/*
 * QTest fuzzer-generated testcase for sdcard device
 *
 * Copyright (c) 2021 Philippe Mathieu-Daudé <f4bug@amsat.org>
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */

#include "qemu/osdep.h"
#include "libqos/libqtest.h"

/* One guest MMIO byte store replayed from the fuzzer trace. */
typedef struct {
    uint64_t addr;
    uint8_t val;
} MmioByteWrite;

/*
 * Reproducer for https://gitlab.com/qemu-project/qemu/-/issues/450
 *
 * Replays the OSS-Fuzz 29225 input against an sdhci-pci controller with an
 * sd-card attached to a null-co:// backing drive.  The sequence used to trip
 *     Assertion `wpnum < sd->wpgrps_size' failed.
 * in the SD card model.  There is nothing to assert on the guest side: the
 * test passes as long as QEMU survives the replay, the abort itself was the
 * bug.
 *
 * The trace is replayed verbatim.  The first part goes through the legacy
 * PCI configuration ports 0xcf8/0xcfc; 0x80001010 selects bus 0, device 2,
 * function 0, offset 0x10 (BAR0), and the later byte stores presumably land
 * in the MMIO window those BAR writes programmed (the 0xff0d06xx addresses
 * match the bytes written at offsets 0x10 and 0x13).  Do not "tidy" the
 * values: each one is part of the path that reached the assertion.
 */
static void oss_fuzz_29225(void)
{
    static const MmioByteWrite trace[] = {
        { 0xff0d062c, 0xff },
        { 0xff0d060f, 0xb7 },
        { 0xff0d060a, 0xc9 },
        { 0xff0d060f, 0x29 },
        { 0xff0d060f, 0xc2 },
        { 0xff0d0628, 0xf7 },
        { 0x0,        0xe3 },
        { 0x7,        0x13 },
        { 0x8,        0xe3 },
        { 0xf,        0xe3 },
        { 0xff0d060f, 0x03 },
        { 0xff0d0605, 0x01 },
        { 0xff0d060b, 0xff },
        { 0xff0d060c, 0xff },
        { 0xff0d060e, 0xff },
        { 0xff0d060f, 0x06 },
        { 0xff0d060f, 0x9e },
    };
    QTestState *qts;
    size_t i;

    qts = qtest_init(" -display none -m 512m -nodefaults -nographic"
                     " -device sdhci-pci,sd-spec-version=3"
                     " -device sd-card,drive=d0"
                     " -drive if=none,index=0,file=null-co://,format=raw,id=d0");

    /*
     * PCI config space accesses, exactly as the fuzzer issued them: the
     * address register is written at 0xcf8 and the data at 0xcfc.
     */
    qtest_outl(qts, 0xcf8, 0x80001010);
    qtest_outl(qts, 0xcfc, 0xd0690);
    qtest_outl(qts, 0xcf8, 0x80001003);
    qtest_outl(qts, 0xcf8, 0x80001013);
    qtest_outl(qts, 0xcfc, 0xffffffff);
    qtest_outl(qts, 0xcf8, 0x80001003);
    qtest_outl(qts, 0xcfc, 0x3effe00);

    /* Single-byte guest memory stores, in trace order. */
    for (i = 0; i < sizeof(trace) / sizeof(trace[0]); i++) {
        qtest_bufwrite(qts, trace[i].addr, &trace[i].val,
                       sizeof(trace[i].val));
    }

    qtest_quit(qts);
}

/*
 * Test entry point.  qtest_get_arch() is evaluated before g_test_init()
 * so that a missing QTEST_QEMU_BINARY is reported the same way as before.
 * The reproducer drives the device through port I/O (qtest_outl), so it is
 * only registered when the target is i386.
 */
int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (!strcmp(arch, "i386")) {
        qtest_add_func("fuzz/sdcard/oss_fuzz_29225", oss_fuzz_29225);
    }

    return g_test_run();
}