
Assertion failure in iov_from_buf_full through the e1000e

This was originally reported at: https://bugs.launchpad.net/qemu/+bug/1878250

Hello,

Reproducer

```
cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 -nographic -qtest stdio \
-monitor none -serial none
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001004
outw 0xcfc 0x06
write 0xe10207e8 0x4 0x00002d05
write 0xe10207f0 0x4 0x5e000002
write 0xe10207f8 0x4 0x24001025
write 0x200006a 0x1 0x08
write 0x200006c 0x1 0x05
write 0x2000075 0x1 0x06
write 0xe1020098 0x4 0x000006ff
write 0xe1020402 0x2 0x0200
write 0xe1020420 0x4 0x010002e1
write 0xe1020428 0x4 0x010001
write 0xe1020438 0x1 0x20
write 0xe1020439 0x1 0x00
EOF
```

Stack-Trace

```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:54:13 in
../net/eth.c:54:13: runtime error: load of misaligned address 0x631000028846 for type 'uint8_t' (aka 'unsigned char'), which requires 4 byte alignment
0x631000028846: note: pointer points here
00 00 00 00 05 00  00 00 00 00 00 00 00 06  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
^
    #0 0x564919c29873 in eth_get_gso_type ../net/eth.c:54:13
    #1 0x564919cf2829 in net_tx_pkt_get_gso_type ../hw/net/net_tx_pkt.c:300:10
    #2 0x564919cf2829 in net_tx_pkt_build_vheader ../hw/net/net_tx_pkt.c:316:30
    #3 0x56491996049c in e1000e_setup_tx_offloads ../hw/net/e1000e_core.c:630:9
    #4 0x56491996049c in e1000e_tx_pkt_send ../hw/net/e1000e_core.c:651:5
    #5 0x56491996049c in e1000e_process_tx_desc ../hw/net/e1000e_core.c:736:17
    #6 0x56491996049c in e1000e_start_xmit ../hw/net/e1000e_core.c:927:9
    #7 0x564919959a92 in e1000e_set_tdt ../hw/net/e1000e_core.c:2442:9
    #8 0x56491993903e in e1000e_core_write ../hw/net/e1000e_core.c:3254:9
    #9 0x56491a6bdf75 in memory_region_write_accessor ../softmmu/memory.c:492:5
    #10 0x56491a6bda9a in access_with_adjusted_size ../softmmu/memory.c:554:18
    #11 0x56491a6bd55f in memory_region_dispatch_write ../softmmu/memory.c
    #12 0x56491a823e26 in flatview_write_continue ../softmmu/physmem.c:2777:23
    #13 0x56491a81b995 in flatview_write ../softmmu/physmem.c:2817:14
    #14 0x56491a81b995 in address_space_write ../softmmu/physmem.c:2909:18
    #15 0x56491a7560cf in qtest_process_command ../softmmu/qtest.c:670:9
    #16 0x56491a751b58 in qtest_process_inbuf ../softmmu/qtest.c:813:9
    #17 0x56491a8f8e14 in fd_chr_read ../chardev/char-fd.c:73:9
    #18 0x7fd537564d6e in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51d6e)
    #19 0x56491af58053 in glib_pollfds_poll ../util/main-loop.c:232:9
    #20 0x56491af58053 in os_host_main_loop_wait ../util/main-loop.c:255:5
    #21 0x56491af58053 in main_loop_wait ../util/main-loop.c:531:11
    #22 0x56491a5c30c6 in qemu_main_loop ../softmmu/runstate.c:726:9
    #23 0x56491913185a in main ../softmmu/main.c:50:5
    #24 0x7fd535cc3d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #25 0x564919085259 in _start (system-i386+0x2204259)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../net/eth.c:54:13 in
qemu-system-i386: ../util/iov.c:40: size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t, const void *, size_t): Assertion `offset == 0' failed.
Aborted
```
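Added example, not code from this report or from QEMU: it shows why an IPv4 header that follows a 14-byte Ethernet header sits at an address that is 2 mod 4 (the misaligned address above ends in 0x...846), and the copy-into-an-aligned-local pattern that reads such a header without the misaligned load UBSan flags in eth_get_gso_type. The struct layout, function names and frame bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14

/* Minimal IPv4 header; the uint32_t members give the struct 4-byte alignment,
 * so casting an arbitrary byte pointer to it is only valid when that pointer
 * is itself 4-byte aligned (UBSan's -fsanitize=alignment checks exactly this). */
struct ipv4_hdr {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t csum;
    uint32_t saddr;
    uint32_t daddr;
};

/* Constructed frame: Ethernet header (dst, src, ethertype 0x0800) followed by a
 * 20-byte IPv4 header with version 4 and protocol 6. Forced to 4-byte alignment
 * so that frame + ETH_HLEN is provably 2 mod 4, as in a real packet buffer. */
static _Alignas(4) const uint8_t frame[ETH_HLEN + 20] = {
    0x52,0x54,0x00,0x12,0x34,0x56, 0x52,0x54,0x00,0x65,0x43,0x21, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
};

/* How far the L3 header is from 4-byte alignment: 2 for this frame. */
size_t l3_misalignment(void)
{
    return (uintptr_t)(frame + ETH_HLEN) % 4;
}

/* Return the IP version at l3_hdr, or 0 if the header is truncated.
 * memcpy into an aligned local has no alignment requirement on l3_hdr; the
 * unsafe form would be ((struct ipv4_hdr *)l3_hdr)->ver_ihl. */
int ip_version_aligned(const uint8_t *l3_hdr, size_t l3_len)
{
    struct ipv4_hdr h;
    if (l3_len < sizeof h) {
        return 0;   /* bounds check before reading any header field */
    }
    memcpy(&h, l3_hdr, sizeof h);
    return h.ver_ihl >> 4;
}

int main(void)
{
    printf("l3 offset mod 4 = %zu, ip version = %d\n", l3_misalignment(),
           ip_version_aligned(frame + ETH_HLEN, sizeof frame - ETH_HLEN));
    return 0;
}
```

Building with `-fsanitize=alignment` and replacing the memcpy with the cast shown in the comment reproduces the same class of UBSan report as the trace above.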

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1878250

libqtest Reproducer: 1878250.c

Thank you

Edited by Alexander Bulekov