vmxnet3: Assertion failure in eth_setup_ip4_fragmentation
Hello,
Reproducer
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
user,id=net0 -qtest /dev/null -qtest stdio
outl 0xcf8 0x80000814
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000812
outl 0xcfc 0x2000
outl 0xcf8 0x80000815
outb 0xcfc 0x40
write 0x0 0x1 0xe1
write 0x1 0x1 0xfe
write 0x2 0x1 0xbe
write 0x3 0x1 0xba
write 0x28 0x1 0xff
write 0x29 0x1 0xff
write 0x2a 0x1 0xff
write 0x2b 0x1 0xff
write 0x2c 0x1 0xff
write 0x2d 0x1 0xff
write 0x2e 0x1 0xff
write 0x2f 0x1 0xff
write 0x37 0x1 0x40
write 0x3e 0x1 0x01
write 0xe0004020 0x4 0x0000feca
write 0x9 0x1 0x40
write 0xd 0x1 0x10
write 0x12 0x1 0x10
write 0x19 0x1 0x40
write 0x1b 0x1 0x21
write 0x1d 0x1 0x0c
write 0x2d 0x1 0x00
write 0x10000c 0x1 0x08
write 0x10000e 0x1 0x45
write 0x100017 0x1 0x11
write 0x20000600 0x1 0x00
write 0x38 0x1 0x01
write 0x39 0x1 0x40
write 0x48 0x1 0x01
write 0x49 0x1 0x40
write 0x58 0x1 0x01
write 0x59 0x1 0x40
write 0x68 0x1 0x01
write 0x69 0x1 0x40
write 0x78 0x1 0x01
write 0x79 0x1 0x40
write 0x88 0x1 0x01
write 0x89 0x1 0x40
write 0x98 0x1 0x01
write 0x99 0x1 0x40
write 0xa8 0x1 0x01
write 0xa9 0x1 0x40
write 0xb8 0x1 0x01
write 0xb9 0x1 0x40
write 0xc8 0x1 0x01
write 0xc9 0x1 0x40
write 0xd8 0x1 0x01
write 0xd9 0x1 0x40
write 0xe8 0x1 0x01
write 0xe9 0x1 0x40
write 0xf8 0x1 0x01
write 0xf9 0x1 0x40
write 0x108 0x1 0x01
write 0x109 0x1 0x40
write 0x118 0x1 0x01
write 0x119 0x1 0x40
write 0x128 0x1 0x01
write 0x129 0x1 0x40
write 0x138 0x1 0x01
write 0x139 0x1 0x40
write 0x148 0x1 0x01
write 0x149 0x1 0x40
write 0x158 0x1 0x01
write 0x159 0x1 0x40
write 0x168 0x1 0x01
write 0x169 0x1 0x40
write 0x178 0x1 0x01
write 0x179 0x1 0x40
write 0x188 0x1 0x01
write 0x189 0x1 0x40
write 0x198 0x1 0x01
write 0x199 0x1 0x40
write 0x1a8 0x1 0x01
write 0x1a9 0x1 0x40
write 0x1b8 0x1 0x01
write 0x1b9 0x1 0x40
write 0x1c8 0x1 0x01
write 0x1c9 0x1 0x40
write 0x1d8 0x1 0x01
write 0x1d9 0x1 0x40
write 0x1e8 0x1 0x01
write 0x1e9 0x1 0x40
write 0x1f8 0x1 0x01
write 0x1f9 0x1 0x40
write 0x208 0x1 0x01
write 0x209 0x1 0x40
write 0x218 0x1 0x01
write 0x219 0x1 0x40
write 0x228 0x1 0x01
write 0x229 0x1 0x40
write 0x238 0x1 0x01
write 0x239 0x1 0x40
write 0x248 0x1 0x01
write 0x249 0x1 0x40
write 0x258 0x1 0x01
write 0x259 0x1 0x40
write 0x268 0x1 0x01
write 0x269 0x1 0x40
write 0x278 0x1 0x01
write 0x279 0x1 0x40
write 0x288 0x1 0x01
write 0x289 0x1 0x40
write 0x298 0x1 0x01
write 0x299 0x1 0x40
write 0x2a8 0x1 0x01
write 0x2a9 0x1 0x40
write 0x2b8 0x1 0x01
write 0x2b9 0x1 0x40
write 0x2c8 0x1 0x01
write 0x2c9 0x1 0x40
write 0x2d8 0x1 0x01
write 0x2d9 0x1 0x40
write 0x2e8 0x1 0x01
write 0x2e9 0x1 0x40
write 0x2f8 0x1 0x01
write 0x2f9 0x1 0x40
write 0x308 0x1 0x01
write 0x309 0x1 0x40
write 0x318 0x1 0x01
write 0x319 0x1 0x40
write 0x328 0x1 0x01
write 0x329 0x1 0x40
write 0x338 0x1 0x01
write 0x339 0x1 0x40
write 0x348 0x1 0x01
write 0x349 0x1 0x40
write 0x358 0x1 0x01
write 0x359 0x1 0x40
write 0x368 0x1 0x01
write 0x369 0x1 0x40
write 0x378 0x1 0x01
write 0x379 0x1 0x40
write 0x388 0x1 0x01
write 0x389 0x1 0x40
write 0x398 0x1 0x01
write 0x399 0x1 0x40
write 0x3a8 0x1 0x01
write 0x3a9 0x1 0x40
write 0x3b8 0x1 0x01
write 0x3b9 0x1 0x40
write 0x3c8 0x1 0x01
write 0x3c9 0x1 0x40
write 0x3d8 0x1 0x01
write 0x3d9 0x1 0x40
write 0x3e8 0x1 0x01
write 0x3e9 0x1 0x40
write 0x3f8 0x1 0x01
write 0x3f9 0x1 0x40
write 0xd 0x1 0x10
write 0x20000600 0x1 0x00
EOF
Stack trace (the abort is reached from a guest MMIO write to BAR0, via vmxnet3_io_bar0_write and the TX-queue processing path below, so a guest driver can terminate the QEMU process by triggering this assertion)
target-generic-fuzz-vmxnet3: ../net/eth.c:334: void eth_setup_ip4_fragmentation(const void *, size_t, void *, size_t, size_t, size_t, _Bool): Assertion `frag_offset % IP_FRAG_UNIT_SIZE == 0' failed.
#0 0x7f50e5ec5438 in raise
#1 0x7f50e5ec7039 in abort
#2 0x7f50e5ebdbe6 in libc.so.6
#3 0x7f50e5ebdc91 in __assert_fail
#4 0x55e179d1429d in eth_setup_ip4_fragmentation /src/qemu/net/eth.c:334:9
#5 0x55e179f4adf7 in net_tx_pkt_do_sw_fragmentation /src/qemu/hw/net/net_tx_pkt.c:595:9
#6 0x55e179f4a29f in net_tx_pkt_send /src/qemu/hw/net/net_tx_pkt.c:638:12
#7 0x55e179f95ec0 in vmxnet3_send_packet /src/qemu/hw/net/vmxnet3.c:625:10
#8 0x55e179f958f0 in vmxnet3_process_tx_queue /src/qemu/hw/net/vmxnet3.c:671:17
#9 0x55e179f95224 in vmxnet3_io_bar0_write /src/qemu/hw/net/vmxnet3.c:1097:9
#10 0x55e17a3b11f7 in memory_region_write_accessor /src/qemu/softmmu/memory.c:489:5
#11 0x55e17a3b1082 in access_with_adjusted_size /src/qemu/softmmu/memory.c:550:18
#12 0x55e17a3b08e1 in memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#13 0x55e17a39f2f7 in flatview_write_continue /src/qemu/softmmu/physmem.c:2778:23
#14 0x55e17a399fec in flatview_write /src/qemu/softmmu/physmem.c:2818:14
#15 0x55e17a399e07 in address_space_write /src/qemu/softmmu/physmem.c:2910:18
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35799
libqtest Reproducer: reproducer.c
Thank you
Edited by Alexander Bulekov