0xffffffff
[S +0.035589] [R +0.035594] outl 0xcf8 0x8000fa20
[S +0.035600] [R +0.035604] inl 0xcfc
[S +0.035609] [R +0.035613] outl 0xcf8 0x8000fa20
[S +0.035618] [R +0.035623] outl 0xcfc 0xc061
[S +0.035629] [R +0.035633] outl 0xcf8 0x8000fa24
[S +0.035638] [R +0.035642] outl 0xcfc 0xffffffff
[S +0.035648] [R +0.035652] outl 0xcf8 0x8000fa24
[S +0.035658] [R +0.035664] inl 0xcfc
[S +0.035669] [R +0.035673] outl 0xcf8 0x8000fa24
[S +0.035679] [R +0.035683] outl 0xcfc 0xe0001000
[S +0.035689] [R +0.035696] outl 0xcf8 0x8000fa04
[S +0.035702] [R +0.035706] inw 0xcfc
[S +0.035711] [R +0.035716] outl 0xcf8 0x8000fa04
[S +0.035722] [R +0.035725] outw 0xcfc 0x7
[S +0.036402] [R +0.036412] outl 0xcf8 0x8000fa04
[S +0.036418] [R +0.036422] inw 0xcfc
[S +0.036434] [R +0.036442] outl 0xcf8 0x8000ea20
[S +0.036448] [R +0.036463] outl 0xcfc 0x625f69a0
[S +0.036906] [I +0.036981] CLOSED
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x46
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] inb 0xc000
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x46
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x0 0x4 0x64657669
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000000 0x8 0x000000ff6c6f6766
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000008 0x8 0x8d6c65652d736400
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outl 0xcf8 0x8000ef76
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outw 0xcfc 0x6563
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x46
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] inb 0xc000
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x4 0x4 0x64657669
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000000 0x8 0x000000ff6c6f6766
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000008 0x8 0x8d6c65652d736400
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outw 0xc003 0x6769
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] readq 0xe0000074
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x46
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x8 0x4 0x00000100
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000000 0x8 0x6465766963656d69
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000008 0x8 0x740d00699b652d63
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xc 0x4 0x000000ff
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000000 0x8 0x0000010000000069
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000008 0x8 0x636c395f61707269
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outw 0xc003 0x6f00
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outl 0xc053 0x6378616d
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x10 0x4 0x000000ff
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000000 0x8 0x6465766963656d69
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000008 0x8 0x740d00699b652d63
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766560 0x8 0x000000ff6c46f228
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x69766568 0x8 0x2d323334319c6c65
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc051 0x6d
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc04f 0x61
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outb 0xc040 0x69
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x14 0x4 0x000000ff
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000000 0x8 0x0000010000000069
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0xff000008 0x8 0x636c395f61707269
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
qemu-fuzz-x86_64: ../hw/usb/core.c:744: struct USBEndpoint *usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
==892641== ERROR: libFuzzer: deadly signal
    #0 0x557dd985fc41 in __sanitizer_print_stack_trace (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x20b2c41) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #1 0x557dd97cfa58 in fuzzer::PrintStackTrace() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2022a58) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #2 0x557dd97b5ae3 in fuzzer::Fuzzer::CrashCallback() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2008ae3) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #3 0x7fd7e623c45f  (/lib/x86_64-linux-gnu/libc.so.6+0x3c45f) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
    #4 0x7fd7e629152a in __pthread_kill_implementation nptl/pthread_kill.c:43:17
    #5 0x7fd7e629152a in __pthread_kill_internal nptl/pthread_kill.c:78:10
    #6 0x7fd7e629152a in pthread_kill nptl/pthread_kill.c:89:10
    #7 0x7fd7e623c3b5 in raise signal/../sysdeps/posix/raise.c:26:13
    #8 0x7fd7e622287b in abort stdlib/abort.c:79:7
    #9 0x7fd7e622279a in __assert_fail_base assert/assert.c:92:3
    #10 0x7fd7e6233b65 in __assert_fail assert/assert.c:101:3
    #11 0x557dda3b67c6 in usb_ep_get /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/core.c:744:5
    #12 0x557dda3d8820 in uhci_handle_td /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:819:14
    #13 0x557dda3d41ed in uhci_process_frame /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1022:15
    #14 0x557dda3cbf7e in uhci_frame_timer /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1121:9
    #15 0x557ddb90c0ff in timerlist_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:576:9
    #16 0x557ddb90d3e8 in qemu_clock_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:590:12
    #17 0x557ddb90d3e8 in qemu_clock_advance_virtual_time /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:696:9
    #18 0x557dda67fa2f in qtest_process_command /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:722:9
    #19 0x557dda67b3bb in qtest_process_inbuf /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:776:9
    #20 0x557dda67acf6 in qtest_server_inproc_recv /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:907:9
    #21 0x557ddb5fa3e2 in qtest_sendf /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:640:5
    #22 0x557ddb5fa4f4 in qtest_clock_step_next /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:1009:5
    #23 0x557ddb67c2ef in generic_fuzz /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/generic_fuzz.c:667:13
    #24 0x557ddb66e807 in LLVMFuzzerTestOneInput /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/fuzz.c:158:5
    #25 0x557dd97b6f52 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2009f52) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #26 0x557dd97a1080 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff4080) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #27 0x557dd97a6d07 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff9d07) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #28 0x557dd97d0292 in main (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2023292) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #29 0x7fd7e6223a8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7fd7e6223b48 in __libc_start_main csu/../csu/libc-start.c:360:3
    #31 0x557dd979b884 in _start (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1fee884) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
Edited by Michael Tokarev