diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:00 +0000 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-06-16 16:59:33 +0000 |
| commit | 9aba81d8eb048db908c94a3c40c25a5fde0caee6 (patch) | |
| tree | b765e7fb5e9a3c2143c68b0414e0055adb70e785 /results/classifier/118/user-level-x86/2274 | |
| parent | b89a938452613061c0f1f23e710281cf5c83cb29 (diff) | |
| download | emulator-bug-study-9aba81d8eb048db908c94a3c40c25a5fde0caee6.tar.gz emulator-bug-study-9aba81d8eb048db908c94a3c40c25a5fde0caee6.zip | |
add 18th iteration of classifier
Diffstat (limited to 'results/classifier/118/user-level-x86/2274')
| -rw-r--r-- | results/classifier/118/user-level-x86/2274 | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/results/classifier/118/user-level-x86/2274 b/results/classifier/118/user-level-x86/2274 new file mode 100644 index 00000000..8fc86938 --- /dev/null +++ b/results/classifier/118/user-level-x86/2274 @@ -0,0 +1,103 @@ +x86: 0.965 +graphic: 0.884 +user-level: 0.802 +device: 0.734 +performance: 0.730 +ppc: 0.658 +kernel: 0.638 +semantic: 0.620 +debug: 0.591 +hypervisor: 0.582 +PID: 0.558 +architecture: 0.558 +peripherals: 0.540 +boot: 0.534 +vnc: 0.528 +mistranslation: 0.467 +network: 0.464 +arm: 0.437 +socket: 0.436 +TCG: 0.360 +files: 0.349 +VMM: 0.346 +risc-v: 0.344 +permissions: 0.341 +register: 0.335 +virtual: 0.313 +KVM: 0.296 +i386: 0.271 +assembly: 0.250 +-------------------- +x86: 0.984 +hypervisor: 0.640 +kernel: 0.610 +virtual: 0.560 +debug: 0.542 +performance: 0.124 +assembly: 0.119 +files: 0.061 +PID: 0.049 +register: 0.045 +TCG: 0.041 +KVM: 0.038 +semantic: 0.027 +device: 0.027 +user-level: 0.011 +VMM: 0.011 +architecture: 0.010 +network: 0.007 +socket: 0.006 +boot: 0.004 +ppc: 0.003 +graphic: 0.002 +risc-v: 0.002 +peripherals: 0.002 +permissions: 0.002 +vnc: 0.001 +mistranslation: 0.001 +i386: 0.000 +arm: 0.000 + +Assertion failuer in cryptodev_builtin_close_session() +Description of problem: +In the function _cryptodev_builtin_close_session(),_ an assertation happened: + +``` +qemu-fuzz-x86_64: qemu/backends/cryptodev-builtin.c:430: int cryptodev_builtin_close_session(CryptoDevBackend *, uint64_t, uint32_t, CryptoDevCompletionFunc, void *): Assertion `session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]' failed. +==1256139== ERROR: libFuzzer: deadly signal + #9 0x71acb8c2871a in __assert_fail_base assert/./assert/assert.c:92:3 + #10 0x71acb8c39e95 in __assert_fail assert/./assert/assert.c:101:3 + #11 0x5af7f624b12b in cryptodev_builtin_close_session qemu/backends/cryptodev-builtin.c:430:5 + #12 0x5af7f60b2860 in virtio_crypto_handle_close_session qemu/hw/virtio/virtio-crypto.c:262:12 + #13 0x5af7f60b2860 in virtio_crypto_handle_ctrl qemu/hw/virtio/virtio-crypto.c:423:19 +``` + +The user could send an invalid session_id to trigger this assertion. +Steps to reproduce: +Here's a simple PoC: + +``` +cat << EOF | qemu-system-x86_64 -display none\ + -machine accel=qtest -m 512M -machine q35 -nodefaults -object \ +cryptodev-backend-builtin,id=cryptodev0 -device \ +virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 -qtest stdio +outl 0xcf8 0x80000804 +outw 0xcfc 0x06 +outl 0xcf8 0x80000820 +outl 0xcfc 0xe0008000 +write 0x10800e 0x1 0x01 +write 0xe0008016 0x1 0x01 +write 0xe0008020 0x4 0x00801000 +write 0xe0008028 0x4 0x00c01000 +write 0xe000801c 0x1 0x01 +write 0x110000 0x1 0x05 +write 0x110001 0x1 0x04 +write 0x108002 0x1 0x11 +write 0x108008 0x1 0x48 +write 0x10800c 0x1 0x01 +write 0x108018 0x1 0x10 +write 0x10801c 0x1 0x02 +write 0x10c002 0x1 0x01 +write 0xe000b005 0x1 0x00 +EOF +``` |