QEMU-Devel Archive mirror
* [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
@ 2021-01-07 22:25 Alexander Bulekov
  2021-01-15 16:09 ` [Bug 1910603] " Peter Maydell
                   ` (5 more replies)
  0 siblings, 6 replies; 14+ messages in thread
From: Alexander Bulekov @ 2021-01-07 22:25 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

=== Reproducer ===
cat << EOF | ../build-system/qemu-system-i386 \
-machine q35 -device sb16,audiodev=snd0 \
-audiodev none,id=snd0 -nographic -nodefaults \
-qtest stdio
outw 0x22c 0x41
outb 0x22c 0x0
outw 0x22c 0x1004
outw 0x22c 0x1c
EOF

=== Stack Trace ===
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
Aborted

#0 raise
#1 abort
#2 audio_bug /src/qemu/audio/audio.c:119:9
#3 audio_calloc /src/qemu/audio/audio.c:154:9
#4 audio_pcm_sw_alloc_resources_out /src/qemu/audio/audio_template.h:116:15
#5 audio_pcm_sw_init_out /src/qemu/audio/audio_template.h:175:11
#6 audio_pcm_create_voice_pair_out /src/qemu/audio/audio_template.h:410:9
#7 AUD_open_out /src/qemu/audio/audio_template.h:503:14
#8 continue_dma8 /src/qemu/hw/audio/sb16.c:216:20
#9 dma_cmd8 /src/qemu/hw/audio/sb16.c:276:5
#10 command /src/qemu/hw/audio/sb16.c:0
#11 dsp_write /src/qemu/hw/audio/sb16.c:949:13
#12 portio_write /src/qemu/softmmu/ioport.c:205:13
#13 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
#14 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
#15 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
#16 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
#17 flatview_write /src/qemu/softmmu/physmem.c:2799:14
#18 address_space_write /src/qemu/softmmu/physmem.c:2891:18
#19 cpu_outw /src/qemu/softmmu/ioport.c:70:5


OSS-Fuzz Report:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1910603

Title:
  [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug

Status in QEMU:
  New

Bug description:
  === Reproducer ===
  cat << EOF | ../build-system/qemu-system-i386 \
  -machine q35 -device sb16,audiodev=snd0 \
  -audiodev none,id=snd0 -nographic -nodefaults \
  -qtest stdio
  outw 0x22c 0x41
  outb 0x22c 0x0
  outw 0x22c 0x1004
  outw 0x22c 0x1c
  EOF

  === Stack Trace ===
  A bug was just triggered in audio_calloc
  Save all your work and restart without audio
  I am sorry
  Context:
  Aborted

  #0 raise
  #1 abort
  #2 audio_bug /src/qemu/audio/audio.c:119:9
  #3 audio_calloc /src/qemu/audio/audio.c:154:9
  #4 audio_pcm_sw_alloc_resources_out /src/qemu/audio/audio_template.h:116:15
  #5 audio_pcm_sw_init_out /src/qemu/audio/audio_template.h:175:11
  #6 audio_pcm_create_voice_pair_out /src/qemu/audio/audio_template.h:410:9
  #7 AUD_open_out /src/qemu/audio/audio_template.h:503:14
  #8 continue_dma8 /src/qemu/hw/audio/sb16.c:216:20
  #9 dma_cmd8 /src/qemu/hw/audio/sb16.c:276:5
  #10 command /src/qemu/hw/audio/sb16.c:0
  #11 dsp_write /src/qemu/hw/audio/sb16.c:949:13
  #12 portio_write /src/qemu/softmmu/ioport.c:205:13
  #13 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
  #14 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
  #15 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
  #16 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
  #17 flatview_write /src/qemu/softmmu/physmem.c:2799:14
  #18 address_space_write /src/qemu/softmmu/physmem.c:2891:18
  #19 cpu_outw /src/qemu/softmmu/ioport.c:70:5

  
  OSS-Fuzz Report:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1910603/+subscriptions



* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
  2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
@ 2021-01-15 16:09 ` Peter Maydell
  2021-05-26 15:31 ` Thomas Huth
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Peter Maydell @ 2021-01-15 16:09 UTC (permalink / raw)
  To: qemu-devel

** Tags added: fuzzer




* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
  2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
  2021-01-15 16:09 ` [Bug 1910603] " Peter Maydell
@ 2021-05-26 15:31 ` Thomas Huth
  2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: Thomas Huth @ 2021-05-26 15:31 UTC (permalink / raw)
  To: qemu-devel

This is still reproducible with the current version of QEMU. Marking
this as "Confirmed".

** Changed in: qemu
       Status: New => Confirmed

** Tags added: audio




* [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
@ 2021-06-01 15:18 ` Philippe Mathieu-Daudé
  2021-06-01 15:18   ` [Bug 1910603] " Philippe Mathieu-Daudé
  2021-06-14 11:13   ` Philippe Mathieu-Daudé
  0 siblings, 2 replies; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-01 15:18 UTC (permalink / raw)
  To: qemu-devel
  Cc: 1910603, Alexander Bulekov, Gerd Hoffmann,
	Philippe Mathieu-Daudé

While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
Hardware Programming Guide" limits the sampling range from 4000 Hz to
44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
3-2 and 3-3).

Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
42h registers (Set digitized sound output sampling rate):

  Valid sampling rates range from 5000 to 45000 Hz inclusive.

There is no comment regarding error handling if the register is filled
with an out-of-range value.  (See also section 3-28 "8-bit or 16-bit
Auto-initialize Transfer"). Assume limits are enforced in hardware.

This fixes triggering an assertion in audio_calloc():

  #1 abort
  #2 audio_bug audio/audio.c:119:9
  #3 audio_calloc audio/audio.c:154:9
  #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
  #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
  #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
  #7 AUD_open_out audio/audio_template.h:503:14
  #8 continue_dma8 hw/audio/sb16.c:216:20
  #9 dma_cmd8 hw/audio/sb16.c:276:5
  #10 command hw/audio/sb16.c:0
  #11 dsp_write hw/audio/sb16.c:949:13
  #12 portio_write softmmu/ioport.c:205:13
  #13 memory_region_write_accessor softmmu/memory.c:491:5
  #14 access_with_adjusted_size softmmu/memory.c:552:18
  #15 memory_region_dispatch_write softmmu/memory.c:0:13
  #16 flatview_write_continue softmmu/physmem.c:2759:23
  #17 flatview_write softmmu/physmem.c:2799:14
  #18 address_space_write softmmu/physmem.c:2891:18
  #19 cpu_outw softmmu/ioport.c:70:5

[*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html

Fixes: 85571bc7415 ("audio merge (malc)")
Buglink: https://bugs.launchpad.net/bugs/1910603
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/audio/sb16.c              | 14 ++++++++++
 tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++
 MAINTAINERS                  |  1 +
 tests/qtest/meson.build      |  1 +
 4 files changed, 68 insertions(+)
 create mode 100644 tests/qtest/fuzz-sb16-test.c

diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
index 8b207004102..5cf121fe363 100644
--- a/hw/audio/sb16.c
+++ b/hw/audio/sb16.c
@@ -115,6 +115,9 @@ struct SB16State {
     PortioList portio_list;
 };
 
+#define SAMPLE_RATE_MIN 5000
+#define SAMPLE_RATE_MAX 45000
+
 static void SB_audio_callback (void *opaque, int free);
 
 static int magic_of_irq (int irq)
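Review bot: the two new limits deserve a comment recording their source, because the commit message itself cites two different ranges (4000 to 44100 Hz from tables 3-2/3-3, 5000 to 45000 Hz from section 6-15) and a later reader of sb16.c will not have the commit message at hand. A line such as `/* Programming Guide section 6-15: valid rates are 5000..45000 Hz inclusive */` above `#define SAMPLE_RATE_MIN 5000` would settle which range was chosen and why.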
@@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len)
         int tmp = (256 - s->time_const);
         s->freq = (1000000 + (tmp / 2)) / tmp;
     }
+    if (s->freq < SAMPLE_RATE_MIN) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sampling range too low: %d, increasing to %u\n",
+                      s->freq, SAMPLE_RATE_MIN);
+        s->freq = SAMPLE_RATE_MIN;
+    } else if (s->freq > SAMPLE_RATE_MAX) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sampling range too high: %d, decreasing to %u\n",
+                      s->freq, SAMPLE_RATE_MAX);
+        s->freq = SAMPLE_RATE_MAX;
+    }
 
     if (dma_len != -1) {
         s->block_size = dma_len << s->fmt_stereo;
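Review bot: the clamp is applied only inside dma_cmd8(), while the commit message describes the limit as a property of the 41h/42h rate commands themselves; if s->freq is consumed by any DMA path other than dma_cmd8() (the 16-bit transfer commands are not shown in this hunk), an out-of-range value would still reach AUD_open_out() unclamped there, so either clamp at the point where s->freq is assigned or state in the commit message why the 8-bit path is the only one that needs it. Two smaller points in the same block: the log text says "sampling range too low/high" where "sampling rate" is meant, and SAMPLE_RATE_MIN/MAX are plain int literals printed with `%u`; `%d` for both arguments keeps the format and the types in agreement.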
diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c
new file mode 100644
index 00000000000..51030cd7dc4
--- /dev/null
+++ b/tests/qtest/fuzz-sb16-test.c
@@ -0,0 +1,52 @@
+/*
+ * QTest fuzzer-generated testcase for sb16 audio device
+ *
+ * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "libqos/libqtest.h"
+
+/*
+ * This used to trigger the assert in audio_calloc
+ * https://bugs.launchpad.net/qemu/+bug/1910603
+ */
+static void test_fuzz_sb16_0x1c(void)
+{
+    QTestState *s = qtest_init("-M q35 -display none "
+                               "-device sb16,audiodev=snd0 "
+                               "-audiodev none,id=snd0");
+    qtest_outw(s, 0x22c, 0x41);
+    qtest_outb(s, 0x22c, 0x00);
+    qtest_outw(s, 0x22c, 0x1004);
+    qtest_outw(s, 0x22c, 0x001c);
+    qtest_quit(s);
+}
+
+static void test_fuzz_sb16_0x91(void)
+{
+    QTestState *s = qtest_init("-M pc -display none "
+                               "-device sb16,audiodev=none "
+                               "-audiodev id=none,driver=none");
+    qtest_outw(s, 0x22c, 0xf141);
+    qtest_outb(s, 0x22c, 0x00);
+    qtest_outb(s, 0x22c, 0x24);
+    qtest_outb(s, 0x22c, 0x91);
+    qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "i386") == 0) {
+        qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c);
+        qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91);
+   }
+
+   return g_test_run();
+}
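Review bot: main() mixes three-space and four-space indentation (the `if (strcmp(arch, "i386") == 0) {` line, its closing brace and `return g_test_run();` are indented by three spaces while the rest of the file uses four), which checkpatch will flag; please reindent. Also, test_fuzz_sb16_0x91 has no comment saying what it reproduces, unlike test_fuzz_sb16_0x1c, and the 0x91 sequence is not mentioned in the commit message at all; a one-line comment or a Buglink above it would tell the next reader why it is here. Minor: the two tests spell the same audiodev two ways (`-audiodev none,id=snd0` versus `-audiodev id=none,driver=none`); using one form keeps them easy to compare.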
diff --git a/MAINTAINERS b/MAINTAINERS
index 5f55404f2fa..7edb26d2293 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2213,6 +2213,7 @@ F: qapi/audio.json
 F: tests/qtest/ac97-test.c
 F: tests/qtest/es1370-test.c
 F: tests/qtest/intel-hda-test.c
+F: tests/qtest/fuzz-sb16-test.c
 
 Block layer core
 M: Kevin Wolf <kwolf@redhat.com>
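Review bot: the new `F: tests/qtest/fuzz-sb16-test.c` entry is appended after intel-hda-test.c, which breaks the alphabetical order of the surrounding F: lines; it belongs between es1370-test.c and intel-hda-test.c.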
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index c3a223a83d6..b03e8541700 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -20,6 +20,7 @@
 qtests_generic = \
   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
   (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
+  (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
   [
   'cdrom-test',
   'device-introspect-test',
-- 
2.26.3
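As an added illustration (not code from the patch or from QEMU), the following stand-alone program models the clamp this patch adds to dma_cmd8() and checks it against the two rate sources the commit message mentions: the time constant converted with the formula shown in the hunk, and a raw 16-bit rate value as written after the 41h/42h commands. The constants and the conversion are those in the hunk; the helper names and the checks around them are mine.

```c
/*
 * Added example, not part of the QEMU patch: a model of the sampling-rate
 * clamp dma_cmd8() gains in this patch, plus checks of the invariant the
 * fix relies on. Limits and conversion copied from the hunk; helper names
 * and the surrounding checks are the editor's.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_RATE_MIN 5000
#define SAMPLE_RATE_MAX 45000

/* Same conversion as the hunk: freq = 1000000 / (256 - time_const), rounded
 * to nearest. tmp ranges over 1..256, so there is no division by zero. */
static int freq_from_time_const(uint8_t time_const)
{
    int tmp = 256 - time_const;
    return (1000000 + (tmp / 2)) / tmp;
}

/*
 * The clamp from the hunk. Returns the rate the audio layer will see and
 * sets *logged when the guest value was out of spec (the patch logs a
 * LOG_GUEST_ERROR in that case; here it is only reported to the caller).
 */
static int clamp_rate(int freq, bool *logged)
{
    *logged = true;
    if (freq < SAMPLE_RATE_MIN) {
        return SAMPLE_RATE_MIN;
    }
    if (freq > SAMPLE_RATE_MAX) {
        return SAMPLE_RATE_MAX;
    }
    *logged = false;
    return freq;
}

/* How many of the 256 possible time constants already yield an in-spec rate. */
static int count_in_spec_time_consts(void)
{
    int n = 0;
    for (int tc = 0; tc < 256; tc++) {
        int f = freq_from_time_const((uint8_t)tc);
        if (f >= SAMPLE_RATE_MIN && f <= SAMPLE_RATE_MAX) {
            n++;
        }
    }
    return n;
}

/*
 * Invariant the fix relies on: for every 16-bit value a guest can supply
 * after 41h/42h, the clamped result lies inside [MIN, MAX] and the guest
 * error is reported exactly when the input was out of range.
 */
static bool clamp_is_total(void)
{
    for (int r = 0; r <= 0xffff; r++) {
        bool logged;
        int f = clamp_rate(r, &logged);
        bool out = r < SAMPLE_RATE_MIN || r > SAMPLE_RATE_MAX;
        if (f < SAMPLE_RATE_MIN || f > SAMPLE_RATE_MAX || logged != out) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed sample: both extremes of the time-constant path, the
     * first and last in-spec constants, and the common ~11 kHz value. */
    uint8_t samples[] = { 0x00, 0x38, 0xa5, 0xe9, 0xff };
    for (size_t i = 0; i < sizeof(samples); i++) {
        bool logged;
        int raw = freq_from_time_const(samples[i]);
        int fixed = clamp_rate(raw, &logged);
        printf("time_const 0x%02x -> %7d Hz -> %5d Hz%s\n", samples[i], raw,
               fixed, logged ? " (guest error)" : "");
    }
    printf("%d of 256 time constants are in spec\n",
           count_in_spec_time_consts());
    printf("clamp total over 16-bit rates: %s\n",
           clamp_is_total() ? "yes" : "no");
    return 0;
}
```

Only time constants 0x38 through 0xe9 land inside the guide's range; everything else, and any 16-bit rate below 5000 or above 45000, is what the clamp now catches before AUD_open_out() is reached.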




* [Bug 1910603] [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé
@ 2021-06-01 15:18   ` Philippe Mathieu-Daudé
  2021-06-14 11:13   ` Philippe Mathieu-Daudé
  1 sibling, 0 replies; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-01 15:18 UTC (permalink / raw)
  To: qemu-devel

While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
Hardware Programming Guide" limits the sampling range from 4000 Hz to
44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
3-2 and 3-3).

Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
42h registers (Set digitized sound output sampling rate):

  Valid sampling rates range from 5000 to 45000 Hz inclusive.

There is no comment regarding error handling if the register is filled
with an out-of-range value.  (See also section 3-28 "8-bit or 16-bit
Auto-initialize Transfer"). Assume limits are enforced in hardware.

This fixes triggering an assertion in audio_calloc():

  #1 abort
  #2 audio_bug audio/audio.c:119:9
  #3 audio_calloc audio/audio.c:154:9
  #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
  #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
  #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
  #7 AUD_open_out audio/audio_template.h:503:14
  #8 continue_dma8 hw/audio/sb16.c:216:20
  #9 dma_cmd8 hw/audio/sb16.c:276:5
  #10 command hw/audio/sb16.c:0
  #11 dsp_write hw/audio/sb16.c:949:13
  #12 portio_write softmmu/ioport.c:205:13
  #13 memory_region_write_accessor softmmu/memory.c:491:5
  #14 access_with_adjusted_size softmmu/memory.c:552:18
  #15 memory_region_dispatch_write softmmu/memory.c:0:13
  #16 flatview_write_continue softmmu/physmem.c:2759:23
  #17 flatview_write softmmu/physmem.c:2799:14
  #18 address_space_write softmmu/physmem.c:2891:18
  #19 cpu_outw softmmu/ioport.c:70:5

[*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html

Fixes: 85571bc7415 ("audio merge (malc)")
Buglink: https://bugs.launchpad.net/bugs/1910603
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/audio/sb16.c              | 14 ++++++++++
 tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++
 MAINTAINERS                  |  1 +
 tests/qtest/meson.build      |  1 +
 4 files changed, 68 insertions(+)
 create mode 100644 tests/qtest/fuzz-sb16-test.c

diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
index 8b207004102..5cf121fe363 100644
--- a/hw/audio/sb16.c
+++ b/hw/audio/sb16.c
@@ -115,6 +115,9 @@ struct SB16State {
     PortioList portio_list;
 };
 
+#define SAMPLE_RATE_MIN 5000
+#define SAMPLE_RATE_MAX 45000
+
 static void SB_audio_callback (void *opaque, int free);
 
 static int magic_of_irq (int irq)
@@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len)
         int tmp = (256 - s->time_const);
         s->freq = (1000000 + (tmp / 2)) / tmp;
     }
+    if (s->freq < SAMPLE_RATE_MIN) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sampling range too low: %d, increasing to %u\n",
+                      s->freq, SAMPLE_RATE_MIN);
+        s->freq = SAMPLE_RATE_MIN;
+    } else if (s->freq > SAMPLE_RATE_MAX) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sampling range too high: %d, decreasing to %u\n",
+                      s->freq, SAMPLE_RATE_MAX);
+        s->freq = SAMPLE_RATE_MAX;
+    }
 
     if (dma_len != -1) {
         s->block_size = dma_len << s->fmt_stereo;
diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c
new file mode 100644
index 00000000000..51030cd7dc4
--- /dev/null
+++ b/tests/qtest/fuzz-sb16-test.c
@@ -0,0 +1,52 @@
+/*
+ * QTest fuzzer-generated testcase for sb16 audio device
+ *
+ * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "libqos/libqtest.h"
+
+/*
+ * This used to trigger the assert in audio_calloc
+ * https://bugs.launchpad.net/qemu/+bug/1910603
+ */
+static void test_fuzz_sb16_0x1c(void)
+{
+    QTestState *s = qtest_init("-M q35 -display none "
+                               "-device sb16,audiodev=snd0 "
+                               "-audiodev none,id=snd0");
+    qtest_outw(s, 0x22c, 0x41);
+    qtest_outb(s, 0x22c, 0x00);
+    qtest_outw(s, 0x22c, 0x1004);
+    qtest_outw(s, 0x22c, 0x001c);
+    qtest_quit(s);
+}
+
+static void test_fuzz_sb16_0x91(void)
+{
+    QTestState *s = qtest_init("-M pc -display none "
+                               "-device sb16,audiodev=none "
+                               "-audiodev id=none,driver=none");
+    qtest_outw(s, 0x22c, 0xf141);
+    qtest_outb(s, 0x22c, 0x00);
+    qtest_outb(s, 0x22c, 0x24);
+    qtest_outb(s, 0x22c, 0x91);
+    qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+   if (strcmp(arch, "i386") == 0) {
+        qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c);
+        qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91);
+   }
+
+   return g_test_run();
+}
diff --git a/MAINTAINERS b/MAINTAINERS
index 5f55404f2fa..7edb26d2293 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2213,6 +2213,7 @@ F: qapi/audio.json
 F: tests/qtest/ac97-test.c
 F: tests/qtest/es1370-test.c
 F: tests/qtest/intel-hda-test.c
+F: tests/qtest/fuzz-sb16-test.c
 
 Block layer core
 M: Kevin Wolf <kwolf@redhat.com>
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index c3a223a83d6..b03e8541700 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -20,6 +20,7 @@
 qtests_generic = \
   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
   (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
+  (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
   [
   'cdrom-test',
   'device-introspect-test',
-- 
2.26.3




* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé
  2021-06-01 15:18   ` [Bug 1910603] " Philippe Mathieu-Daudé
@ 2021-06-14 11:13   ` Philippe Mathieu-Daudé
  2021-06-14 12:11     ` Qiang Liu
  1 sibling, 1 reply; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-14 11:13 UTC (permalink / raw)
  To: Alexander Bulekov; +Cc: Qiang Liu, qemu-devel, Gerd Hoffmann

ping?

On 6/1/21 5:18 PM, Philippe Mathieu-Daudé wrote:
> While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
> Hardware Programming Guide" limits the sampling range from 4000 Hz to
> 44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
> 3-2 and 3-3).
> 
> Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
> 42h registers (Set digitized sound output sampling rate):
> 
>   Valid sampling rates range from 5000 to 45000 Hz inclusive.
> 
> There is no comment regarding error handling if the register is filled
> with an out-of-range value.  (See also section 3-28 "8-bit or 16-bit
> Auto-initialize Transfer"). Assume limits are enforced in hardware.
> 
> This fixes triggering an assertion in audio_calloc():
> 
>   #1 abort
>   #2 audio_bug audio/audio.c:119:9
>   #3 audio_calloc audio/audio.c:154:9
>   #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
>   #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
>   #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
>   #7 AUD_open_out audio/audio_template.h:503:14
>   #8 continue_dma8 hw/audio/sb16.c:216:20
>   #9 dma_cmd8 hw/audio/sb16.c:276:5
>   #10 command hw/audio/sb16.c:0
>   #11 dsp_write hw/audio/sb16.c:949:13
>   #12 portio_write softmmu/ioport.c:205:13
>   #13 memory_region_write_accessor softmmu/memory.c:491:5
>   #14 access_with_adjusted_size softmmu/memory.c:552:18
>   #15 memory_region_dispatch_write softmmu/memory.c:0:13
>   #16 flatview_write_continue softmmu/physmem.c:2759:23
>   #17 flatview_write softmmu/physmem.c:2799:14
>   #18 address_space_write softmmu/physmem.c:2891:18
>   #19 cpu_outw softmmu/ioport.c:70:5
> 
> [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html
> 
> Fixes: 85571bc7415 ("audio merge (malc)")
> Buglink: https://bugs.launchpad.net/bugs/1910603
> OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/audio/sb16.c              | 14 ++++++++++
>  tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++
>  MAINTAINERS                  |  1 +
>  tests/qtest/meson.build      |  1 +
>  4 files changed, 68 insertions(+)
>  create mode 100644 tests/qtest/fuzz-sb16-test.c
> 
> diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
> index 8b207004102..5cf121fe363 100644
> --- a/hw/audio/sb16.c
> +++ b/hw/audio/sb16.c
> @@ -115,6 +115,9 @@ struct SB16State {
>      PortioList portio_list;
>  };
>  
> +#define SAMPLE_RATE_MIN 5000
> +#define SAMPLE_RATE_MAX 45000
> +
>  static void SB_audio_callback (void *opaque, int free);
>  
>  static int magic_of_irq (int irq)
> @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len)
>          int tmp = (256 - s->time_const);
>          s->freq = (1000000 + (tmp / 2)) / tmp;
>      }
> +    if (s->freq < SAMPLE_RATE_MIN) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "sampling range too low: %d, increasing to %u\n",
> +                      s->freq, SAMPLE_RATE_MIN);
> +        s->freq = SAMPLE_RATE_MIN;
> +    } else if (s->freq > SAMPLE_RATE_MAX) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "sampling range too high: %d, decreasing to %u\n",
> +                      s->freq, SAMPLE_RATE_MAX);
> +        s->freq = SAMPLE_RATE_MAX;
> +    }
>  
>      if (dma_len != -1) {
>          s->block_size = dma_len << s->fmt_stereo;
> diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c
> new file mode 100644
> index 00000000000..51030cd7dc4
> --- /dev/null
> +++ b/tests/qtest/fuzz-sb16-test.c
> @@ -0,0 +1,52 @@
> +/*
> + * QTest fuzzer-generated testcase for sb16 audio device
> + *
> + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#include "qemu/osdep.h"
> +#include "libqos/libqtest.h"
> +
> +/*
> + * This used to trigger the assert in audio_calloc
> + * https://bugs.launchpad.net/qemu/+bug/1910603
> + */
> +static void test_fuzz_sb16_0x1c(void)
> +{
> +    QTestState *s = qtest_init("-M q35 -display none "
> +                               "-device sb16,audiodev=snd0 "
> +                               "-audiodev none,id=snd0");
> +    qtest_outw(s, 0x22c, 0x41);
> +    qtest_outb(s, 0x22c, 0x00);
> +    qtest_outw(s, 0x22c, 0x1004);
> +    qtest_outw(s, 0x22c, 0x001c);
> +    qtest_quit(s);
> +}
> +
> +static void test_fuzz_sb16_0x91(void)
> +{
> +    QTestState *s = qtest_init("-M pc -display none "
> +                               "-device sb16,audiodev=none "
> +                               "-audiodev id=none,driver=none");
> +    qtest_outw(s, 0x22c, 0xf141);
> +    qtest_outb(s, 0x22c, 0x00);
> +    qtest_outb(s, 0x22c, 0x24);
> +    qtest_outb(s, 0x22c, 0x91);
> +    qtest_quit(s);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +    const char *arch = qtest_get_arch();
> +
> +    g_test_init(&argc, &argv, NULL);
> +
> +   if (strcmp(arch, "i386") == 0) {
> +        qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c);
> +        qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91);
> +   }
> +
> +   return g_test_run();
> +}
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 5f55404f2fa..7edb26d2293 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -2213,6 +2213,7 @@ F: qapi/audio.json
>  F: tests/qtest/ac97-test.c
>  F: tests/qtest/es1370-test.c
>  F: tests/qtest/intel-hda-test.c
> +F: tests/qtest/fuzz-sb16-test.c
>  
>  Block layer core
>  M: Kevin Wolf <kwolf@redhat.com>
> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> index c3a223a83d6..b03e8541700 100644
> --- a/tests/qtest/meson.build
> +++ b/tests/qtest/meson.build
> @@ -20,6 +20,7 @@
>  qtests_generic = \
>    (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
>    (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
> +  (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
>    [
>    'cdrom-test',
>    'device-introspect-test',
> 



* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-14 11:13   ` Philippe Mathieu-Daudé
@ 2021-06-14 12:11     ` Qiang Liu
  2021-06-14 15:06       ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 14+ messages in thread
From: Qiang Liu @ 2021-06-14 12:11 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé; +Cc: Alexander Bulekov, qemu-devel, Gerd Hoffmann

Hi Phil,

Thanks for inviting me. I've applied your patch. It seems fine
because my sb16 fuzzer is running for another 24 hours and
it has no crash yet. I can also double-check the specification.

Best,
Qiang

On Mon, Jun 14, 2021 at 7:13 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> ping?
>
> On 6/1/21 5:18 PM, Philippe Mathieu-Daudé wrote:
> > While the SB16 seems to work up to 48000 Hz, the "Sound Blaster Series
> > Hardware Programming Guide" limits the sampling range from 4000 Hz to
> > 44100 Hz (Section 3-9, 3-10: Digitized Sound I/O Programming, tables
> > 3-2 and 3-3).
> >
> > Later, section 6-15 (DSP Commands) is more specific regarding the 41h /
> > 42h registers (Set digitized sound output sampling rate):
> >
> >   Valid sampling rates range from 5000 to 45000 Hz inclusive.
> >
> > There is no comment regarding error handling if the register is filled
> > with an out-of-range value.  (See also section 3-28 "8-bit or 16-bit
> > Auto-initialize Transfer"). Assume limits are enforced in hardware.
> >
> > This fixes triggering an assertion in audio_calloc():
> >
> >   #1 abort
> >   #2 audio_bug audio/audio.c:119:9
> >   #3 audio_calloc audio/audio.c:154:9
> >   #4 audio_pcm_sw_alloc_resources_out audio/audio_template.h:116:15
> >   #5 audio_pcm_sw_init_out audio/audio_template.h:175:11
> >   #6 audio_pcm_create_voice_pair_out audio/audio_template.h:410:9
> >   #7 AUD_open_out audio/audio_template.h:503:14
> >   #8 continue_dma8 hw/audio/sb16.c:216:20
> >   #9 dma_cmd8 hw/audio/sb16.c:276:5
> >   #10 command hw/audio/sb16.c:0
> >   #11 dsp_write hw/audio/sb16.c:949:13
> >   #12 portio_write softmmu/ioport.c:205:13
> >   #13 memory_region_write_accessor softmmu/memory.c:491:5
> >   #14 access_with_adjusted_size softmmu/memory.c:552:18
> >   #15 memory_region_dispatch_write softmmu/memory.c:0:13
> >   #16 flatview_write_continue softmmu/physmem.c:2759:23
> >   #17 flatview_write softmmu/physmem.c:2799:14
> >   #18 address_space_write softmmu/physmem.c:2891:18
> >   #19 cpu_outw softmmu/ioport.c:70:5
> >
> > [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html
> >
> > Fixes: 85571bc7415 ("audio merge (malc)")
> > Buglink: https://bugs.launchpad.net/bugs/1910603
> > OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29174
> > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> > ---
> >  hw/audio/sb16.c              | 14 ++++++++++
> >  tests/qtest/fuzz-sb16-test.c | 52 ++++++++++++++++++++++++++++++++++++
> >  MAINTAINERS                  |  1 +
> >  tests/qtest/meson.build      |  1 +
> >  4 files changed, 68 insertions(+)
> >  create mode 100644 tests/qtest/fuzz-sb16-test.c
> >
> > diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
> > index 8b207004102..5cf121fe363 100644
> > --- a/hw/audio/sb16.c
> > +++ b/hw/audio/sb16.c
> > @@ -115,6 +115,9 @@ struct SB16State {
> >      PortioList portio_list;
> >  };
> >
> > +#define SAMPLE_RATE_MIN 5000
> > +#define SAMPLE_RATE_MAX 45000
> > +
> >  static void SB_audio_callback (void *opaque, int free);
> >
> >  static int magic_of_irq (int irq)
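Review bot: the two new macros give no hint where 5000 and 45000 come from, and the commit message itself cites two different ranges from the same guide (4000 to 44100 Hz in tables 3-2/3-3, 5000 to 45000 Hz in section 6-15 for commands 41h/42h); add a one-line comment above `#define SAMPLE_RATE_MIN 5000` naming section 6-15 as the source so a later reader knows which range is meant to be authoritative.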
> > @@ -241,6 +244,17 @@ static void dma_cmd8 (SB16State *s, int mask, int dma_len)
> >          int tmp = (256 - s->time_const);
> >          s->freq = (1000000 + (tmp / 2)) / tmp;
> >      }
> > +    if (s->freq < SAMPLE_RATE_MIN) {
> > +        qemu_log_mask(LOG_GUEST_ERROR,
> > +                      "sampling range too low: %d, increasing to %u\n",
> > +                      s->freq, SAMPLE_RATE_MIN);
> > +        s->freq = SAMPLE_RATE_MIN;
> > +    } else if (s->freq > SAMPLE_RATE_MAX) {
> > +        qemu_log_mask(LOG_GUEST_ERROR,
> > +                      "sampling range too high: %d, decreasing to %u\n",
> > +                      s->freq, SAMPLE_RATE_MAX);
> > +        s->freq = SAMPLE_RATE_MAX;
> > +    }
> >
> >      if (dma_len != -1) {
> >          s->block_size = dma_len << s->fmt_stereo;
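Review bot: the two qemu_log_mask() calls print SAMPLE_RATE_MIN and SAMPLE_RATE_MAX with `%u`, but both macros expand to plain int literals, so `-Wformat` will report a signed/unsigned mismatch; use `%d` for both arguments, e.g. `"sampling rate too low: %d, increasing to %d\n"`, which also corrects the wording (the rate, not the range, is out of bounds). The clamp sits only in dma_cmd8() after `s->freq` has been derived from the time constant; if the 16-bit DMA path consumes `s->freq` the same way, it needs the same check, or the clamp should move to the point where the 41h/42h rate is stored.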
> > diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c
> > new file mode 100644
> > index 00000000000..51030cd7dc4
> > --- /dev/null
> > +++ b/tests/qtest/fuzz-sb16-test.c
> > @@ -0,0 +1,52 @@
> > +/*
> > + * QTest fuzzer-generated testcase for sb16 audio device
> > + *
> > + * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
> > + *
> > + * SPDX-License-Identifier: GPL-2.0-or-later
> > + */
> > +
> > +#include "qemu/osdep.h"
> > +#include "libqos/libqtest.h"
> > +
> > +/*
> > + * This used to trigger the assert in audio_calloc
> > + * https://bugs.launchpad.net/qemu/+bug/1910603
> > + */
> > +static void test_fuzz_sb16_0x1c(void)
> > +{
> > +    QTestState *s = qtest_init("-M q35 -display none "
> > +                               "-device sb16,audiodev=snd0 "
> > +                               "-audiodev none,id=snd0");
> > +    qtest_outw(s, 0x22c, 0x41);
> > +    qtest_outb(s, 0x22c, 0x00);
> > +    qtest_outw(s, 0x22c, 0x1004);
> > +    qtest_outw(s, 0x22c, 0x001c);
> > +    qtest_quit(s);
> > +}
> > +
> > +static void test_fuzz_sb16_0x91(void)
> > +{
> > +    QTestState *s = qtest_init("-M pc -display none "
> > +                               "-device sb16,audiodev=none "
> > +                               "-audiodev id=none,driver=none");
> > +    qtest_outw(s, 0x22c, 0xf141);
> > +    qtest_outb(s, 0x22c, 0x00);
> > +    qtest_outb(s, 0x22c, 0x24);
> > +    qtest_outb(s, 0x22c, 0x91);
> > +    qtest_quit(s);
> > +}
> > +
> > +int main(int argc, char **argv)
> > +{
> > +    const char *arch = qtest_get_arch();
> > +
> > +    g_test_init(&argc, &argv, NULL);
> > +
> > +   if (strcmp(arch, "i386") == 0) {
> > +        qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c);
> > +        qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91);
> > +   }
> > +
> > +   return g_test_run();
> > +}
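Review bot: in main() the `if (strcmp(arch, "i386") == 0) {` line, its closing brace and `return g_test_run();` are indented three spaces while the rest of the file uses four; re-indent them. test_fuzz_sb16_0x91 also lacks the comment that test_fuzz_sb16_0x1c has saying which report it reproduces; add the bug or OSS-Fuzz reference so the second I/O sequence is not an unexplained magic input.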
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 5f55404f2fa..7edb26d2293 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -2213,6 +2213,7 @@ F: qapi/audio.json
> >  F: tests/qtest/ac97-test.c
> >  F: tests/qtest/es1370-test.c
> >  F: tests/qtest/intel-hda-test.c
> > +F: tests/qtest/fuzz-sb16-test.c
> >
> >  Block layer core
> >  M: Kevin Wolf <kwolf@redhat.com>
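Review bot: the new MAINTAINERS entry is appended after intel-hda-test.c, breaking the alphabetical order of the F: lines in that section; put `F: tests/qtest/fuzz-sb16-test.c` between es1370-test.c and intel-hda-test.c.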
> > diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> > index c3a223a83d6..b03e8541700 100644
> > --- a/tests/qtest/meson.build
> > +++ b/tests/qtest/meson.build
> > @@ -20,6 +20,7 @@
> >  qtests_generic = \
> >    (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
> >    (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
> > +  (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
> >    [
> >    'cdrom-test',
> >    'device-introspect-test',
> >
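Review bot: fuzz-sb16-test is added to qtests_generic, yet main() only registers its two cases when qtest_get_arch() returns "i386", so on every other target the binary is built and run as an empty test; this mirrors the neighbouring fuzz-megasas-test and fuzz-virtio-scsi-test entries, so it is acceptable, but an i386-specific test list would avoid the no-op runs. The CONFIG_SB16 gate itself is right, since the test cannot start without `-device sb16`.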

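The time-constant formula and the clamp from the patch quoted above, modelled stand-alone as an added example (not QEMU's code and not the patch author's) so a reviewer can see which of the 256 guest time constants the new bounds actually alter; the formula and the two limits are the patch's, the function names and the scan are this example's own.

```c
/*
 * Added example (not QEMU's code and not part of the patch): a stand-alone
 * model of how the emulated SB16 derives its output rate from the 8-bit
 * time constant and of the 5000..45000 Hz clamp the patch introduces.
 * The formula and the two limits are copied from the patch; the function
 * names and the scan over all time constants are this example's own.
 */
#include <stdbool.h>
#include <stdio.h>

#define SAMPLE_RATE_MIN 5000
#define SAMPLE_RATE_MAX 45000

/*
 * Rate derived from a time constant (the computation shown in the
 * dma_cmd8() hunk). time_const is a guest byte, so tmp is 1..256 and the
 * division can never be by zero.
 */
static int sb16_freq_from_time_const(unsigned time_const)
{
    int tmp = 256 - (int)(time_const & 0xff);
    return (1000000 + (tmp / 2)) / tmp;
}

/*
 * The clamp from the patch as a pure function: returns the rate the
 * device will use and reports whether the guest value was changed.
 */
static int sb16_clamp_freq(int freq, bool *clamped)
{
    *clamped = true;
    if (freq < SAMPLE_RATE_MIN) {
        return SAMPLE_RATE_MIN;
    }
    if (freq > SAMPLE_RATE_MAX) {
        return SAMPLE_RATE_MAX;
    }
    *clamped = false;
    return freq;
}

/*
 * Scan every possible time constant and return how many yield an in-range
 * rate, writing the first and last such value to *lo and *hi. Because the
 * derived rate grows with time_const, the in-range values form one run.
 */
static int sb16_count_in_range_time_consts(unsigned *lo, unsigned *hi)
{
    int count = 0;
    bool clamped;

    *lo = 256;   /* sentinel: no in-range value seen yet */
    *hi = 0;
    for (unsigned tc = 0; tc < 256; tc++) {
        sb16_clamp_freq(sb16_freq_from_time_const(tc), &clamped);
        if (!clamped) {
            if (count == 0) {
                *lo = tc;
            }
            *hi = tc;
            count++;
        }
    }
    return count;
}

int main(void)
{
    unsigned lo, hi;
    bool clamped;
    int n = sb16_count_in_range_time_consts(&lo, &hi);

    printf("time constants 0x%02x..0x%02x (%d of 256) stay within %d..%d Hz\n",
           lo, hi, n, SAMPLE_RATE_MIN, SAMPLE_RATE_MAX);
    printf("time constant 0x00 -> %d Hz -> %d Hz after clamp\n",
           sb16_freq_from_time_const(0),
           sb16_clamp_freq(sb16_freq_from_time_const(0), &clamped));
    /* A zero rate written through 41h/42h is raised to the minimum. */
    printf("rate 0 from 41h/42h -> %d Hz after clamp\n",
           sb16_clamp_freq(0, &clamped));
    return 0;
}
```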


* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-14 12:11     ` Qiang Liu
@ 2021-06-14 15:06       ` Philippe Mathieu-Daudé
  2021-06-15 13:43         ` Qiang Liu
  0 siblings, 1 reply; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-14 15:06 UTC (permalink / raw)
  To: Qiang Liu; +Cc: Alexander Bulekov, qemu-devel, Gerd Hoffmann

On 6/14/21 2:11 PM, Qiang Liu wrote:
> Hi Phil,
> 
> Thanks for inviting me. I've applied your patch. It seems fine
> because my sb16 fuzzer is running for another 24 hours and
> it has no crash yet.

Thanks for testing!

Can we use your "Tested-by: Qiang Liu <cyruscyliu@gmail.com>" tag?

> I can also double-check the specification.

If you do, please send a "Reviewed-by: Qiang Liu <cyruscyliu@gmail.com>"
tag :)


* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-14 15:06       ` Philippe Mathieu-Daudé
@ 2021-06-15 13:43         ` Qiang Liu
  2021-06-16  9:16           ` Gerd Hoffmann
  0 siblings, 1 reply; 14+ messages in thread
From: Qiang Liu @ 2021-06-15 13:43 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé; +Cc: Alexander Bulekov, qemu-devel, Gerd Hoffmann

On Mon, Jun 14, 2021 at 11:06 PM Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>
> On 6/14/21 2:11 PM, Qiang Liu wrote:
> > Hi Phil,
> >
> > Thanks for inviting me. I've applied your patch. It seems fine
> > because my sb16 fuzzer is running for another 24 hours and
> > it has no crash yet.
>
> Thanks for testing!
>
> Can we use your "Tested-by: Qiang Liu <cyruscyliu@gmail.com>" tag?
Yes. My sb16 fuzzer has no crash yet after 24h, so I think the patch is good.

> > I can also double-check the specification.
>
> If you do, please send a "Reviewed-by: Qiang Liu <cyruscyliu@gmail.com>"
> tag :)
Yes, I did. I agree to follow the specific frequency limit regarding
the 41h/42h registers.
> >>>   Valid sampling rates range from 5000 to 45000 Hz inclusive.

Should I send this patch with tag V2?


* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-15 13:43         ` Qiang Liu
@ 2021-06-16  9:16           ` Gerd Hoffmann
  2021-06-16 10:41             ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 14+ messages in thread
From: Gerd Hoffmann @ 2021-06-16  9:16 UTC (permalink / raw)
  To: Qiang Liu; +Cc: Alexander Bulekov, Philippe Mathieu-Daudé, qemu-devel

  Hi,

> Should I send this patch with tag V2?

Yes, please.

thanks,
  Gerd




* Re: [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range
  2021-06-16  9:16           ` Gerd Hoffmann
@ 2021-06-16 10:41             ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-06-16 10:41 UTC (permalink / raw)
  To: Gerd Hoffmann, Qiang Liu; +Cc: Alexander Bulekov, qemu-devel

On 6/16/21 11:16 AM, Gerd Hoffmann wrote:
>   Hi,
> 
>> Should I send this patch with tag V2?
> 
> Yes, please.

I don't understand why. Shouldn't it be enough if
Qiang Liu replies with
"Tested-by: Qiang Liu <cyruscyliu@gmail.com>"
?



* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
  2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
                   ` (2 preceding siblings ...)
  2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé
@ 2021-06-19 19:45 ` Alexander Bulekov
  2021-06-20 17:22 ` Thomas Huth
  2021-08-25  7:12 ` Thomas Huth
  5 siblings, 0 replies; 14+ messages in thread
From: Alexander Bulekov @ 2021-06-19 19:45 UTC (permalink / raw)
  To: qemu-devel

OSS-Fuzz confirms this is fixed: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30574#c4

** Changed in: qemu
       Status: Confirmed => Fix Committed


* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
  2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
                   ` (3 preceding siblings ...)
  2021-06-19 19:45 ` [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
@ 2021-06-20 17:22 ` Thomas Huth
  2021-08-25  7:12 ` Thomas Huth
  5 siblings, 0 replies; 14+ messages in thread
From: Thomas Huth @ 2021-06-20 17:22 UTC (permalink / raw)
  To: qemu-devel

Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/a2cd86a94a881b38a7d8bb67c619


* [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug
  2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
                   ` (4 preceding siblings ...)
  2021-06-20 17:22 ` Thomas Huth
@ 2021-08-25  7:12 ` Thomas Huth
  5 siblings, 0 replies; 14+ messages in thread
From: Thomas Huth @ 2021-08-25  7:12 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released


Thread overview: 14+ messages
2021-01-07 22:25 [Bug 1910603] [NEW] [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
2021-01-15 16:09 ` [Bug 1910603] " Peter Maydell
2021-05-26 15:31 ` Thomas Huth
2021-06-01 15:18 ` [PATCH] hw/audio/sb16: Avoid assertion by restricting I/O sampling rate range Philippe Mathieu-Daudé
2021-06-01 15:18   ` [Bug 1910603] " Philippe Mathieu-Daudé
2021-06-14 11:13   ` Philippe Mathieu-Daudé
2021-06-14 12:11     ` Qiang Liu
2021-06-14 15:06       ` Philippe Mathieu-Daudé
2021-06-15 13:43         ` Qiang Liu
2021-06-16  9:16           ` Gerd Hoffmann
2021-06-16 10:41             ` Philippe Mathieu-Daudé
2021-06-19 19:45 ` [Bug 1910603] Re: [OSS-Fuzz] Issue 29174 sb16: Abrt in audio_bug Alexander Bulekov
2021-06-20 17:22 ` Thomas Huth
2021-08-25  7:12 ` Thomas Huth
