| field | value | date |
|---|---|---|
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-06-03 12:04:13 +0000 |
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-06-03 12:04:13 +0000 |
| commit | 256709d2eb3fd80d768a99964be5caa61effa2a0 (patch) | |
| tree | 05b2352fba70923126836a64b6a0de43902e976a /results/classifier/105/other/1907497 | |
| parent | 2ab14fa96a6c5484b5e4ba8337551bb8dcc79cc5 (diff) | |
| download | emulator-bug-study-256709d2eb3fd80d768a99964be5caa61effa2a0.tar.gz emulator-bug-study-256709d2eb3fd80d768a99964be5caa61effa2a0.zip | |
add new classifier result
Diffstat (limited to 'results/classifier/105/other/1907497')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | results/classifier/105/other/1907497 | 95 |

1 files changed, 95 insertions, 0 deletions
diff --git a/results/classifier/105/other/1907497 b/results/classifier/105/other/1907497 new file mode 100644 index 00000000..ce539d65 --- /dev/null +++ b/results/classifier/105/other/1907497 
@@ -0,0 +1,95 @@ +other: 0.893 +KVM: 0.860 +mistranslation: 0.849 +device: 0.833 +instruction: 0.812 +graphic: 0.790 +assembly: 0.790 +vnc: 0.757 +boot: 0.747 +socket: 0.739 +semantic: 0.731 +network: 0.704 + +[OSS-Fuzz] Issue 28435 qemu:qemu-fuzz-i386-target-generic-fuzz-intel-hda: Stack-overflow in ldl_le_dma + + affects qemu + +=== Reproducer (build with --enable-sanitizers) === + +cat << EOF | ./qemu-system-i386 -machine q35 -nodefaults \ +-device intel-hda,id=hda0 -device hda-output,bus=hda0.0 \ +-device hda-micro,bus=hda0.0 -device hda-duplex,bus=hda0.0 \ +-qtest stdio +outl 0xcf8 0x80000804 +outw 0xcfc 0xffff +write 0x0 0x1 0x12 +write 0x2 0x1 0x2f +outl 0xcf8 0x80000811 +outl 0xcfc 0x5a6a4406 +write 0x6a44005a 0x1 0x11 +write 0x6a44005c 0x1 0x3f +write 0x6a442050 0x4 0x0000446a +write 0x6a44204a 0x1 0xf3 +write 0x6a44204c 0x1 0xff +writeq 0x6a44005a 0x17b3f0011 +write 0x6a442050 0x4 0x0000446a +write 0x6a44204a 0x1 0xf3 +write 0x6a44204c 0x1 0xff +EOF + +=== Stack Trace === +==411958==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcaeb8bc88 (pc 0x55c7c9dc1159 bp 0x7ffcaeb8c4d0 sp 0x7ffcaeb8bc90 T0) + #0 0x55c7c9dc1159 in __asan_memcpy (u-system-i386+0x2a13159) + #1 0x55c7cb2a457e in flatview_do_translate softmmu/physmem.c:513:12 + #2 0x55c7cb2bdab0 in flatview_translate softmmu/physmem.c:563:15 + #3 0x55c7cb2bdab0 in flatview_read softmmu/physmem.c:2861:10 + #4 0x55c7cb2bdab0 in address_space_read_full softmmu/physmem.c:2875:18 + #5 0x55c7caaec937 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18 + #6 0x55c7caaec937 in dma_memory_rw include/sysemu/dma.h:110:12 + #7 0x55c7caaec937 in dma_memory_read include/sysemu/dma.h:116:12 + #8 0x55c7caaec937 in ldl_le_dma include/sysemu/dma.h:179:1 + #9 0x55c7caaec937 in ldl_le_pci_dma include/hw/pci/pci.h:816:1 + #10 0x55c7caaec937 in intel_hda_corb_run hw/audio/intel-hda.c:338:16 + #11 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5 + #12 0x55c7cb2e6bd3 in access_with_adjusted_size 
softmmu/memory.c:552:18 + #13 0x55c7cb2e646c in memory_region_dispatch_write softmmu/memory.c + #14 0x55c7cb2c8445 in flatview_write_continue softmmu/physmem.c:2759:23 + #15 0x55c7cb2bdfb8 in flatview_write softmmu/physmem.c:2799:14 + #16 0x55c7cb2bdfb8 in address_space_write softmmu/physmem.c:2891:18 + #17 0x55c7caae2c54 in dma_memory_rw_relaxed include/sysemu/dma.h:87:18 + #18 0x55c7caae2c54 in dma_memory_rw include/sysemu/dma.h:110:12 + #19 0x55c7caae2c54 in dma_memory_write include/sysemu/dma.h:122:12 + #20 0x55c7caae2c54 in stl_le_dma include/sysemu/dma.h:179:1 + #21 0x55c7caae2c54 in stl_le_pci_dma include/hw/pci/pci.h:816:1 + #22 0x55c7caae2c54 in intel_hda_response hw/audio/intel-hda.c:370:5 + #23 0x55c7caaeca00 in intel_hda_corb_run hw/audio/intel-hda.c:342:9 + #24 0x55c7cb2e7198 in memory_region_write_accessor softmmu/memory.c:491:5 +... + +OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435 + + + +I think this [0] commit actually fixes this bug, can someone please confirm it? + +[0] https://github.com/qemu/qemu/commit/1bf8b88f144bee747e386c88d45d772e066bbb36 + +No, I can still reproduce this issue with current version from the git repo (commit 8f521741e1280f0957ac1) ... when I compile QEMU with Clang and --enable-sanitizers, the reproducer still crashes with "ERROR: AddressSanitizer: stack-overflow" + +Just FYI, this issue was assigned CVE-2021-3611 by Red Hat. + +@Thomas, could you try by compiling qemu with a commit close to the timeframe mentioned here [0]? + +[0] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28435#c2 + +@Gianluca: The problem still reproduces with the current master branch (commit 13d5f87cc3b94bfccc5), so the problem is definitely not fixed yet. So no, I certainly won't waste my time trying it on older versions. + +I moved this report over to QEMU's new bug tracker on gitlab.com. 
+Please continue with the discussion here: + +https://gitlab.com/qemu-project/qemu/-/issues/542 + +Thanks for moving it over! ... let's close this one here on Launchpad now. + + |
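Review bot: the score vector at the top of the hunk (`other: 0.893`, `KVM: 0.860`, `mistranslation: 0.849`, `device: 0.833`, with `vnc` and `graphic` also above 0.75) is hard to reconcile with the report pasted below it, and the file carries no line saying what the scores are or which one was chosen. The trace shows `intel_hda_corb_run` (hw/audio/intel-hda.c:338) at frame #10 and again at frame #23, with `intel_hda_response` -> `stl_le_pci_dma` -> `address_space_write` -> `memory_region_write_accessor` in between, i.e. the DMA write issued while answering a CORB command lands back on the HDA register window and re-enters the same handler until ASan reports the stack overflow; the thread records that this was assigned CVE-2021-3611 and still reproduced at commit 13d5f87cc3b94bfccc5. That is a device-emulation DMA re-entrancy bug, which `device` captures but `KVM`, `vnc`, `graphic` and `mistranslation` do not, so the ranking is worth a second look. Since the only record of the assigned class is the `other/` directory in the path, add a header line (or a sibling README) stating the assigned label, the model and threshold that produced the scores, and the source report ids (Launchpad 1907497, OSS-Fuzz 28435, GitLab issue 542), so a reader can audit the classification against the report.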