path: root/results/classifier/accel-gemma3:12b/kvm/1883083
author Christian Krinitsin <mail@krinitsin.com> 2025-07-03 16:27:09 +0000
committer Christian Krinitsin <mail@krinitsin.com> 2025-07-03 16:27:09 +0000
commit 4d9e26c0333abd39bdbd039dcdb30ed429c475ba (patch)
tree 4010d5fb3e8bc48c110a2c1ff2a16b8648cb86bb /results/classifier/accel-gemma3:12b/kvm/1883083
parent 5541099586dbd6018574cb44e1934907c121526f (diff)
add gemma accelerator classification results
Diffstat (limited to 'results/classifier/accel-gemma3:12b/kvm/1883083')
-rw-r--r-- results/classifier/accel-gemma3:12b/kvm/1883083 46
1 files changed, 46 insertions, 0 deletions
diff --git a/results/classifier/accel-gemma3:12b/kvm/1883083 b/results/classifier/accel-gemma3:12b/kvm/1883083
new file mode 100644
index 00000000..90fe7923
--- /dev/null
+++ b/results/classifier/accel-gemma3:12b/kvm/1883083
@@ -0,0 +1,46 @@
+
+QEMU: block/vvfat driver issues
+
+Nathan Huckleberry <email address hidden> has reported following issues in the block/vvfat driver for the virtual VFAT file system image, used to share a host system directory with a guest VM.
+
+Please note:
+ -> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
+
+Virtual VFAT read/write support is available only for (beta) testing purposes.
+
+Following issues are reproducible with:
+
+ host)$ ./bin/qemu-system-x86_64 -nographic -enable-kvm \
+ -drive file=fat:rw:/tmp/var/run/,index=2 -m 2048 /var/lib/libvirt/images/f27vm.qcow2
+
+ guest)# mount -t vfat /dev/sdb1 /mnt/
+
+The attached reproducers (run inside a guest) include:
+
+1. dir.sh: - directory traversal on the host
+ - It creates a file under /mnt/yyyy
+ - Then edits the VFAT directory entry to make it -> /mnt/../y
+ - The handle_renames_and_mkdirs() routine does not check this new file name
+ and creates a file outside of the shared directory on the host
+
+2. dos.sh: hits an assertion failure in vvfat driver
+ - Creates a deep directory tree like - /mnt/0/1/2/3/4/5/6/../29/30/
+ - While updating vvfat commits, driver hits an assertion in
+ handle_renames_and_mkdirs
+ ...
+ } else if (commit->action == ACTION_MKDIR) {
+ ...
+ assert(j < s->mapping.next); <== it fails
+
+3. read.sh: reads past vvfat directory entries
+ - Creates a file with: echo "x" > /mnt/a
+ - Reads past VVFAT directory entry structure with
+
+ # head -c 1000000 $MNTDEV | xxd | grep x -A 512
+
+ - It may disclose some heap addresses.
+
+4. write.sh: heap buffer overflow
+ - Creates large number of files as /mnt/file[1..35]
+ - while syncing directory tree with the host, driver hits an overflow
+ while doing memmove(3) in array_roll() routine \ No newline at end of file
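Review bot: the file added under kvm/ contains only the bug report text and no classifier output, so the label exists solely in the directory name, and every issue the report lists is in block/vvfat (handle_renames_and_mkdirs(), array_roll()), with -enable-kvm in the reproduction command as the only KVM reference. Suggest storing the model's category and its reasoning alongside the report text, or in a sidecar file, so the kvm label can be audited, and re-checking whether this report belongs under kvm at all. Minor: the file ends without a trailing newline, and the colon in the accel-gemma3:12b directory name will fail to check out on filesystems that reject that character.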