VirtualBox

Ticket #21474: intel-hda-00.backtrace

File intel-hda-00.backtrace, 6.0 KB (added by cyruscyliu, 20 months ago)

backtrace

INFO: Reading pre_seed_input if any ...
INFO: Executing pre_seed_input if any ...
Matching objects by name , *HDA*
This process will fuzz the following MemoryRegions:
  * hda (size 4000)
This process will fuzz through the following interfaces:
  * clock_step, EVENT_TYPE_CLOCK_STEP, 0xffffffff +0xffffffff, 255,255
  * HDA, EVENT_TYPE_MMIO_READ, 0xf0404000 +0x4000, 1,4
  * HDA, EVENT_TYPE_MMIO_WRITE, 0xf0404000 +0x4000, 1,4
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 1 ft: 2 corp: 1/1b exec/s: 0 rss: 214Mb
Running: /root/bugs/metadata/intel-hda-00/crash-ef8f9faf1e8280b1320cfaf82fff92f30167a190.minimized
/root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:3410:26: runtime error: shift exponent 65552 is too large for 64-bit type 'uint64_t' (aka 'unsigned long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:3410:26 in
/root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:3411:59: runtime error: index 8194 out of bounds for type 'const uint32_t [5]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:3411:59 in
=================================================================
==384==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0807d578c8 at pc 0x7f080714a97e bp 0x7fff74406e90 sp 0x7fff74406e88
READ of size 4 at 0x7f0807d578c8 thread T0
    #0 0x7f080714a97d in hdaMmioWrite(PDMDEVINSR3*, void*, unsigned long, void const*, unsigned int) /root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:3411:59
    #1 0x7f08159d8fc8 in iomMmioDoWrite(VM*, VMCPU*, IOMMMIOENTRYR3*, unsigned long, unsigned long, void const*, unsigned int, IOMMMIOSTATSENTRY*) /root/videzzo/videzzo_vbox/vbox/src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp:348:24
    #2 0x7f08159d9949 in iomMmioHandlerNew /root/videzzo/videzzo_vbox/vbox/src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp:939:24
    #3 0x7f0815a56c7d in pgmPhysWriteHandler(VM*, PGMPAGE*, unsigned long, void const*, unsigned long, PGMACCESSORIGIN) /root/videzzo/videzzo_vbox/vbox/src/VBox/VMM/VMMAll/PGMAllPhys.cpp:2746:28
    #4 0x7f0815a5621f in PGMPhysWrite /root/videzzo/videzzo_vbox/vbox/src/VBox/VMM/VMMAll/PGMAllPhys.cpp:3027:46
    #5 0x570386 in vbox_writeb(unsigned long, unsigned char) /root/videzzo/videzzo_vbox/vbox/src/VBox/Frontends/VBoxManage/VBoxViDeZZo.cpp:495:5
    #6 0x57023c in dispatch_mmio_write /root/videzzo/videzzo_vbox/vbox/src/VBox/Frontends/VBoxManage/VBoxViDeZZo.cpp:588:28
    #7 0x81c10f in videzzo_dispatch_event /root/videzzo/videzzo.c:1140:5
    #8 0x81348d in __videzzo_execute_one_input /root/videzzo/videzzo.c:288:9
    #9 0x813234 in videzzo_execute_one_input /root/videzzo/videzzo.c:329:9
    #10 0x571902 in videzzo_vbox(unsigned char*, unsigned long) /root/videzzo/videzzo_vbox/vbox/src/VBox/Frontends/VBoxManage/VBoxViDeZZo.cpp:694:12
    #11 0x820f5b in LLVMFuzzerTestOneInput /root/videzzo/videzzo.c:1910:18
    #12 0x467246 in fuzzer::Fuzzer::ExecuteCallback(unsigned char*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:594:17
    #13 0x449e74 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:21
    #14 0x454e1e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:885:19
    #15 0x440ed6 in main /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
    #16 0x7f0813d7f082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x44145d in _start (/root/videzzo/videzzo_vbox/out-san/vbox-videzzo-i386-target-videzzo-fuzz-hda+0x44145d)

0x7f0807d578c8 is located 24 bytes to the left of global variable '<string literal>' defined in '/root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:471:5' (0x7f0807d578e0) of size 12
  '<string literal>' is ascii string 'SD2: Status'
0x7f0807d578c8 is located 33 bytes to the right of global variable '<string literal>' defined in '/root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:471:5' (0x7f0807d578a0) of size 7
  '<string literal>' is ascii string 'SD2STS'
SUMMARY: AddressSanitizer: global-buffer-overflow /root/videzzo/videzzo_vbox/vbox/src/VBox/Devices/Audio/DevHda.cpp:3411:59 in hdaMmioWrite(PDMDEVINSR3*, void*, unsigned long, void const*, unsigned int)
Shadow bytes around the buggy address:
  0x0fe180fa2ec0: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0fe180fa2ed0: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0fe180fa2ee0: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9
  0x0fe180fa2ef0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 07 f9
  0x0fe180fa2f00: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 07
=>0x0fe180fa2f10: f9 f9 f9 f9 07 f9 f9 f9 f9[f9]f9 f9 00 04 f9 f9
  0x0fe180fa2f20: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 05
  0x0fe180fa2f30: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 02
  0x0fe180fa2f40: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 06 f9
  0x0fe180fa2f50: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 04 f9
  0x0fe180fa2f60: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 07 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==384==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x1,0x9,0x46,0x61,0x40,0xf0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0xc2,0x62,0xd0,0x5b,0x0,0x0,0x0,0x0,
\x01\x09Fa@\xf0\x00\x00\x00\x00\x01\x00\x00\x00\xc2b\xd0[\x00\x00\x00\x00
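Reading the report: a single guest MMIO write, delivered through PGMPhysWrite -> iomMmioDoWrite -> hdaMmioWrite, produces two UBSan findings on consecutive lines (a shift count of 65552 applied to a uint64_t at DevHda.cpp:3410, then index 8194 into a 'const uint32_t [5]' at 3411) and the 4-byte read at 3411 lands in the ASan global redzone between two string literals. Both quantities are derived from the guest-chosen access, so the pattern to look for in the handler is an offset-to-index or offset-to-shift computation that is used before it is range-checked. The following model is an added illustration, not VirtualBox or ViDeZZo code: it shows what those checks look like in a write handler for a device with a five-entry per-stream table and 64-bit stream registers. The region base and size (0xf0404000 +0x4000) are taken from the fuzzer's interface listing; the register layout, stride, write masks, function names and all constructed accesses are assumptions, and the exact arithmetic that produced 65552 and 8194 in DevHda.cpp is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical device model, NOT VirtualBox or ViDeZZo code.  Every quantity
 * derived from the guest-supplied MMIO address is validated before it is
 * used as a table index or as a shift count.  MMIO_BASE/MMIO_SIZE follow the
 * fuzzer's interface listing; all other constants and names are assumed. */

#define MMIO_BASE      0xf0404000ull
#define MMIO_SIZE      0x4000ull
#define NUM_STREAMS    5u   /* assumed: same shape as 'const uint32_t [5]' in the report */
#define STREAM_STRIDE  8u   /* assumed: one 64-bit register per stream */

/* assumed per-stream write masks: only bits set here may be changed by the guest */
static const uint32_t g_sd_wmask[NUM_STREAMS] = {
    0x0000001cu, 0x0000001cu, 0x0000001cu, 0x0000001cu, 0x0000001cu
};
/* assumed register file, one 64-bit word per stream */
static uint64_t g_sd_reg[NUM_STREAMS];

enum mmio_rc {
    MMIO_OK = 0,
    MMIO_OUT_OF_REGION,   /* gpa not inside [MMIO_BASE, MMIO_BASE + MMIO_SIZE) */
    MMIO_BAD_SIZE,        /* access width the device does not support */
    MMIO_BAD_INDEX,       /* stream index would run past the 5-entry tables */
    MMIO_BAD_SHIFT        /* access would need bits at or beyond bit 64 */
};

/* Range-checked MMIO write handler. */
enum mmio_rc mmio_write_checked(uint64_t gpa, unsigned cb, uint64_t val)
{
    /* 1. region check, ordered so the subtraction cannot wrap */
    if (gpa < MMIO_BASE || gpa - MMIO_BASE >= MMIO_SIZE)
        return MMIO_OUT_OF_REGION;
    uint64_t off = gpa - MMIO_BASE;

    /* 2. width check */
    if (cb != 1 && cb != 2 && cb != 4 && cb != 8)
        return MMIO_BAD_SIZE;

    /* 3. index check: the region (0x4000 bytes) is far larger than the
     *    register file, so "inside the region" does not imply a valid index */
    uint64_t idx = off / STREAM_STRIDE;
    if (idx >= NUM_STREAMS)
        return MMIO_BAD_INDEX;

    /* 4. shift check: the access must stay inside the 64-bit register; a
     *    handler that shifts by a count computed from the raw offset otherwise
     *    ends up with a count >= 64, which is undefined behaviour */
    uint64_t lane = off % STREAM_STRIDE;
    if (lane + cb > STREAM_STRIDE)
        return MMIO_BAD_SHIFT;
    unsigned shift = (unsigned)(lane * 8);   /* now provably in 0..56 */

    uint64_t vmask = (cb == 8) ? UINT64_MAX : ((1ull << (cb * 8)) - 1);
    uint64_t wmask = (uint64_t)g_sd_wmask[idx] << shift;   /* writable bits only */
    uint64_t v = (val & vmask) << shift;
    g_sd_reg[idx] = (g_sd_reg[idx] & ~wmask) | (v & wmask);
    return MMIO_OK;
}

/* Read back a stream register (0 for an invalid index) to inspect the effect of a write. */
uint64_t mmio_stream_reg(unsigned idx)
{
    return idx < NUM_STREAMS ? g_sd_reg[idx] : 0;
}

int main(void)
{
    /* constructed accesses: one the checks accept and four they reject */
    static const struct { uint64_t gpa; unsigned cb; uint64_t val; } acc[] = {
        { MMIO_BASE + 0x08, 4, 0xffffffffull },  /* stream 1, lane 0: accepted */
        { MMIO_BASE + 0x28, 1, 0x01 },           /* stream 5: past the 5-entry tables */
        { MMIO_BASE + 0x06, 4, 0x01 },           /* straddles the register: bad shift */
        { MMIO_BASE - 0x01, 1, 0x01 },           /* below the region */
        { MMIO_BASE + 0x04, 3, 0x01 },           /* unsupported width */
    };
    for (unsigned i = 0; i < sizeof acc / sizeof acc[0]; i++) {
        enum mmio_rc rc = mmio_write_checked(acc[i].gpa, acc[i].cb, acc[i].val);
        printf("write gpa=0x%llx cb=%u -> rc=%d\n",
               (unsigned long long)acc[i].gpa, acc[i].cb, (int)rc);
    }
    printf("stream 1 register = 0x%llx\n", (unsigned long long)mmio_stream_reg(1));
    return 0;
}
```

The ordering matters: the region check alone (what the IOM layer already guarantees before calling the device handler) does not bound the index or the shift, which is why the in-region reproducer above still reaches both UBSan sites; the index and shift checks must live in the device handler itself, before the table lookup and the shift.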
