Stack-overflow through pcnet_tmd_load
Hello,
Reproducer (shell wrapper plus qtest script on stdin):
# Let ASan handle SIGSEGV itself so the stack overflow is reported with a
# symbolized trace rather than a bare crash.
export ASAN_OPTIONS=handle_segv=2

# QEMU command line from the report, one option word per array element.
# Note: "accel=qtest," keeps its trailing comma exactly as originally given.
qemu_argv=(
  -display none
  -machine accel=qtest,
  -m 512M
  -machine q35
  -nodefaults
  -device pcnet,netdev=net0
  -netdev user,id=net0
  -qtest stdio
)

# The here-document is the qtest command script (outl/outw/inl/write/
# clock_step) and is passed verbatim on stdin. The delimiter is quoted
# because the script contains no shell expansions.
./qemu-system-i386 "${qemu_argv[@]}" <<'EOF'
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outl 0xcf8 0x80000815
outl 0xcfc 0xfffffd
outl 0xc011 0x1400
outl 0xc015 0x100
inl 0xc012
write 0x3 0x1 0x10
write 0x18 0x1 0xf9
write 0x19 0x1 0xfc
write 0x1a 0x1 0xff
write 0x1b 0x1 0xff
outw 0xc010 0x01
outw 0xc010 0x02
clock_step
clock_step
EOF
Stack-Trace (frames #17–#23 repeat: the DMA read issued from pcnet_tmd_load appears to be dispatched back into the device's own I/O port region, pcnet_ioport_read, which re-enters pcnet_poll_timer → pcnet_poll → pcnet_tdte_poll → pcnet_tmd_load, so the recursion never terminates):
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1558451==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0d9b6f20 (pc 0x55f9a1fc8a18 bp 0x7ffe0d9b79f0 sp 0x7ffe0d9b6f20 T0)
#0 0x55f9a1fc8a18 in pcnet_rdte_poll ../hw/net/pcnet.c:874
#1 0x55f9a1fd2a4b in pcnet_poll ../hw/net/pcnet.c:1303:9
#2 0x55f9a1fdcdbd in pcnet_poll_timer ../hw/net/pcnet.c:1334:17
#3 0x55f9a1fe2412 in pcnet_ioport_readl ../hw/net/pcnet.c:1660:5
#4 0x55f9a155d5cf in pcnet_ioport_read ../hw/net/pcnet-pci.c:107:20
#5 0x55f9a304e516 in memory_region_read_accessor ../softmmu/memory.c:440:11
#6 0x55f9a30004aa in access_with_adjusted_size ../softmmu/memory.c:554:18
#7 0x55f9a2ffd67a in memory_region_dispatch_read1 ../softmmu/memory.c:1424:16
#8 0x55f9a2ffcccb in memory_region_dispatch_read ../softmmu/memory.c:1452:9
#9 0x55f9a323afe7 in flatview_read_continue ../softmmu/physmem.c:2841:23
#10 0x55f9a323c875 in flatview_read ../softmmu/physmem.c:2880:12
#11 0x55f9a323c3fe in address_space_read_full ../softmmu/physmem.c:2893:18
#12 0x55f9a323d404 in address_space_rw ../softmmu/physmem.c:2921:16
#13 0x55f9a1560ab7 in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
#14 0x55f9a15603e5 in dma_memory_rw include/sysemu/dma.h:127:12
#15 0x55f9a156032d in pci_dma_rw include/hw/pci/pci.h:806:12
#16 0x55f9a1560287 in pci_dma_read include/hw/pci/pci.h:824:12
#17 0x55f9a155c7a1 in pci_physical_memory_read ../hw/net/pcnet-pci.c:178:5
#18 0x55f9a1ff5d0e in pcnet_tmd_load ../hw/net/pcnet.c:315:9
#19 0x55f9a1fe7382 in pcnet_tdte_poll ../hw/net/pcnet.c:954:9
#20 0x55f9a1fd3036 in pcnet_poll ../hw/net/pcnet.c:1306:57
#21 0x55f9a1fdcdbd in pcnet_poll_timer ../hw/net/pcnet.c:1334:17
#22 0x55f9a1fe2412 in pcnet_ioport_readl ../hw/net/pcnet.c:1660:5
#23 0x55f9a155d5cf in pcnet_ioport_read ../hw/net/pcnet-pci.c:107:20
#24 0x55f9a304e516 in memory_region_read_accessor ../softmmu/memory.c:440:11
#25 0x55f9a30004aa in access_with_adjusted_size ../softmmu/memory.c:554:18
#26 0x55f9a2ffd67a in memory_region_dispatch_read1 ../softmmu/memory.c:1424:16
#27 0x55f9a2ffcccb in memory_region_dispatch_read ../softmmu/memory.c:1452:9
#28 0x55f9a323afe7 in flatview_read_continue ../softmmu/physmem.c:2841:23
#29 0x55f9a323c875 in flatview_read ../softmmu/physmem.c:2880:12
#30 0x55f9a323c3fe in address_space_read_full ../softmmu/physmem.c:2893:18
#31 0x55f9a323d404 in address_space_rw ../softmmu/physmem.c:2921:16
#32 0x55f9a1560ab7 in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
#33 0x55f9a15603e5 in dma_memory_rw include/sysemu/dma.h:127:12
#34 0x55f9a156032d in pci_dma_rw include/hw/pci/pci.h:806:12
#35 0x55f9a1560287 in pci_dma_read include/hw/pci/pci.h:824:12
#36 0x55f9a155c7a1 in pci_physical_memory_read ../hw/net/pcnet-pci.c:178:5
...
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33247
libqtest Reproducer: reproducer.c
Thank you