diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:07 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-05-30 16:52:17 +0200 |
| commit | 9260319e7411ff8281700a532caa436f40120ec4 (patch) | |
| tree | 2f6bfe5f3458dd49d328d3a9eb508595450adec0 /gitlab/issues/target_missing/host_missing/accel_missing/2427.toml | |
| parent | 225caa38269323af1bfc2daadff5ec8bd930747f (diff) | |
| download | emulator-bug-study-9260319e7411ff8281700a532caa436f40120ec4.tar.gz emulator-bug-study-9260319e7411ff8281700a532caa436f40120ec4.zip | |
gitlab scraper: download in toml and text format
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2427.toml')
| -rw-r--r-- | gitlab/issues/target_missing/host_missing/accel_missing/2427.toml | 151 |
1 files changed, 0 insertions, 151 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2427.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2427.toml deleted file mode 100644 index b1d46c3a..00000000 --- a/gitlab/issues/target_missing/host_missing/accel_missing/2427.toml +++ /dev/null @@ -1,151 +0,0 @@ -id = 2427 -title = "Heap-buffer-overflow in virtio-sound" -state = "closed" -created_at = "2024-07-05T21:20:21.429Z" -closed_at = "2024-07-24T01:24:30.116Z" -labels = ["Audio", "Fuzzer", "device:virtio", "workflow::Patch available"] -url = "https://gitlab.com/qemu-project/qemu/-/issues/2427" -host-os = "Ubuntu 22.04.4 LTS" -host-arch = "x86_64" -qemu-version = "commit 3665dd6bb9" -guest-os = "n/a" -guest-arch = "n/a" -description = """The following log reveals it: - -``` -==852995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400002f2f9 at pc 0x5b291f531ba9 bp 0x7ffd8e80c0a0 sp 0x7ffd8e80c098 -WRITE of size 2 at 0x50400002f2f9 thread T0 - #0 0x5b291f531ba8 in clip_natural_int16_t_from_stereo audio/mixeng_template.h:133:16 - #1 0x5b291f4ea707 in audio_pcm_sw_read audio/audio.c:604:5 - #2 0x5b291f4e9502 in AUD_read audio/audio.c:900:16 - #3 0x5b291e6db7c7 in virtio_snd_pcm_in_cb hw/audio/virtio-snd.c:1279:24 - #4 0x5b291f4f3017 in audio_run_in audio/audio.c:1331:21 - #5 0x5b291f4eda89 in audio_run audio/audio.c:1389:5 - #6 0x5b291fa34311 in alsa_poll_handler audio/alsaaudio.c:205:9 - #7 0x5b2921054bb3 in aio_dispatch_handler util/aio-posix.c:372:9 - #8 0x5b292104b9d5 in aio_dispatch_handlers util/aio-posix.c:414:20 - #9 0x5b292104b4b9 in aio_dispatch util/aio-posix.c:424:5 - #10 0x5b29210ede0e in aio_ctx_dispatch util/async.c:360:5 - #11 0x79b4f927fd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241) - #12 0x5b29210f1851 in glib_pollfds_poll util/main-loop.c:287:9 - #13 0x5b29210f007a in os_host_main_loop_wait util/main-loop.c:310:5 - #14 0x5b29210efc24 in main_loop_wait util/main-loop.c:589:11 - #15 0x5b291f5e5475 in qemu_main_loop system/runstate.c:795:9 - #16 0x5b292067eefb in qemu_default_main system/main.c:37:14 - #17 0x5b292067ef7d in main system/main.c:48:12 - #18 0x79b4f8829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 - #19 0x79b4f8829e3f in __libc_start_main csu/../csu/libc-start.c:392:3 - #20 0x5b291e29bef4 in _start (/usr/local/bin/qemu-system-x86_64+0x1c8fef4) - -0x50400002f2f9 is located 1 bytes after 40-byte region [0x50400002f2d0,0x50400002f2f8) -allocated by thread T0 here: - #0 0x5b291e339758 in calloc /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3 - #1 0x79b4f9288c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241) - #2 0x5b29202d0efd in virtio_queue_notify hw/virtio/virtio.c:2297:9 - #3 0x5b291f3d242e in virtio_pci_notify_write hw/virtio/virtio-pci.c:1721:9 - #4 0x5b29203c82a4 in memory_region_write_accessor system/memory.c:497:5 - #5 0x5b29203c7951 in access_with_adjusted_size system/memory.c:573:18 - #6 0x5b29203c57eb in memory_region_dispatch_write system/memory.c:1521:16 - #7 0x5b292046cb42 in flatview_write_continue_step system/physmem.c:2757:18 - #8 0x5b292046c3c1 in flatview_write_continue system/physmem.c:2787:19 - #9 0x5b29204424c9 in flatview_write system/physmem.c:2818:12 - #10 0x5b2920441f1e in address_space_write system/physmem.c:2938:18 - #11 0x5b291f5d8eac in qtest_process_command system/qtest.c:643:9 - #12 0x5b291f5cfec5 in qtest_process_inbuf system/qtest.c:776:9 - #13 0x5b291f5de05e in qtest_read system/qtest.c:788:5 - #14 0x5b2920d2aef0 in qemu_chr_be_write_impl chardev/char.c:214:9 - #15 0x5b2920d2afb1 in qemu_chr_be_write chardev/char.c:226:9 - #16 0x5b2920d37388 in fd_chr_read chardev/char-fd.c:72:9 - #17 0x5b2920719767 in qio_channel_fd_source_dispatch io/channel-watch.c:84:12 - #18 0x79b4f927fc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241) - -SUMMARY: AddressSanitizer: heap-buffer-overflow audio/mixeng_template.h:133:16 in clip_natural_int16_t_from_stereo -Shadow bytes around the buggy address: - 0x50400002f000: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f080: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f100: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f180: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd - 0x50400002f200: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd -=>0x50400002f280: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00[fa] - 0x50400002f300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f380: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f400: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f480: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd - 0x50400002f500: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd -Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Partially addressable: 01 02 03 04 05 06 07 - Heap left redzone: fa - Freed heap region: fd - Stack left redzone: f1 - Stack mid redzone: f2 - Stack right redzone: f3 - Stack after return: f5 - Stack use after scope: f8 - Global redzone: f9 - Global init order: f6 - Poisoned by user: f7 - Container overflow: fc - Array cookie: ac - Intra object redzone: bb - ASan internal: fe - Left alloca redzone: ca - Right alloca redzone: cb -```""" -reproduce = """``` -cat << EOF | qemu-system-x86_64 -display none \\ --machine accel=qtest, -m 512M -machine q35 -device \\ -virtio-sound,audiodev=my_audiodev,streams=2 -audiodev \\ -alsa,id=my_audiodev -qtest stdio -outl 0xcf8 0x80001804 -outw 0xcfc 0x7 -outl 0xcf8 0x80001820 -outl 0xcfc 0xe0008000 -write 0xe0008020 0x4 0x00001000 -write 0xe0008028 0x4 0x00101000 -write 0xe0008016 0x1 0x03 -write 0xe0008020 0x4 0x00901000 -write 0xe0008028 0x4 0x00a01000 -write 0xe0008016 0x1 0x00 -write 0xe000801c 0x1 0x01 -write 0xe0008016 0x1 0x03 -write 0xe000801c 0x1 0x01 -write 0x100008 0x1 0x08 -write 0x109008 0x1 0x04 -write 0x11e000 0x1 0x04 -write 0x11e001 0x1 0x01 -write 0x11e004 0x1 0x01 -write 0x100081 0x1 0xe0 -write 0x100082 0x1 0x11 -write 0x100088 0x1 0x08 -write 0x10100a 0x1 0x08 -write 0x151000 0x1 0x01 -write 0x1090c1 0x1 0x10 -write 0x1090c2 0x1 0x15 -write 0x1090c8 0x1 0x04 -write 0x10a00c 0x1 0x0c -write 0x10a002 0x1 0x05 -write 0xe000b00c 0x1 0x03 -write 0x101002 0x1 0x1d -write 0xe000b001 0x1 0x00 -outl 0xcfc 0xe0008000 -outl 0xcf8 0x80001885 -outl 0xcf8 0x80001870 -outl 0xcf8 0x80001878 -inl 0xcfc -outl 0xcf8 0x80001870 -outl 0xcf8 0x80001863 -outl 0xcf8 0x80001853 -inb 0xcfc -outl 0xcf8 0x80001854 -inb 0xcfc -inb 0xcfc -outl 0xcf8 0x80001898 -inb 0xcfc -outl 0xcf8 0x80001899 -outl 0xcf8 0x80001870 -inb 0xcfc -inb 0xcfc -EOF -```""" -additional = "n/a" |